Security and Resilience (Cyber and Physical)

Modern Utility Resilience: Fighting the Hydra

The word “resilience” has become a term of art in recent years, especially in critical sectors like electricity. While many groups have attempted to define the word in precise ways, the essential meaning is simple — how well an electric utility (or system of utilities) can absorb an event that causes an outage in all or parts of its territory and restore power as quickly as possible.

The range of possible events that could cause an outage includes natural disasters such as ice storms, hurricanes, and tornadoes; accidental physical damage such as a plane crashing into a substation; intentional physical damage caused by a person or people, such as cutting, shooting, ramming or bombing facilities; and a cyberattack that compromises critical infrastructure (to date, a cyberattack has not led to a power outage in the U.S.). It is also possible that other types of “high-impact, low-frequency” (HILF) events — events that happen rarely, if ever — could cause significant problems, including outages. Such HILF phenomena could take the form of electromagnetic pulses caused by detonation of high-altitude nuclear devices, solar flares and, yes, pandemics.

Most of these threats to electric grids have existed since the first interconnections between utilities in 1922. That is why electrical engineers plan for contingencies by creating redundancies, training staff, and exercising restoration in potential outage scenarios. Electric utility managers and planners also stockpile materials such as poles, copper wire, and other crucial equipment. It’s also why the electric sector came together in the late 1990s to create mandatory reliability standards for the interconnected bulk power system in the U.S., Canada and parts of northern Mexico. Ultimately passed in the 2005 Energy Policy Act, the new standards regime (formally Section 215 of the Federal Power Act), managed by the North American Electric Reliability Corporation and overseen by the Federal Energy Regulatory Commission, is intended to prevent power outages and to promote resilience. Compliance with such standards is not the end of the story, however.

The mid-2000s brought into focus the potential for cybersecurity threats to undermine reliability and test the resilience of our systems. This threat is like the Hydra of Greek mythology — multi-headed and massive, and when you lop off one head, another five grow back to replace it. As an industry, and as public power specifically, we regularly reevaluate how we manage risk in order to combat the Hydra.

We have recognized the need to partner more fully with the federal government and via pan-industry “information sharing and analysis centers” (ISACs), such as the Electricity ISAC and the Multi-State ISAC, because they help identify cybersecurity vulnerabilities — such as those potentially impacting the digital components we use in our SCADA systems — as well as active threats.

We have also learned to think about cybersecurity on the front end of deploying new digital technology onto our infrastructure and to hire and partner with cybersecurity experts. We now know the difference between operational technology (OT) and information technology (IT), with the former giving us the ability to operate our grids remotely and with greater situational awareness and the latter allowing us to conduct business with our customers and others through platforms such as websites, billing systems, and databases. We have figured out that having an extremely good handle on our digital assets and how exactly they interface with our grids (OT) will help us manage and mitigate cyber risk over time.

While this may seem daunting, as public power utilities think about modern resilience, we must rise to the challenge of integrating both cyber and physical security into our planning and risk mitigation strategies. We must also understand and seek to assure the safety of our most critical workers, as the COVID-19 pandemic has underscored. The American Public Power Association has tools and resources to help, including via cooperative agreements with the Department of Energy. We also continue to partner with joint action agencies, state and regional public power associations, and others in the industry and government to empower our public power utility members through knowledge-sharing, education, technical support, and mutual aid. Together, we are resilient.