Among the many steps that the electricity sector takes to proactively guard against cyberattacks are tabletop exercises under which utility operators respond to a scenario and work through responses, said Joy Ditto, President and CEO of the American Public Power Association (APPA), on Oct. 6.
If such a scenario becomes a reality, “they have those lessons learned to apply,” Ditto said during a cyber summit held by the Aspen Institute.
Collaboration among the electric sector, government agencies and other industries plays a key role in the success of these exercises, Ditto pointed out.
“There’s a lot we do to try to prepare,” she said. “We’re looking at prevention, but we’re also looking at if something happens and if we have to stand ourselves back up, how do we do that?”
There are various scenarios that are examined over time “because we don’t want to have the hubris that this is not going to ever have an operational consequence.”
One example of how the energy sector regularly drills for potential cyber and physical attacks is the North American Electric Reliability Corporation’s GridEx.
The GridEx exercise, which began in 2011, allows utilities, government partners and other critical infrastructure participants to engage with local and regional first responders, exercise cross-sector impacts, improve unity of messages and communication, identify lessons learned and engage senior leadership. Public power participation increased 47%, from GridEx IV in 2017 to GridEx V. The next GridEx takes place Nov. 16-17, 2021.
Meanwhile, Ditto noted that digital components began to be installed onto the power grid in the 1980s to create efficiency, foster situational awareness and boost reliability.
When this technology was first developed there was not a full appreciation for cybersecurity vulnerabilities.
“When we started to realize that there was a cybersecurity issue, we started to bake in cybersecurity but we had to go back and reconfigure some of those legacy systems and that’s been part of the challenge to us,” Ditto said.
Noting the wide range of sizes among public power utilities, Ditto said that about half of APPA’s member utilities have no digital components on their distribution grids.
“But they will be looking to do so in the future, and I think one advantage they may have there is they can really bake that cybersecurity in on the front end when they’re developing those digital systems” to do things like integrating distributed energy resources, responding to customer needs or thinking about greenhouse gas emissions reductions “more fully on their distribution grids.”
For those public power utilities that already have digital components on their grids, “as we create more digital components to address” evolving customer needs and climate change, “we do now have an opportunity to really think much more strategically and fully about cybersecurity and I know our vendor community is working with us very heavily to do that.”
In July 2021, the Biden Administration released a national security memorandum on cybersecurity for industrial control systems. The memorandum outlined how critical industry sectors including energy should protecting themselves from cyberattacks.
Ditto noted that in the memo and in some actions subsequently taken to flesh out that memo, there are performance goals that will apply across critical infrastructure sectors. “They are voluntary. We agree with the voluntary goals. Where we sometimes get a little bit concerned is” when there are mandates in this space. “Because it is ever evolving it might make us a little bit more about compliance rather than addressing things in a timely manner and in a flexible manner.”
She pointed out that “we’re the only critical infrastructure sector” of the 16 critical infrastructure sectors “that have mandatory and enforceable reliability standards on our bulk power system that include cybersecurity standards.”