The following Viewpoint is from Brien Sheahan, chairman and CEO of the Illinois Commerce Commission and a member of the DOE Nuclear Energy Advisory Committee, and Robert Powelson, former FERC commissioner and president and CEO of the National Association of Water Companies.
Recent confirmation by the U.S. Department of Homeland Security that Russian hackers targeted the control rooms of the nation's public utilities underscores the vulnerability of our critical infrastructure and the urgency to address this susceptibility in a coordinated and comprehensive way.
Securing the bulk electric system, and in particular the high voltage interstate transmission systems, is an issue that has garnered a great deal of attention. However, we cannot forget the electric distribution system. The increasingly networked and interconnected local electrical distribution system and the critical services that depend on it — such as our water delivery systems, financial institutions, hospitals, food and fuel distribution, and public safety — require national standards and a collaborative effort between federal and state regulators to prevent disruption and strengthen resiliency.
As the situation in Puerto Rico after Hurricane Maria demonstrates, prolonged disruptions in electricity pose a real and serious societal threat. According to a 2015 report by Lloyd's of London, a major attack on the U.S. electric grid could cost between $243 billion and $1 trillion. The stakes are high.
Unfortunately, the threat of a large-scale cyberattack is not implausible. According to a recent Accenture survey, more than three-fourths of North American utility executives believe that cyberattacks could bring down an electric distribution grid in the U.S. in the next five years.
The North American Electric Reliability Corporation (NERC) has been designated by the Federal Energy Regulatory Commission (FERC) as the electric reliability organization responsible for developing and enforcing mandatory reliability standards applicable to the "bulk electric system." These protocols, including critical infrastructure protection standards (NERC CIP), contain extensive cybersecurity requirements for the bulk power system.
In contrast, the regulation of local distribution systems (i.e., the wires, poles, and transformers that take power from the bulk electric system and deliver it to homes and businesses) falls largely within the purview of state public utility commissions (PUCs), municipal corporations, or, in the case of cooperatives, utility customers themselves. Traditionally, the role of state PUCs has been primarily economic regulation, rather than ensuring the operational security of the grid. In most states, utilities self-certify compliance with reliability obligations, including cybersecurity. Fortunately, most utilities understand the threat of cyberattacks and take it seriously, but is this enough?
While federal and utility leadership to harden the bulk electric system has been laudable, there are no consistent, formal, and mandatory cybersecurity requirements across states for local electrical distribution systems. These are the systems that comprise the more than 3,000 local utilities that provide electricity to nearly every person in the United States. PUCs are responsible for reliability; however, with no baseline established for minimum cybersecurity, a patchwork of different regulations and approaches exists across the country.
The rapid pace of change in electricity generation and distribution adds to the urgency. Local distribution systems are becoming more and more complex with digitalization, bi-directional power flows and the integration of distributed energy resources (DERs), such as solar and battery storage.
The Edison Foundation estimates that smart meter deployment will reach 90 million of the 150 million electricity customers by 2020. Utilities have also increasingly adopted distribution automation, which uses digital sensors, switches and other devices on the grid to automate the management of substations, feeder switching, equipment monitoring and power management.
These technologies lower consumer costs and decrease the frequency and duration of outages by improving the speed, cost and accuracy of utility operations. However, as these new technologies and systems become increasingly interconnected, the attack surface for hackers and the potential damage that can be caused by bad actors only grows.
To ensure that all local distribution utilities are employing appropriate cybersecurity standards, we need consistent regulations and best practices for both the bulk power and local distribution systems. A coordinated and unified approach to preventing and mitigating cybersecurity vulnerabilities across state and federal jurisdictions requires national standards and collaboration with state utility regulators at PUCs who oversee local distribution.
Adoption of distribution-level cybersecurity standards could be accomplished through model regulatory rules, with incentives for states to opt in through federal monetary grants tied to compliance with the standards. A collaborative and robust discussion is essential to begin a process that could ultimately culminate in a uniform regulatory approach to set some minimum level of distribution system security.
While compliance should be prioritized, it is important to recognize that the collection and management of sensitive information creates its own set of risks. While many PUCs have recently increased involvement with cybersecurity oversight, the landscape is uneven, and not all PUCs have the resources or expertise to deal with technically complex information technologies. Third party audits are one potential solution for states with resource or technical limitations.
Between the provision of high voltage electricity at the bulk power level and lower voltage electricity distribution to every resident in the nation, there is a cybersecurity gap that has the potential to threaten the country's national security. This is not fear mongering. A disruption of electricity to tens of millions, or hundreds of millions, of Americans for months, or years, could fundamentally impact the country for generations.
Many have said we are at a pre-9/11 moment for cyberattacks, and it is imperative we seize this moment to collaboratively develop sensible solutions to improve distribution system level security. Many utilities have risen to the challenge and already operate mature risk management programs. Establishing minimum cybersecurity compliance requirements at the distribution level can complement the risk-based approaches already in place. Rather than relying on ad hoc fixes, a consistent, unified approach across states and local utilities will most efficiently improve security.
Meagan Pagels and Wei Chen Lin, attorneys with the ICC, contributed to this commentary.