Keeping the lights on

From Hollywood to Washington to the evening news, the subject of cyber security seems to be taking up more and more of the spotlight.

That would appear to be inevitable given the increasing frequency of successful hackings, ranging from that of US retailer Target to Sony Pictures to the US military’s Twitter account and YouTube channel – the latter hacked into by individuals claiming allegiance to the extremist group ISIS.

But the most popular target for cyber attacks is the energy sector.
“For the last several years running, more than half of the hacking attempts in the country have been on the energy sector,” Cheryl LaFleur, chairman of the Federal Energy Regulatory Commission (FERC), states.

“Energy continues to be a major target, which is why we’re fortunate that it’s really one of the only sectors that has a mandatory set of standards in place.”

STAYING AHEAD OF THE THREAT

In addition to mandatory standards, which FERC has the responsibility of establishing for the bulk electric system, there are also voluntary standards created by the Office of Energy Infrastructure Security (OEIS), which FERC established at the end of 2012.

“OEIS was set up to do two principal things,” LaFleur explains. “The first was to work in a non-standards, non-enforcement context with the owners and operators of the bulk electric system; to identify and assess and communicate best practices going beyond the [mandatory] standards. The second was to work with our government partners.”

Indeed, FERC works with such agencies as the Department of Energy (DOE), the Department of Homeland Security (DHS), in some cases the Federal Bureau of Investigation (FBI), the North American Electric Reliability Corporation (NERC) and others.

But in addition to collaborating with other government agencies, a key component of ensuring the security of the country’s critical infrastructure is information sharing between government and the private sector, especially since more than 80 percent of energy infrastructure is privately owned and operated.

OEIS uses the lessons FERC has learned through its work in the voluntary standards it formulates for the industry. It also works with government agencies such as NERC to communicate new threats rapidly through industry meetings and outreach programmes.
“Having the experts in one place with the expertise and the ability to do that has really helped us communicate more quickly and effectively,” she remarks.

One of the main challenges of cyber security, however, is that it evolves quickly, making it difficult for standards to keep up with the latest threats.

An example is CIPS – Critical Infrastructure Protection Standards – part of a set of standards that govern the operation, construction and planning of the bulk electric system to ensure that it’s reliable and secure, both in terms of cyber threats and physical threats.

FERC approved the first CIPS in January 2008. Since then, another four versions have followed, while modifications currently underway will produce the sixth version.

“I’ve often said that this is like the iPhone. You think you have the best model and then a new version comes along,” LaFleur says. “It’s a constant effort to keep standards up to date and to make them broader and more effective.”

Asked whether the country’s energy infrastructure is more susceptible to physical threats or cyber threats, LaFleur responds: “Well either type of threat – or indeed any other kind of threat, severe weather for example – can have an equally devastating effect on the country. I think what’s so difficult about cyber security is that it’s not something you can readily perceive.”

A PUBLIC-PRIVATE PARTNERSHIP

US President Barack Obama has identified cyber security as “one of the most serious economic and national security challenges” of the country and has taken several steps in addressing the problem since beginning his first term in office in 2009.

More recently, and on the same day LaFleur spoke to Infrastructure Investor, the President visited the National Cybersecurity Communications Integration Center (NCCIC), which DHS established in October 2009 and which it describes as “the Nation’s principal hub for organizing cyber response efforts and maintaining the national cyber and communications common operational picture”.

In remarks made during his visit to the NCCIC, Obama reiterated the importance of information sharing between government and the private sector, a topic he addressed in an executive order issued in February 2013, titled “Improving Critical Infrastructure Cybersecurity”.

“Much of our critical infrastructure – our financial systems, power grids, pipelines, health care systems – run on networks connected to the Internet,” the President said. “Most of this infrastructure is owned and operated by the private sector. So neither government, nor the private sector can defend the nation alone. It’s going to have to be a shared mission – government and industry working hand in hand, as partners.”

One way that information is shared between the government and private sector is through Information Sharing and Analysis Centres (ISACs), a group of entities established in 1998 under a Presidential directive decision by then-President Bill Clinton. Initially, eight ISACs were established “for each of the eight infrastructure industries deemed critical to our national economy and public well-being,” ES-ISAC, the body representing the electricity sector, states on its website.

ES-ISAC, in collaboration with the DOE and the Electricity Sector Coordinating Council, “serves as the primary security communications channel for the electricity sector and enhances the ability of the sector to prepare for and respond to cyber and physical threats, vulnerabilities and incidents,” a role similar to the one each ISAC carries out for its respective industry.

Currently, there are 17 such entities, including one for the oil and gas industry.

Asked what other legislation could make FERC’s job easier in terms of ensuring cyber security, LaFleur says: “I think one thing that’s been talked about a lot in the energy space is legislation that clearly delineates who would have emergency authority in the event of some large-scale attack. That’s something that’s been in a lot of the bills and something I’ve publicly testified about.”

Another way to protect energy infrastructure is through modernisation and investment. On that front it would seem the industry is making significant strides.

According to a report released by the Edison Electric Institute (EEI) in early January, the electric power industry invested a record $37.7 billion in transmission and distribution infrastructure in 2013. Projected transmission investment also continued to climb in 2014 with the industry investing in expansion, integration of new resources and improving system resiliency and security, EEI said.

“Right now, we’re actually seeing a great deal of investment in transmission because of the changes in resources in the country,” LaFleur explains. “The new power sources, the new environmental rules, new renewables technologies are leading to a lot of investment in transmission. So it’s a very good time when you’re building new transmission to build it to the latest security standards.”

“But the point of our mandatory standards is that, whether you are old transmission or new transmission, you have to meet the standards because we can’t just wait for all of it to be replaced for it to be secure. It has to be secure now,” she stresses.