This article appears in the January-February 2013 issue of Public Power magazine.
By Doug Westlund and Bruce Gordon
The media is replete with warnings from the federal government and others of economic catastrophe should the U.S. power grid be attacked. The multi-state devastation of Hurricane Sandy makes real the impact of vast electric system outages. However, for a municipal electric utility, the pressure to launch a comprehensive cyber security program competes with the daily demands of maintaining the distribution system, navigating the wholesale energy market, managing billing/customer service and all of the other operational challenges. There is a risk of a “we’ll get to that soon” mentality, should time and the budget allow. A far more productive approach is to focus on cyber security as a central component to a utility’s reliability program, with quantifiable financial benefits to the public power utility and the community.
Cyber security has been front and center in the news, in dramatic fashion. At the time of this writing, the National Academy of Sciences issued a report stating that terrorists could black out large segments of the United States for weeks or months by damaging substations, transmission lines, and other hard-to-replace components of the power grid. In a speech to business executives, Secretary of Defense Leon Panetta said the United States must beef up its cyber defenses or suffer as it did on September 11, 2001, for failing to see the warning signs of a terrorist attack. He described a virus known as Shamoon which infected more than 30,000 computers of major energy firms in Saudi Arabia and Qatar in the summer of 2012. Clearly, the time is now for a proactive approach to protecting information and communications systems from cyber-based attacks.
The adoption of a solid cyber security program adds a vital layer of protection to the critical operational infrastructure. Cyber security keeps costs low by avoiding the huge expenditures associated with attack recovery. After a cyber attack, utilities must:
• Employ a team of cyber security experts to diagnose, isolate and repair damaged systems
• Perform an extensive forensic study and report about the attack
• Turn off operational systems and fly blind for a while
• Replace hardware and software as needed
• Put a cyber security program in place, to avoid a repeated attack
• Address the regulatory scrutiny and public pressures which accompany outages
It is estimated the cost to repair the damage of an attack is 5 to 10 times greater than the costs of building a reasonable cyber security program. These costs include the loss of service and revenue associated with a cyber attack. However, along with avoiding the negative financial impact of an attack, a cyber security program reaps positive financial benefits as well. For example, the existence of a cyber program may have a positive effect on a utility’s credit ratings. In assessing a utility’s operations, credit rating agencies consider the reliability of the system. A utility’s cyber program will improve reliability through protection of smart control systems and automated metering systems. Credit rating agencies also look at the strength of the utility’s management, and an important factor in this assessment is the presence of a comprehensive strategic plan that includes risk management procedures and analysis. A utility’s cyber program helps demonstrate that the utility recognizes the risk of a cyber attack and has taken steps to mitigate the risk.
Similarly, insurance costs can come into play. Today, insurance companies are examining reliability statistics when determining utility coverage and premiums. As awareness of cyber vulnerabilities increases, insurance companies will be looking more closely at the details of a utility’s cyber security program.
In order to maintain a successful cyber security program, each utility must ensure everyone in the organization understands and buys in to the value of the effort, thinking every day about the security of critical infrastructure and assets. At a minimum, a cyber program must cover the operational and enterprise network, with systems in place to record and report any abnormalities and attempted attacks. It is vital to make cyber security part of the culture of the utility, always striving to monitor and improve.
Doug Westlund is Chief Executive Officer and Bruce Gordon is Vice President, Sales & Marketing, of N-Dimension Solutions Inc., a leading provider of cyber security solutions in affiliation with Hometown Connections. N-Dimension is a member of NIST's Cyber Security Working Group, a founding member of the National Electric Sector Cyber Security Organization, and the recipient of the 2012 Frost & Sullivan Award for Best Practices in Industrial Cyber Security.