Wednesday, March 28, 2018

Grid security falls to industry to self-regulate

BOSTON — The U.S. power grid is coming under increasing attacks from hackers, but security experts say rules on dealing with cyber threats are being written mostly by the energy industry, leaving the public in the dark.

A cyber attack against the grid could do as much damage as a bomb, experts say, cutting off electricity to hospitals, banks and other assets, disabling devices from cellphones to traffic lights, and threatening lives if heating and air conditioning systems are cut off long enough.

Regional utilities like National Grid, Eversource and Unitil are upgrading their physical infrastructure and computer systems to deal with the increasing threats from hackers, but remain tight-lipped about how much they are spending or where the money is being invested.

Federal and state regulators set guidelines for utilities to report physical and cyber attacks, but the industry is largely allowed to develop its own policies and security plans for dealing with the threats, which are kept under wraps.

“Basically, the attitude so far has been to let the market deal with it,” said Juliette Kayyem, a national security expert and former assistant secretary at Homeland Security under President Barack Obama. “But this is a national security imperative, which requires government resolve.”

'Public deserves to know'
Kayyem said the lack of state and federal government standards on grid security is putting the public at risk.

“This is ‘fingers crossed’ or ‘trust us’ policy,” she said. “We don’t do that with the telecom or nuclear industries, so why would we do it with the power grid?”


Fears about cyber security have been stoked by recent claims that Russian hackers have been remotely targeting the U.S. grid, as part of what the Department of Homeland Security has described as a “multi-stage effort by the Russian government to target critical infrastructure.”

Hackers have targeted nuclear reactors and other power industry infrastructure, using tainted emails to harvest credentials and gain access to networks, according to the federal agency.

In Massachusetts, self-reporting rules agreed to by the state Department of Public Utilities and major utilities require companies to notify the state about a cyber or physical attack “as soon as is practicable,” and only if it resulted in a power outage or natural gas system interruption.

The self-reporting requirements are similar for notifying the state about a hack or breach involving customers’ personal information.

Utilities are required to appear before state regulators once a year to “self-certify” that they have adequate cyber security safeguards, but those efforts are shrouded in secrecy.

“Self-regulation has proven to be a failure,” said Deidre Cummings, legislative director for the Massachusetts Public Interest Research Group, a consumer protection advocacy group. “Utilities should be required to disclose what they are doing in terms of cyber security, and state regulators and the public deserve to know immediately when there has been a breach.”

Cummings cited the recent breach at Equifax credit bureau, which waited weeks before disclosing that the personal financial information of tens of millions of consumers had been hacked.

She said state regulators should require utilities to disclose what they are doing as part of electric and gas rate increase requests.

“Ensuring that utilities have adequate safeguards to protect consumers has to be part of that rate setting process,” she said. “There has to be transparency in the process.”

Beefing up reporting rules

A spokeswoman for ISO New England, which operates the regional grid, declined to discuss specific hacking incidents or responses to cyber threats but said the nonprofit organization has spent more than $11 million on cyber security upgrades in the past five years.

“We have security measures such as redundant facilities, as well as other measures that follow industry best practices, and we are continually working to improve our security as cyber security threats evolve,” ISO spokeswoman Marcia Blomberg said in a statement. “We monitor system conditions continuously, and we share information as needed with regulatory and industry bodies.”

National Grid, which serves about 1.3 million customers in Massachusetts, declined to say how much it is spending on cyber security or where the investments are being made, but points out that it must undergo a “rigorous security audit program” overseen by state and federal regulators.

“Our robust systems enable us to monitor, detect and protect our network to keep energy flowing,” the company said in a statement. “We work closely with government, industry partners and regulators to protect our network from current and future threats.”

The Federal Energy Regulatory Commission, which oversees the nation’s energy sector, is in the process of beefing up the mandatory reporting requirements for major electric and gas companies, which it says “understate the true scope of cyber-related threats facing the grid.”

The agency says the lack of any reported incidents in 2015 and 2016 “suggests a gap in the current mandatory reporting requirement.”

'Testing our resolve'

In 2015, Ukraine experienced an unprecedented cyberattack on its electric grid that led to widespread power outages, which it said was caused by Russia. The attack raised concerns about vulnerabilities in the U.S. grid system that could make it a victim of similar attacks.

Energy Secretary Rick Perry has proposed the creation of a new division within the federal agency to specifically deal with cyber security threats and President Trump’s budget proposal included $96 million in funding for the Office of Cybersecurity, Energy Security, and Emergency Response.

And Russian attempts to penetrate the grid were cited by the Trump administration as one of the reasons for imposing economic sanctions this month on the country, part of a sweeping new effort to punish Moscow for its attempts to interfere in the 2016 presidential election.

Still, Kayyem said Trump’s slow response to hacking has emboldened Russia and other rogue nations such as Iran and North Korea seeking to disrupt the country’s infrastructure.

“Nothing this administration has done has tempered Russia’s desire to test our resolve,” she said. “Our energy infrastructure is under attack, and that requires presidential focus.”

Christian M. Wade covers the Massachusetts Statehouse for North of Boston Media Group’s newspapers and websites. Email him at cwade@cnhi.com.
