Grid execs consider triage plan for attacks

By Peter Behr | 05/13/2016 08:29 AM EDT

The electric power industry’s playbook against cyber and physical threats is adding new pages as these threats evolve, industry executives and cyber experts say.

The emerging strategies include:

  • Clarifying rules for blacking out parts of the grid deliberately, if necessary, to isolate sections that are under cyberattack, and setting clearer priorities for restoring power if a terrorist or nation-state attack does widespread damage.
  • Stockpiling replacement high-voltage transformers and other critical equipment that could be needed to restore parts of the power grid, and building a mutual response capability of cyber experts from the power industry and possibly other industries, who could be marshaled in an emergency as repair crews are after major storms.
  • Spreading state-of-the-art cyberdefenses from the largest utilities to smaller ones whose cyber expertise and budgets don’t match those of the leaders.
  • Linking response plans of key sectors, led by electric power, natural gas, telecommunications and finance.

The nucleus of this effort lies with the Electricity Sub-sector Coordinating Council (ESCC), a group of about 30 power industry chief executives that meets several times a year with senior federal security and energy officials, and is briefed whenever serious threats to the sector break out.

Tom Fanning, chairman and chief executive of Southern Co. and co-chairman of the power industry’s grid defense council, speaks yesterday at an Edison Electric Institute forum on cyberthreats. | Photo courtesy of The Christian Science Monitor.

Tom Fanning, chairman and chief executive of Southern Co. and co-chairman of the ESCC, spoke yesterday of severe cybersecurity scenarios that could compel utilities to shut off power in places in order to isolate parts of their networks to contain or quarantine threats.

"We’re going to have to make some tough calls. If we ever get to that point, people are going to have to make some tough choices about what to shut down, how to isolate. We’re going to interfere with commerce, in certain circumstances," Fanning said at a conference sponsored by the Edison Electric Institute.

"Real boots on the ground … are going to have to figure out what they’re going to do about it," Fanning said.

The recovery challenge was highlighted during November’s "war games" planning exercise, which confronted more than 4,000 industry and government officials with a massive simulated cyber and physical attack across the United States.

Following that exercise, a group of power grid planners and engineers is being assembled to study how sections of the grid could be operated at a reduced level — in a "degraded" way — after an attack to create a faster, smoother total recovery, an industry official said.

Tom Kuhn, EEI president, credited Congress for creating needed federal policy for extreme grid threats with the passage in December of the omnibus transportation infrastructure bill. At the last minute, lawmakers added new authority in the legislation for the secretary of Energy to act in a presidentially declared "grid security emergency." The secretary could issue orders for temporary actions to protect grid reliability in those circumstances. A DOE spokesman said plans for carrying out that responsibility are still in the works.

Last December’s legislation, the Fixing America’s Surface Transportation (FAST) Act, also directed DOE to submit a plan by this December for an emergency reserve of high-voltage transformers and other essential grid equipment that could be deployed to replace units disabled by natural disasters or terrorist attacks. That plan is also under development.

Protecting smaller utilities

Another priority for the industry is providing the nation’s smaller utilities with the same cyberthreat information sharing that the large power companies can access, officials say.

The North American Electric Reliability Corp. (NERC) runs the power sector’s most advanced threat intelligence initiative, the Cybersecurity Risk Information Sharing Program (CRISP).

Utilities participating in CRISP can send suspicious cyber data to an analysis center run by the Pacific Northwest National Laboratory over a secure network. If threats are found, PNNL responds with alerts and defensive measures if possible, which are shared with participating companies through NERC’s Electricity Information Sharing and Analysis Center.

Duane Highley, chief executive of Arkansas Electric Cooperative Corp. and an ESCC co-chairman, said around 30 utilities are running the CRISP program. Those companies serve three-quarters of the U.S. population, but that leaves the vast majority of power utilities, and a quarter of Americans, outside the program, Highley said in an interview.

"We would like to see that closer to 100 percent," Highley said.

"The smaller utilities don’t have CRISP implemented, and there are a whole bunch of those people. Part of the impediment for small utilities — we’re talking primarily municipals and cooperatives — is that the cost of CRISP can be very prohibitive [for them] to deploy.

"One of the subjects we’re working on now with our government partners is how we can reduce the cost of implementation of CRISP — or something we’re calling CRISP Light — to allow smaller utilities to participate," he said.

"We’re talking about going from something that costs hundreds of thousands of dollars to deploy and possibly over $100,000 a year to maintain, to something that is thousands of dollars; that’s our goal. Even a small cooperative could afford to be part of that," Highley added.

"The broader we can cover, the more likely we are to find something happening." If the balance of the power industry is brought into the program, "you might be able to connect the dots more quickly on an emerging threat," he said.

Focus on vulnerabilities

Fanning said grid defenders continue to analyze and strengthen the transmission system’s most important substations, whose operations have the greatest impact on the entire grid. "In any network of companies, the vulnerable points are the points of intersection," he said yesterday.

"Where are those points of intersection? What should we do, from a regulatory relief reform standpoint, and from a legislative standpoint? What enablers can we put in place in order for us to better prevent and respond to in a timely way?" he asked.

He repeated previous statements challenging the 2013 analysis by the Federal Energy Regulatory Commission staff that concluded a coordinated terrorist attack on as few as nine strategically placed high-voltage substations could take down large sections of the power grid.

That analysis "was just dead wrong," Fanning said. "It’s based on a fundamental misunderstanding of how the grid works," because it didn’t adequately consider the ability of grid operators to reroute power flows around disabled substations.

There are substations that require priority protection, and they are getting that, he said. "We had one of the nine assets" identified in the FERC study, Fanning said.

"It’s no longer critical" following changes Southern made in its power network. "You could blow it out of the water today and it wouldn’t make a blink" on power delivery.