After Superstorm Sandy pummeled the great State of New Jersey in 2012, more than two million households were without power, many for close to two weeks. A silver lining is that this disaster occurred in the fall, after the heat of summer and before the onset of freezing conditions.
With Sandy, New Jersey and the surrounding region dodged a bullet from a potentially much greater power outage disaster. My mother, an octogenarian living on her own, was among those who got through this upheaval. We must take all available steps so that this situation is not repeated; that is what modern, first-world countries do.
Today, the chief threat for a major electric grid disruption is a cyberattack. At the national level, we have been warned about this loudly and repeatedly in the last 18 months including by the Director of National Intelligence, the May 1 Executive Order on the bulk-power system and reports from the Cyberspace Solarium Commission, U.S. Department of Homeland Security and the U.S. Government Accountability Office.
Washington is now taking important steps to protect the grid from cyberattacks. But unless states start to vigorously join in this effort, America’s senior citizens and others will face unacceptably high risks from future power outages.
While the bulk-power system is regulated by the Federal Energy Regulatory Commission and the federal government, the electric distribution grid, which transfers power from utilities and cooperatives to homes and businesses, is primarily governed by the states. The weakest link in the vast, sprawling electric grid is this section regulated by states.
New Jersey got off to a great start in state cyber protection, but those efforts have sputtered. In 2016, the New Jersey Board of Public Utilities (BPU) issued the first statewide standards for cyber protection. The program requires electric utilities to meet rigorous standards concerning cyber risk management, situational awareness, incident reporting, response and recovery and security awareness and training.
Unfortunately, the program has been on autopilot since then and not revisited. State lawmakers have not held hearings about the status or progress of the program. The BPU seems focused on other issues despite the growing worldwide cyber threats about which numerous federal agencies have warned.
When all is said and done, the U.S. electric grid is a complex, integrated circulatory system that must be protected everywhere. According to the U.S. Energy Information Administration the electric grid is comprised of more than 7,300 power plants, nearly 160,000 miles of high-voltage power lines and distribution transformers, connecting 145 million customers.
Problems that begin in the distribution grid can make their way to the bulk-power system, resulting in serious power disruptions. And for attackers, the distribution side of the grid may provide the most fertile entry. For example, researchers at Sandia National Laboratories are now evaluating threats to the electric grid from electric vehicles and charging stations.
A November 2019 study by the Institute for Energy and the Environment at the Vermont Law School made clear the serious and growing threats to the electric grid from attacks coming from the distribution side.
“The attack surface of the distribution system is increasing due to the digitization of operational control and the connection of millions of new devices,” says the report.
It also warns, “The information asymmetry that exists between utilities and their regulators on cybersecurity threats, vulnerabilities, practices, policies, and processes is a serious obstacle to elevating grid security and resilience … Utilities, who are at the forefront of daily efforts to prevent cyber intrusions and attacks, have a scope and depth of knowledge that greatly exceeds that of their regulators.”
Yet, few states have taken steps to ramp up electric distribution grid protection. While progress is being made, it needs to be accelerated. The National Conference of State Legislatures reports that in 2019 11 states passed over a dozen measures which predominantly dealt with:
- Establishing state-level cybersecurity task forces and committees
- Establishing cybersecurity standards and reporting requirements
- Expanding state open records exemptions to include cyber vulnerabilities
- Directing and authorizing governors and state agencies to take certain actions to prepare for and respond to cyber emergencies.
To accelerate and elevate grid security, independent auditors should evaluate each state’s cyber protection programs by 2025, with a public grading system of A to F. The U.S. Department of Energy should issue a similar report card about the safety of the bulk-power system.
Whether these programs are done voluntarily or through statute, they will provide an important catalyst for ensuring grid protection from cyberattacks. This is imperative for public safety and especially for protecting the elderly and most vulnerable.
In addition, the citizens of New Jersey, and all Americans, would benefit by understanding how the pioneering, comprehensive system of 2016 has worked, what has been learned since then, and new practices that should be adopted.
—Paul Steidler is a Senior Fellow with the Lexington Institute, a public policy think-tank based in Arlington, Virginia.