Supplier Opportunities


New Challenges in Cyber Security for Electric Companies

The bulk power system meets mandatory cyber security standards, but what about the companies distributing power to customers? The answer is: America, you have a problem.

- By Donna Benjamin

The hottest topic in technology is not the cloud or the new features that will come with the next generation of smartphones and tablets. It is cybersecurity. The recent security breach at Target, which impacted as many as 110 million customers, was a truly eye-opening experience. What if the company had been an electric company and 30 million people lost power? That puts a whole new twist on cybersecurity. There are real risks for electric companies associated with potential cyber attacks, so the government and industry specialists are working on finding solutions to the threats. The potential for suppliers that can contribute products, services, and technology know-how to minimize the risks is unlimited.

The electrical grid is an interconnected network of supplier power systems delivering electricity to customers. Bulk power systems are the segment of the electrical system made up of power generators, major transmission facilities, and control systems. The power is distributed to smaller electric companies that then distribute it to homes and businesses. Since everything is computerized today, a cyber attack can target the bulk power systems or the distribution systems. As a measure of the seriousness of the risks, the Federal Bureau of Investigation reported that cyber attacks are becoming more of a possible threat than a terrorist attack. Besides the incredible economic costs associated with blackouts of any cause, a cyber attack on the power grid at any level could disrupt critical activities like delivery of food and water, communications, health care, and military and government functions essential to safety. Attacks could hit the high-voltage transmission lines, power plants, substations, small electric generators, distribution lines, private microwave networks, and control stations.

Threats at Any Point

A highly sophisticated attacker could theoretically enter the network from a residence or business. One of the many concerns is how an attack on a distribution system could harm the bulk system, a case of working backwards from the edge of the grid. There is also a concern that a coordinated attack on more than one distribution system, or an attack on a single system at multiple locations, could broadly harm the bulk power system.

This raises the question: How much security is enough security? One of the difficult issues with security systems is that they are designed to put up barriers to keep out anyone or anything that is not supposed to enter the system, but the energy grid is designed to deliver non-stop power flows. This creates a unique technology challenge. The federal government has already established security standards for bulk power systems, but this implies a regulatory complexity. Who or what is supposed to manage cybersecurity beyond the bulk system?

Though Americans tend to think of cyberthreats as acts of outside terrorism, they could potentially come from anyone with the technological know-how. This includes a lot of people, like system operators, foreign nations, private businesses, and hackers who just want to prove they can do serious damage through hacking. Since the electric grid is interconnected, there are many points where attacks can occur. At the same time, there are just as many points of opportunity for new technologies and approaches that could serve as cyberattack barriers.

Meeting the challenges is difficult in such a complex, multi-layered system. The Bipartisan Policy Center issued a report on the Electric Grid Cybersecurity Initiative. The policy group, formed in 2007, is a Washington, DC-based think tank that actively promotes bipartisanship to address the key challenges facing the nation. Its report points out that there are unique challenges that will best be met through public-private partnerships to leverage assets and knowledge. Reading between the lines of the report, it is clear there are numerous areas where suppliers can get a piece of the action by providing products and services.

Menu of Opportunities

There are five project areas. The first is to Build a Culture of Security. In this area, suppliers have an opportunity to educate and train people in the electric industry. The second project is identified as Assess and Monitor Risk, which addresses developing tools to assess security status. Third, there is a need to Develop and Implement New Protective Measures to Reduce Risk. The opportunities in this area include research, development, and systems to identify system vulnerabilities. Fourth, Manage Incidents is an area that addresses cyber intrusion detection, remediation, and recovery and restoration. The fifth and final area is Sustain Security Improvements, in which stakeholders are continually engaged in a collaborative manner to keep the flow of information going.

There is a lot of voluntary activity going on already because the industry is the first to recognize the risks of cyber attacks. The American Public Power Association, the National Rural Electric Cooperative Association, and The Edison Electric Institute have been identifying and documenting best practices and forming partnerships with each other and with the federal government. However, there is so much work that still needs to be done to protect the electric grid. The electric companies are not sitting still. They are implementing policies and procedures addressing security management, electronic and physical asset security, systems security, backup systems, and recovery.

A Call for Innovation

There are a lot of opportunities in the utility industry due to a need for new software, equipment, and security procedures. What is really needed is innovation. For every new security system implemented, there are thousands of hackers trying to break in. Electric companies are struggling to defend their systems against cyber attacks. The new smart power grids are only complicating the issue because they provide another entrance point into the electric system via internet protocols. To date, most supervisory control and data acquisition (SCADA) systems have been standalone, creating a natural barrier to cyber attacks. That is changing with the conversion to internet-based systems.

There is probably not a more complicated problem than protecting the electric grid from cyber attacks. The sprawling system is a blend of old and new technology. The businesses that develop effective security systems, protocols, and administrative systems will be on the cusp of a new industry. Working through the trade associations is a good way to network as a supplier. How much security is enough? That is difficult to answer. Target found out that having a couple of layers of security was not nearly enough.

About DiversityPlus Magazine:
DiversityPlus is much more than “just” a supplier diversity magazine. Thanks to its strong media platform, which includes the print edition, digital magazine, website, weekly newsletter, social media, blogs, and video, DiversityPlus is able to provide print readers in seven countries and more than 117,000 digital readers worldwide with access to leading-edge supplier diversity content, webinars, and events.

What you’ll read in the pages of DiversityPlus represents the most current and impactful thinking about diverse supplier relationships. Plus, with over 17 years in print, our trend research, interviews, and feature articles showcase a depth of industry relationships unmatched by any other supplier diversity publication.