Above the lines: Addressing grid security in the press

The utility industry is bombarded by negative press about the security nature of the electric grid. It seems we read a new story about “what is going wrong” with utilities weekly and on a regular basis. We have heard the constant drum beat of “hackers are in the grid” or “industry doesn’t take security threats seriously enough”, but rarely does industry receive due credit for the positive steps it has taken to secure electric systems and infrastructure. Today more than ever, industry is acutely aware of the microscope placed on it and the importance of electricity to the American way of life.

Electric power remains a very visible and attractive target to anyone looking to cause damage. A successful attack on the power grid causing a wide-area long-term outage would have significant national security, economic, and public health and safety consequences.

The threat remains and we should not lose sight of this. However, we have seen the media run wild with stories about substation shootings, rumors of hacked control systems, and the targeting of specific infrastructure sites within the grid. While some responsible reporting has taken place, many see the opportunity to “pile on” and make accusations that industry isn’t responsive. Yet, the opposite is true. This industry, more than any other critical infrastructure sector, has moved the proverbial football down the security field.

[ ALSO ON CSO: Defending the grid ]

The North American Electric Reliability Corporation (NERC), Electricity Information Sharing and Analysis Center (E-ISAC), and the Electricity Sector Coordinating Council (ESCC), along with the various trade associations have put security at the top of the list in terms of ensuring continued reliability. The electricity sector is one of the few sectors that has mandatory and enforceable security standards.

A new Design Basis Threat (DBT) was recently released and NERC is now preparing for its next Grid Security Exercise (GridEx IV), to be conducted in November of 2017. Meanwhile, utilities are spending millions of dollars to upgrade their security programs and better protect their substations and generating plants across North America. With the development and acceptance of the newest physical security standard, NERC CIP-014, utilities are conducting assessments, building security plans, and installing mitigation measures to protect their transmission “crown jewels”.

Investments in cybersecurity continues to be monumental. NERC and industry are currently developing a cybersecurity supply chain management standard in response to FERC order 829. While compliance is a driver, utilities understand the impact that poor cyber practices can have on industry perception and company reputation. The point is a lot of progress is happening.

The utility industry needs to be their own advocate, quick-to-draw and highlight success stories that point to action and accomplishments. While industry remains committed to “keeping the lights on”, we should consider how to best articulate activities and initiatives that demonstrate the importance of the topic and the solutions brought to bear.

If you’re proud of your program, let others know about it. A two minute elevator speech that can effectively communicate the progress of your compliance program, reliability investments, and culture of security may be worth its weight in gold.