A joint strategy released by the governments of the U.S. and Canada to thwart the growing threat of cyberattacks on the electric grid sets three priorities that the countries said would be critical to preserving energy and national security.
The “Joint United States-Canada Electric Grid Security and Resilience Strategy,” released on December 15, outlines three goals: protecting the electric grid and enhancing preparedness; managing contingencies and enhancing response and recovery efforts; and building a more secure and resilient future electric grid. Significantly, the countries’ strategy highlights a critical need to incentivize risk reduction and protective measures to address persistent risks and outlier events.
An Imminent Threat to National Security
While the governments said the joint strategy fulfills commitments made earlier, in March, to strengthen the security and resilience of their shared grid infrastructure, today’s strategy release comes as concerns mount about Russia’s involvement in a cyberespionage and information-warfare campaign that the Central Intelligence Agency suspects was devised to disrupt the 2016 presidential election.
According to The New York Times, Russia turned its attacks for political purposes in Estonia in 2007 and in Georgia, during the Russo-Georgian war in 2008. Both countries are former Soviet republics. On December 23, 2015, a number of energy companies in Ukraine were targeted, and a swathe of unscheduled power outages afflicting three regional power distribution companies prompted a blackout affecting 225,000 Ukrainians. A U.S. interagency team in February 2016 confirmed that that incident—pegged as the first time that malware had apparently been used to prompt a large-scale blackout—was conducted by “external malicious actors,” though it did not directly implicate a specific entity for the attacks.
The electric grid shared by the U.S. and Canada is complex and dynamic, made up of interconnected federal, territorial, municipal, co-operative, and investor-owned and -operated utilities. While owners and operators are primarily responsible for the continued operation and security of critical generation, transmission, and distribution functions of the grid, they are also responsible for implementing mitigation and protection measures to improve security, as well as for leading response and restoration efforts.
Both the U.S. and Canadian governments have in recent years tasked regulatory agencies with establishing reliability and security standards and working with public and private entities to ensure grid security and resilience.
However, the document ominously notes: “New threats, hazards, and vulnerabilities continue to emerge even as we improve our abilities to respond to and recover from incidents and work to prevent, protect against, and mitigate potential consequences of future incidents. The United States and Canada share priorities to reduce the systemic risk to the electric grid through combined and aligned organizational, technical, and policy efforts across the public and private sector.”
Three Key Goals
The strategy essentially calls for federal, state, provincial, tribal/indigenous, territorial, and local governments to coordinate activities through “timely and effective” information sharing. Information sharing is meant to facilitate “prudent, efficient, evidence-based investments in the electric grid’s security.”
Both governments will also coordinate law enforcement and forensic efforts. Meanwhile, the countries will “encourage” utilities to collaborate during cyber-incidents by developing plans and capabilities, assigning roles, and developing procedures to respond.
Sparking investment in grid protection is a key part of the strategy. “Securing and encouraging investments in risk reduction in the existing electric grid and against such consequences is central to the joint and respective national security goals of the United States and Canada,” the document says. “The United States and Canada will strengthen interactions between regulatory structures and operational requirements and augment current incentives to encourage investment in protective measures for both persistent risks and outlier events.”
Other measures call for improving independent and joint abilities of both countries to respond to emergencies. “The United States and Canada will also seek to encourage the expansion of public and private resources for response to and recovery from major power outages through electric grid modernization,” it says. Additional resources should include more robust equipment and systems, research and development for more resilient critical electric grid components, and hardening of assets.
Measures to ensure a more secure grid in the future include jointly identifying, understanding, and addressing “emerging and evolving threats, hazards, and vulnerabilities.”
“To achieve an electric grid that is able to heal itself following major disruptions, we will work to develop a system where power flow can be quickly reconfigured, frequencies can be stabilized, and voltages can be controlled,” the strategy says.
“The United States and Canada will identify, develop, and facilitate the adoption, where appropriate, of advanced system design tools to mitigate cyber threats in an increasingly decentralized electric system.”
Finally, the two countries will coordinate with industry and academia to develop a highly skilled workforce.
The strategy will be implemented in accordance with forthcoming detailed action plans from both countries.
—Sonal Patel, associate editor (@POWERmagazine, @sonalcpatel)