A small group of senators is pushing legislation that would take some parts of the grid back in time to ward off cyber intrusions.
A bill introduced by Sen. Angus King, I-Maine, would create a $10 million, two-year pilot program within the Department of Energy's national laboratories to research and test technologies, such as analog systems and physical controls, that could be used to isolate and protect the most critical systems of the electric grid.
The so-called Securing Energy Infrastructure Act, or S. 79, would also authorize $1.5 million for a working group to evaluate proposals coming out of the pilot program and develop a national engineering strategy to defend against security vulnerabilities and exploits.
This approach to addressing cybersecurity concerns has been touted by Sens. James Risch, R-Idaho; Martin Heinrich, D-N.M.; Susan Collins, R-Maine; and Mike Crapo, R-Idaho, who have co-sponsored the legislation.
King said at a hearing April 4 before the Senate Energy and Natural Resources Committee that there were places in the grid that could be shielded from a cyberattack with analog technology.
The legislation, King said, was largely inspired by an October 2015 report produced by the Center for Strategic and International Studies that made a "case for simplicity in energy infrastructure." That paper advocated re-engineering "selected last-mile and endpoint elements of the grid" judged to be the "most essential to national security.
For good business reasons, there has been an enthusiastic embrace of digital systems that used to just be electromechanical and were protected in large part through isolation, Andrew Bochman, senior cyber and energy security strategist for the Idaho National Laboratory and a co-author of the paper, said. Now communication technologies and sensors are being added to even the most mundane parts of different interconnected systems, making the government's ability to influence the wide deployment of the so-called "internet of things" minimal, he added.
"Very selectively adding these types of analog or out of band [controls] or putting a trusted human back in the loop, [and] doing that in a moderate way in only the holiest of holy places, allows you to then proceed with the modernization, which brings all of the benefits of the grid that we need to have in the future," Bochman said. "At the same time, it might let utility and natural gas executives and folks on the Hill sleep a little bit more soundly."
The hearing, which homed in on efforts being pursued to protect U.S. energy delivery systems from cyber threats also afforded an opportunity for DOE, the North American Electric Reliability Corp. and others to expound on ways the industry and the government are working to secure against what one senator called the interconnectedness of things, where a problem in one sector of the country's energy infrastructure could have a cascading effect throughout the system.
Patricia Hoffman, acting assistant secretary of DOE's Office of Electricity Delivery and Energy Reliability, pointed to the need to test not just the networks but the devices that intend to connect to them. There must be an understanding of where the vulnerabilities are in both, she said.
Cybersecurity must also be baked into systems, not tacked on as an afterthought, she said. There must be a clear picture of what normal operations on a system should look like as well as what abnormal operations or communications look like so any abnormalities can be blocked and prevented from causing damage, Hoffman added.
Arkansas Electric Cooperative Corp. President and CEO Duane Highley said cross-sector coordination was also critical.
He asserted that oil and gas, electricity, telecommunications, finance and water were all dependent on one another in today's interconnected world. "So what we're doing at the AECC is bringing those sectors together in cross-sector dialogue" along with the sector-based Information Sharing and Analysis Centers that provide information on cyber threats.
Gerry Cauley, president and CEO of NERC, offered that "separation and compartmentalization" is standard practice within the power sector, with the most critical assets and control centers already "using one-way data diodes" and similar equipment to "control the flow [of data] so no harmful information can come in" as part of the early stages of some of the more advanced work taking place.
Yet, he said, "It is a dilemma to try to operate a very interconnected grid and a compartmentalized and protected grid at the same time."
While NERC standards require a thorough understanding of the architecture and design of critical assets so there are no mysteries regarding the connection points and vulnerabilities of those assets, "the more you get further down into the system — into distribution, distributed resources and those kinds of things — then we're talking about more mass devices, instruments and communications, and it's much more difficult" to account for all of the information sharing capabilities of those products "because the sharing is the value," Cauley said.
For the natural gas sector, there are multiple layers at play as the sector delivers electrons using automated controls, moves molecules through mechanical and physical processes and considers security from both a safety and a cyber perspective, American Gas Association President and CEO Dave McCurdy told lawmakers.
The gas industry, he said, conducts regular testing of its systems, participates in simulated grid attacks and has developed threat detection capabilities as part of its culture that strives to "go beyond layered defense to have layered resiliency."
This article was authored by Jasmin Melvin, a reporter for S&P Global Platts, which like S&P Global Market Intelligence, is a division of S&P Global Inc.