The Urgency of Protecting the Electric Grid from Cyberattacks

The clock is ticking to protect the electric grid from cyberattacks.

Adversarial nations, terrorists, and criminal groups have been refining their techniques since before Dan Coats, director of National Intelligence, warned of America’s vulnerability to major electric grid attacks in January 2019. This followed an earlier report from Lloyd’s that a successful, coordinated intrusion could cost $1 trillion.

The Colonial Pipeline cyberattack this May showed how vulnerable America is to relatively modest attacks and how disruptive they are. Our electric grid continues to face daily attacks and so far, we have dodged catastrophe.

At its core, this is an engineering and not a partisan issue. The Trump Administration brought much attention to the dangers of cyberattacks and instituted concrete steps to better confront them, such as the establishment of the Cybersecurity and Infrastructure Security Agency in 2018.

The bipartisan infrastructure bill that President Biden signed on November 15 provides for substantial assistance. According to the U.S. Department of Energy this includes “$11 billion in grants for states, tribes, and utilities to enhance the resilience of the electric infrastructure against disruptive events such as extreme weather and cyberattacks.”

Among those touting the bill’s benefits is the American Public Power Association (APPA) which represents 2,000 public power utilities. “Of particular importance to APPA members is the bill’s requirement that the Secretary of Energy carry out a program to promote and advance the physical security and cybersecurity of electric utilities, prioritizing those with fewer resources,” said APPA’s President and CEO, Joy Ditto.

An area that is particularly vulnerable is America’s distribution grid, which carries electricity from transmission systems to consumers and is regulated primarily by states. “Distribution systems are growing more vulnerable,” said the U.S. Government Accountability Office in a March 18, 2021 report.

The bottom line is that all utility power generation and transmission grid operators, no matter how big or how small, need to be aggressively and heavily invested in cyber protection.

As beneficial and large as these federal programs are, they should be a small part of utilities’ decisions to make cyber investments, especially for large utilities.

Electric utility regulators and investors need to better scrutinize the resources and commitments that electric utilities have made to cybersecurity. It is a risk-management decision and perhaps the most important. Regulated utilities should be able to include reasonable cybersecurity costs as part of the costs that will be recovered from customers.

Protecting the electric grid, though, is not just an infrastructure issue. Rather, it is central to national security. When countries attack one another, disabling electric infrastructure is a primary target.

It is essential for electric utilities to protect both information technology and operational technology, the electricity distribution equipment, valves, and pumps that are the backbone of the country’s electric grid.

A 2019 study by Siemens and the Ponemon Institute found, “As utilities increasingly adopt business models that connect operational technology power generation, transmission, and distribution assets to Information Technology systems, critical infrastructure is more vulnerable to cyber attacks.”

With a robust information technology industry, the United States has the capability to fight cyberattacks and stay ahead of developments. America’s cyber-fighting expertise includes world-class companies such as Raytheon Technologies, Forescout, and Sierra Nevada Corporation. We can also safely increase connections to the grid, including renewable power sources and smart meters and other remote devices.

It will be critical for industry to work more closely with government laboratories in the years ahead. The Chinese and the Russians will consistently hone their ability to penetrate our electric grid systems and to be able to inflict harm at a time of their choosing.

Furthermore, the timing has never been better for large-scale cyber improvements. With large amounts of the transmission grid likely to be overhauled, in part because of the bipartisan infrastructure package, the opportunities to cost-effectively build new systems with better information technology and operational technology are compelling.

The need for electric grid cybersecurity is greater than ever and the added resources from the bipartisan infrastructure bill will help. To protect our way of life, though, we must be fully committed to continually strengthening the grid from attacks by our enemies, criminals, and other nefarious actors.

Paul Steidler is a Senior Fellow with the Lexington Institute, a public policy think tank based in Arlington, Virginia