Yesterday I was interviewed by the always astute Blake Sobczak of Energy and Environment News[i] about a cyber security report issued by the White House last week, and specifically about what it had to say about the cyber security of the power grid. The article appeared today.
The discussion of the grid in the report was certainly good and not terribly inflammatory. My feelings about this report are very similar to my feelings about Ted Koppel’s book Lights Out, which I discussed in this post in early 2016: What Koppel was writing about had very little to do with cyber security. It had everything to do with the amount of devastation that any widespread and prolonged grid event could wreak (and we’re talking about a much more serious event than even the 2003 Northeast blackout), whether caused by a huge weather event (even bigger than Superstorm Sandy), solar storm, EMP event, physical attack, or yes a cyber attack. Even more importantly, the book documented in horrifying detail the country’s almost total lack of preparedness for this. Unfortunately, whoever wrote the book jacket decided the book would sell more copies if it were made to appear as a book about a big cyber attack on the grid, without doubt to leverage the popular movies that had depicted such an attack. So that is how the book is known, but it isn’t what’s actually between the covers.
In the same way, the section of the White House report that I commented on quotes the 2015 study by Lloyd’s and the University of Cambridge that estimated the total cost of a worst-case cyber event at $1 trillion. I totally agree that a worst-case cyber event could cost that much. But there are two considerations: 1) The cost would be the same whether the cause of the event were weather, solar storm, or anything else; and 2) I’d say a worst-case cyber event is probably the least-likely cause of such a huge grid outage – with a probability somewhere around 1 in 10 to the 10th or the 20th power. I think a solar storm is far more likely to cause such an event (and the 1859 Carrington Event probably would have done it, had it occurred today. We’d better hope these aren’t every-200-year events!).
Although the report didn’t advocate any particular policy actions (it was actually quite good as a broad overview of the risks posed by cyber security weaknesses across the US economy), in my comments I anticipated what I thought might be the typical response regarding security of the power grid: “Oh my God, we have to do something about this! We need to really tighten up the cyber security standards so that the power industry (that would be you, Dear Reader) doesn’t let his happen to us!”
My response to this response, whether triggered by the White House report, Ted Koppel’s book or any number of alarmist statements, is that the situation won’t be improved by requiring say a 10-fold increase in the severity of the NERC CIP requirements. There has never been an outage caused by a cyber attack in North America; nor has there ever been even a documented penetration of a control network in a grid asset of any significance (I make this qualification because there was a penetration of a 5MW dam in New York state in 2013. I know of no other such penetration, although if anyone knows of another I’d appreciate your letting me know about that in an email). And of course, any amount of increased cyber security spending by the power industry will do nothing to mitigate the danger of a different type of event like a solar storm (and NERC is currently in the process of approving a draft standard to address solar storm risks by “hardening” grid assets).
I have long believed that the best protection against widespread outages, no matter what the cause, is microgrids. If the great majority of populated areas in North America were protected by microgrids, there could still be widespread grid events which would destroy huge fixed generation and the high-voltage transmission network - but these events wouldn’t cause widespread outages. Each microgrid would automatically activate its local generation resources – wind, solar, gas turbines – and keep on chugging. Of course, the problem at the moment is that microgrids are very expensive to implement and they’ve only been implemented in a small number of high-value locations (like the New Jersey transit system, which was knocked out by Hurricane Sandy, greatly complicating the recovery from the storm). But if we’re talking about throwing a lot more money at grid security, wouldn’t it be a lot better to throw it at a solution to all potential causes of a huge grid outage, rather than just at reducing the already-infinitesimal probability of just one of those causes – a massive cyber attack?[ii]
Before I go, I do want to point one thing out: I don’t believe for a moment that electric utilities are paying too much for OT cyber security controls now. In fact, given the ever-tightening threat environment, I think it’s inevitable they will need to spend more every year for the foreseeable future. My issue is that a large portion of what NERC entities spend on NERC CIP compliance now goes simply to pure compliance activities, not to increasing the level of cyber security. I think that virtually all NERC entities understand that this is a tough world, and they will have to increase their cyber and CIP spending every year just to stay in the same position. But they will be increasingly reluctant to do this without changes in the NERC CIP compliance regime (and in the standards themselves) that will allow a much higher percentage of every dollar they spend on CIP to go towards cyber security.
And what are those needed changes? Funny you should ask. That is the topic of a book I am working on with two co-authors. You may roll your eyes and point out that I’ve been talking about this book for close to two years. That’s true, but we now have a lot of momentum and I’m sure we’ll have something out before the end of the year. And what is the solution we’re advocating? Well, you can find most of it in my posts, although I’ll admit you’ll have to look hard (and be able to tie a lot of bits and pieces together). I hope to have everything in a one-stop-shop this year!
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] This online publication has the best articles about security of the energy sector of any publication I’ve seen, all written by either Blake or his colleague Pete Behr. They’re all very in-depth (a few even as long as my average post, heaven forbid!) and very well-researched – and this applies to all of the articles, not just those on cyber. Most online news feeds confine themselves to news feeds or reproductions of articles from other publications, so E&E News really stands out. This is a subscription-only publication, but I strongly recommend you try to get your own organization to subscribe to it. I recommended to my boss at Tom Alrich LLC that we purchase a subscription, but he hasn’t replied to my email yet.
[ii] And if you’re tempted to think that the big toughening of the NERC CIP standards would be paid for by “private industry” while the cost of implementing microgrids everywhere would have to be borne by the taxpayers, let me point out something to you: Every taxpayer is a ratepayer to their local electric utility. Where will the utilities get the money to comply with this huge increase in the cost of CIP compliance?