The U.S. utility sector has been focused on cybersecurity for several years now, as the industry grasped the full extent of the threat it faces — and how unprepared most companies really were.
The effort to get up to speed has progressed on several fronts: This year, the U.S. Department of Energy created the Office of Cybersecurity, Energy Security, and Emergency Response, and is now funding tens of millions of dollars in projects and research. GridEx, a biennial security event hosted by the North American Electric Reliability Corporation's Electricity Information Sharing and Analysis Center, draws thousands of participants and allows them to run through their cyberattack response protocols. And the Federal Energy Regulatory Commission (FERC) has been strengthening its Critical Infrastructure Protection (CIP) Reliability Standards to respond to more sophisticated threats.
In the face of these enhancements, a recent survey found almost half of power and utility CEOs think a cyber attack on their company is inevitable.
While utilities appear to be making peace with their responsibilities and the stakes, most scenario planning has been focused on short-term outages. For better or worse, say industry officials, utilities have gotten pretty good at responding to those.
But a new draft report from the President's National Infrastructure Advisory Council (NIAC) is tackling a different kind of blackout.
In "Surviving a Catastrophic Power Outage," the council examines the United States' ability to respond to and recover from an outage "of a magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and consequence."
NIAC was tasked with considering an unprecedented scenario: an outage that extended beyond days and weeks, out to months or even years, while affecting large portions of the country.
"We know how to deal with, what we'll call 'extended outages.' We have lot of experience responding to those, similar to what happened in Puerto Rico with Hurricane Maria," said Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute, and a member of the report's advisory group.
"The devastation in Puerto Rico following Hurricanes Irma and Maria gave us a glimpse at how a loss of power can cascade into other sectors affecting public health and safety and the economy."
Surviving a Catastrophic Power Outage
National Infrastructure Advisory Council
"From a planning perspective, if you're simply planning for things you already know how to do, that isn't helpful," said Aaronson.
There has been much debate around the federal response to the disaster on Puerto Rico, and the official death toll — raised from an initially-reported 64 to 2,975 following more study — reflects the difficulties NIAC's report addresses. A power outage of this length would be devastating and deadly with impacts reverberating far beyond utility poles and wires.
"The devastation in Puerto Rico following Hurricanes Irma and Maria gave us a glimpse at how a loss of power can cascade into other sectors affecting public health and safety and the economy," the report says.
NIAC's report uses the word "cascading" more than two dozen times, highlighting the potential for far-reaching impacts from such an event. And the findings do not inspire confidence.
Are we ready?
The report concludes that "existing national plans, response resources, and coordination strategies would be outmatched by a catastrophic power outage," adding, the "profound risk requires a new national focus."
The report includes a broad range of recommendations, from clarifying federal authority with a focus on Cabinet-level leadership, to conducting a series of regional outage exercises. But generally there are two ideas underpinning the suggestions: design a "national approach" to prepare for, respond to and recover from a catastrophic outage; and improve "our understanding of how cascading failures across critical infrastructure will affect restoration and survival."
A lot of the recommendations are already being implemented in many ways, said Aaronson, from long-range planning to coordination across critical infrastructure sectors.
The report "continues a conversation about the threats we as critical infrastructure providers face," he said, adding that the industry needs to be using the "time we have now while the skies are blue … to be planning for an impact from an intelligent adversary."
- Develop a federal design standard to determine what infrastructure is needed to mitigate outage impacts;
- Develop guidance and provide resources for states, territories, cities and localities to design community enclaves where critical services and resources could be co-located in order to maintain health and safety in communities and to allow residents to shelter in place.
- Ensure critical natural gas transmission pipeline infrastructure has the "appropriate standards, design, and practices" to continue service during an outage and to provide "rapid availability" to blackstart generation.
- Design a portfolio of incentives that provide financial support or remove financial and regulatory barriers to help implement the report's recommendations.
Digging down into the "portfolio of incentives" idea, the NIAC draft report identifies these suggestions to assist power companies:
- The Secretary of Energy should identify major incentives that could "quickly have impact," that would take into account different ownership structures in the power sector (e.g., investor-owned utilities, cooperatives, public power utilities), "and that some may need more direct financial support."
- FERC should implement cost recovery and return on equity incentives for investments in hardening the bulk power system.
- DOE should work with Congress to provide incentives and technical assistance for state public utility commissions to evaluate cost recovery for resilience investments or provide cost recovery incentives at the retail or distribution level.
- DOE and Congress should work to provide liability protection and other incentives set forth in the recommendations where the government lacks authority.
But at least one expert says some of these incentives are unnecessary.
"I do not see a need for 'incentives,'" Jon Wellinghoff, former FERC Chairman and founder of Grid Policy, Inc. at the Rocky Mountain Institute, told Utility Dive. FERC has already enacted reliability and CIP rules for utilities, he said, with which utilities must comply.
"If they do so they will be compensated for their investments and the bulk power system will be hardened," Wellinghoff said in an email. "FERC generally does not give out incentives for compliance with its Orders."
Aaronson said the report is mostly aimed at showing "where lines of investment and responsibility lie" rather than prescribing incentives. Right now, "there's no clear line of demarcation" between customer and government responsibility, he told Utility Dive.
The NIAC report itself sums the issue up well: "The power grid is a prime target for attack by nation states, and it is not fair for ratepayers to bear the full burden for this national security function."
"Utilities are looking very hard at the fact that we are targets of malicious actors."
Vice President of Security and Preparedness, Edison Electric Institute
When it comes to paying for grid hardening, "some parts of the investment can be on customers," Aaronson said, adding there are already "all sorts of incentives to protect infrastructure" across the power sector. And utilities are already pursuing much of the work needed.
"Utilities are looking very hard at the fact that we are targets of malicious actors," said Aaronson.
In addition, "there are functions that are inherently the responsibility of electric customers," he said. But "sophisticated and intelligent adversaries" and other threats are evolving that responsibility, from a "financial and protection standpoint."
Protect Our Power Executive Director Jim Cunningham told Utility Dive that customers should not be asked to shoulder all of the financial requirements of defending the grid, but they do have a share to pay.
"Nothing is done for free — that's the story of getting stuff done," said Cunningham. But, he added, "the cost is going to run into the billions to do it right, and laying all of that on the back of the ratepayer seems like an incredible burden."
"There is a national security component here that the Department of Defense is involved in. Having them find money might be another way."
Executive Director, Protect Our Power
Protect Our Power believes grid-hardening cyber-defenses need to be viewed as an investment, which utilities can recover and earn a rate of return on, rather than an expense.
The group believes there are three primary ways to finance the necessary investments: customers can pay through rates; infrastructure grants from the federal government; and some form of bonds to finance power system upgrades, with the cost potentially spread out over decades.
"There is a national security component here that the Department of Defense is involved in," Cunningham added. "Having them find money might be another way."
But "the reality is, it's an ongoing threat. It's not something we fix today and walk away from," Cunningham said.
"The value of the report is to further the conversation between and among stakeholders, our regulators, the national security community, and the federal government," Aaronson said, noting that 87% of critical industry is privately owned.