To counter the growing threat of cyberattacks, power utilities must harness the same manpower, money and other resources that they throw at natural disasters, industry leaders said Tuesday.
Computerized attacks from overseas could disrupt facilities that generate power and the electric grid that transmits it, said utility executives at an event in Washington, D.C. organized by the Bipartisan Policy Center. And, the executives predicted, it’s not a question of if, but when a disabling attack will happen.
“I know somebody’s coming. At some point in time, somebody’s coming at me,” said Scott Saunders, information security officer for the Sacramento Municipal Utility District. “It’s going to happen.”
The questions then become “how do you respond” and “how was your resilience” in the face of that attack, Saunders added.
Biggest focus: Experts advocate an executive approach to cyberterrorism
Chris Peters, vice president for critical infrastructure protection at Entergy, said the company has a five-year plan to bolster resources to counter cyberattacks.
“We have to treat the cyberthreat with the same respect that we give to forces of nature that impact our grid — hurricanes, floods, ice,” Peters said. “We have to put the same comprehensive approach and the same attention to cyberthreats as we do to the other threats that impact our system. We have to fund it, we have to staff it, and we have to be prepared to respond as necessary.”
A report released by Sen. Ed Markey, D-Mass., and Rep. Henry Waxman, D-Calif., earlier this year highlighted the threat; according to the lawmakers’ analysis, one power utility said it already fields 10,000 attempted attacks every month.
The electric grid’s vulnerability stems in part from its broad reach — a nationwide network of power lines, transmission centers and other infrastructure — and the diverse set of utilities and regulators overseeing it. An attack on one region or supplier can quickly ripple to others.
Security concerns: Cyberattack risk high for oil and gas industry
Overall, industry leaders said they need better information-sharing among the nation’s 3,300 utilities and with the federal government to help identify attacks and combat threats.
For instance, said Pepco’s director of information technology infrastructure, Doug Myers, the government could do a better job of giving power utilities “a dynamic feed of known bad IP addresses.” But federal officials also can help industry get a broader view, Myers said.
“There certainly is a role for data to flow into industry through various means but…there need to be mechanisms to turn that data into actionable information,” Myers said. “The role that government or other agencies can play (not just on providing the data) but also connecting the dots is key.”
Saunders stressed the importance of bidirectional information sharing. While the focus often is on utilities needing information from the federal government, he said, “I’d like to raise my hand and tell the federal government that I think we have information that may be helpful to you.”
“We actually could provide much more actionable information back to the government about what’s actually happening to us,” he added.
Utilities also insist they need liability protection for good-faith information sharing, but privacy activists have criticized the broad reach of the main legislation to insulate the industry, a bill passed by the House earlier this year. Gen. Michael Hayden, the former head of the CIA and the National Security Agency, said he did not expect congressional action on the issue.
Questions also abound about how to pay for efforts to protect the nation’s electric grid from attack.
Malware offshore: Danger lurks where the chips fail
Myers said it was appropriate to talk about the role of the federal government in recouping the costs of better cybersecurity, given the national interest in maintaining a robust grid and electric supply.
Hayden, now a principal at the Chertoff Group, acknowledged the resources are tough to muster. “It’s hard to make the business case” for it, he said.
Separately, Hayden speculated that cyberattacks could be mounted in retaliation if the U.S. arrests Edward Snowden, the former intelligence analyst who leaked information about top-secret NSA surveillance programs.
Activists who have rallied behind Snowden may make irrational demands for his release that are rejected, Hayden said.
“I don’t know that there’s a logic between trying to punish America and American institutions for his arrest, but I hold open the possibility,” Hayden said. Hayden stressed that he was being “speculative, not predictive.”