Cyber attacks are an increasing risk for the US electric sector and have eclipsed terrorism as the primary threat, according to the Federal Bureau of Investigation. The Industrial Control Systems Cyber Emergency Response Team responded to 256 incidents that targeted critical infrastructure sectors in fiscal year 2013, and 59 percent of those incidents involved the energy sector. A large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery. Moreover, cyber threats are more difficult to anticipate and address than traditional threats to electric grid reliability, such as extreme weather. A cyber attack could come from many sources and—given the size and complexity of the North American electric grid—could target multiple vulnerabilities. Advanced grid technologies provide new efficiencies and other benefits but also increase cybersecurity challenges, because the transition from analog to digital controls creates new potential pathways into utility systems.
It is probably impossible to protect the electric grid from all cyber attacks, particularly given the rapid pace at which cyber threats evolve. Therefore, industry and policymakers must consider how to most effectively manage the risks, taking steps to reduce the likelihood of cyber attacks and to limit the impacts of a successful attack. With this goal in mind, the Bipartisan Policy Center launched the Electric Grid Cybersecurity Initiative in May 2013 as a collaborative effort between the center’s Energy and Homeland Security Projects. The initiative was co-chaired by General Michael Hayden, former director of the CIA and NSA; Curt Hébert, former FERC chairman; and Susan Tierney, former assistant secretary for policy at the Energy Department. On February 28, 2014, the co-chairs released a report that provides recommendations in four key policy areas: standards and best practices, information sharing, responding to a cyber attack, and paying for investments in cybersecurity.
Continue reading at Bulletin of the Atomic Scientists