AUSTIN, Texas (September 11) — The prevention of a potentially catastrophic cyber attack on America’s electric power grid requires frank conversation, compromise, and incentives, say experts at The Anfield Group of Austin, Texas.
“With each passing day, the North American power grid experiences a growing number of increasingly sophisticated cyber attacks,” said Patrick Miller, an Anfield Group partner and managing principal. “Most are simple probes or ‘pings’ testing current cybersecurity defenses. But it is not unlikely that some of these probing efforts will expose flaws that could allow hackers, both individuals and those supported by foreign powers, to literally turn off the electric power in much of the nation and keep it off for days or even weeks at a time.”
In recent years, Miller and his associates at The Anfield Group have conducted more than 130 audits of the electric utility industry to ensure compliance with a variety of governmental and industry regulations regarding cybersecurity. He concludes that regulations, by themselves, can’t secure the grid.
“We could fix the regulatory model, but that would literally take an act of Congress,” said Miller. “The President’s executive order earlier this year emphasized the need for cybersecurity for the nation’s power grid, but there’s only so much an executive order can do. That’s why some sort of compromise between Congress, the White House and the industry is vital. Time is slipping away and even if a compromise is reached, the electric industry cannot change overnight — harnessing one of the most powerful forces in nature and squeezing it down a skinny wire to your house so you can see in the dark, dry your jeans and toast a bagel is an incredibly complicated process.”
Miller explained that the Federal Energy Regulatory Commission and the industry’s North American Electric Reliability Corporation (NERC) do an outstanding job of writing standards and enforcing their compliance, but new cybersecurity threats arise almost daily. As a result, regulations are always trying to catch up with the changing realities of protecting the North American power grid.
“What we have found is that when it comes to North America’s electricity, there are dedicated, responsible, and profoundly smart people keeping the juice flowing,” said Miller. “They do it every day. They fix it fast when it breaks. And they work just as hard to keep it secure. This is serious business for them.”
Miller and his fellow experts at The Anfield Group see incentives as the motivation needed to jump-start new, cooperative efforts to secure the grid. These could include federal grants, limits on liability or even some sort of public recognition or awards program.
“We need incentives for R&D so new security technologies can make their way from idea to product. We need incentives to upgrade to these new security technologies and get rid of the excuse that it costs too much to take an outage and replace hardware,” Miller said. “We need incentives and assistance to train the next wave of cybersecurity professionals for the industry. We need incentives to share information between utilities so they can gain situational awareness from their interconnected peers and the government, if they so desire – in a way that won’t put them in a legal pinch for doing so.”
With more than 30 years of combined experience in NERC CIP standards, The Anfield Group stands out as the most experienced consultancy in the industry. The firm’s experts have participated in CIP drafting teams and implemented the standards at utilities. The staff includes NERC-certified lead auditors and the founding chairman of the CIP Compliance Working Group composed of the CIP Compliance Managers and CIP Subject Matter Experts for all eight regions. Together, The Anfield Group staff has participated in more than 130 NERC audits.
“Now our enemies are also seeking the ability to sabotage our power grid,” President Barack Obama, State of the Union Address, Feb. 12, 2013
The Anfield Group provides security to the North American power grid through the application of security-based strategies, regulatory compliance, solutions integration, education and training.