The growing reliance of the electric power industry on information technologies introduces a new class of cyber vulnerability. The principal challenge is to determine how best to counter cyber threats posed by malicious elements, be they terrorists bent on destruction, vandals hacking their way into control or data exchange systems, or even commercial competitors, stealing their adversaries' data or sabotaging their operations.
The key to meeting that challenge successfully is to recognize the mutually supportive roles public and private sectors can play.
As everybody realizes, electric utilities have a natural self-interest in protecting their information systems, particularly as these systems are becoming ever more crucial to the operation of their power networks and accounting systems. And in the emerging competitive regime that natural self-interest may be all the more pronounced.
This is because in the traditional regulatory framework, electric power was viewed as a service, and the finding of liability required proof of gross negligence--not easy to establish. But under the new contract arrangements for electric power, the supplier(s) may be liable under product liability law, which would probably be easier to establish. No doubt, too, insurance issues will arise out of these liability battles.
But risks associated with data security transcend the private good of individual companies. Suppose there were a premeditated assault on a power network's data infrastructure. The utility industry is of course well adapted to dealing with a few contingencies, but a coordinated attempt to penetrate several critical information systems at the same time could, if successful, be devastating.
Such risks bear on the nation's security. They can be effectively addressed only at the national policy level.
In the past many electric utilities have relied on building and operating their own communications facilities with the aid of proprietary system products and standards. This practice has yielded a certain degree of isolation and security, but for economic reasons the trend is now toward the use of public networks and general-purpose operating systems, whose many weaknesses are widely known.
An industry goal is more effective use of power system assets, which implies tremendous expansion of the instrumentation used for sensing and data processing--expansion by several orders of magnitude. As the numbers of communicating devices swell, so will complexity. In turn, growing complexity means greater reliance on information systems, needed if human operations staff are to respond quickly enough to deal with events.
Then, too, contending with the Y2K bug has revealed that the integration of systems is much more fraught with risk than was ever imagined. The large-scale and real-time control requirements of the power system will continue to challenge the state of the art in fault-tolerant distributed systems.
Dependency on the Internet is exemplified by the open-access same-time information system (Oasis), adopted several years ago to swap information on power exchanges. It means that conditions on the Internet can greatly influence power system management and trading [see "Keeping the lights on"]. Those conditions are essentially external to the power sector and beyond its control.
By the same token, as power control responsibilities shift from the traditional owners of the power systems to the independent system operators, the nation's power supply is put more at the mercy of the latter's networks and systems. These independents are regional organizations, which are being set up to manage grids as ownership of transmission and generation assets is unbundled.
On the still higher, interregional plane, the coordination of power transfers relies on a nationwide network of people and information systems. As industry restructuring pushes ahead, more points of entry will become available to legitimate users desirous of accommodating power marketing, wholesale and retail trading, and commodity brokering.
To protect these points of entry against hostile individuals or organizations, adequate security measures must be taken. Each entity having legitimate access to a sensitive system also has interconnected partners and exposes the system to their vulnerabilities. What's more, there is always the possibility, as access spreads further, of one or another party doing unintended harm.
Attacking the problem
The challenges of operating in a deregulated environment will put great pressure on the safety margins currently maintained by electric utilities. The competitive need to operate closer to physical limits requires a more accurate and timely understanding of what those limits are--and where one is operating with respect to them. As a consequence, there are smaller margins for information error.
Investments in long-term research and development are already on the decline and could become inadequate for national security and the public good. The depletion of R&D resources may not be felt immediately, but over time the loss of a commitment to technology investment will slow economic growth, impair international competitiveness, and erode technological and economic leadership. Through private sector-public sector cooperation on research, preparedness, and response, the cost to each sector can be reduced.
Moreover, the power industry has decidedly less experience in dealing with information vulnerabilities than with physical and environmental events.
Reductions in the overall vulnerability can be achieved through planning and acquiring state-of-the-art knowledge of information-security management--measures such as penetration testing and intrusion detection. Fortunately, government agencies are in a strong position to support private industry in dealing with cyber issues. One current example of such support is CyberNotes, a publication issued biweekly by the Federal Bureau of Investigation's National Infrastructure Protection Center (for its Web site, see http://www.nipc.gov).
A national agenda emerges
At the heart of many concerns about critical infrastructures is the mutual dependency of electric power and computing systems. Few believe that the industry alone is or should be equipped to deal with a higher-level threat from a well organized adversary such as an enemy government or a professional terrorist or criminal outfit. Preparing for such threats will require a framework and a collaborative action plan involving government as well as industry.
In May 1998, President Bill Clinton issued Presidential Decision Directive 63 (PDD-63), which outlined his approach to protecting critical infrastructures from physical and cyber disruption and attack. The U.S. Government had examined the policy options for addressing vulnerabilities of the infrastructures upon which the nation depends, as regards both their facilities and their computer-control systems. PDD-63 was the culmination of that sustained effort. Recognizing that most of the country's critical infrastructures are privately owned and operated, PDD-63 emphasizes the importance of a public-private partnership to tackle risks and vulnerabilities.
Under the directive, the Department of Energy was designated the lead agency for both the electric power sector and the oil and gas production and storage sector. The North American Electric Reliability Council (NERC), Princeton, N.J., has also agreed to serve as the sector coordinator for the electric power sector.
PDD-63 directs the Department of Energy to coordinate the key components of a National Infrastructure Assurance Plan for the energy sector. The development of this plan will require a concerted, collaborative effort by the government and the private sector, which owns most of the infrastructure. While great strides have been made, developing the necessary working relationships and mutual trust will take time.
In November 1998, senior industry and government executives examined the issues of critical infrastructure protection during an Energy Sector Forum convened in Arlington, Va., by the Department of Energy, the Electric Power Research Institute, and the Gas Research Institute. They recommended that the following steps be taken:
With deregulation and restructuring defining the business agenda, be sure to raise the security issue to the level of the chief executive officers and the boards of directors of the top 10 utilities. To make the case for more action, prepare an industry white paper.
Get information to industry faster so problems can be fixed. Government programs currently move too slowly.
Set up an information technology clearinghouse that will serve as a primary point of contact with government. No forum exists today for sharing information on cyber security.
Continue the good precedent for cooperative awareness and action established by the Y2K process.
Spectrum editor: William Sweet
About the Author
David A. Jones is a senior executive in the Office of Nonproliferation and National Security at the Department of Energy in Washington, D.C. He served as a commissioner on the Presidential Commission on Critical Infrastructure Protection.
Ronald L. Skelton retired in 1977 from the Electric Power Research Institute (EPRI), Palo Alto, Calif., where he was manager for advanced information technology.
To Probe Further
The President's Commission on Critical Infrastructure Protection evaluated the power industry's infrastructures: its report, Critical Foundations: Protecting America's Infrastructures, was published in October 1997 and is available from the Critical Infrastructure Assurance Office at http://www.ciao.gov.
In September 1998, the Secretary of Energy Advisory Board's (SEAB) Task Force on Electric System Reliability issued its final report: Maintaining Reliability in a Competitive U.S. Electricity Industry. The document addresses institutional, technical, and policy issues, and is available at http://www.hr.doe.gov/seab.
R&D issues for the energy sector are described in a report by the Department of Energy's Critical Infrastructure Protection Task Force, issued to the White House in November 1998 and available from the Office of Critical Infrastructure Protection (+1 301 903 9283). Earlier, in August 1996, the General Accounting Office issued Changes in Electricity-Related R&D Funding (GAO-96-203).
The executive summary of the November 1998 Energy Sector Forum meeting, plus news of other Department of Energy activities regarding infrastructure protection, can be found at the Infrastructure Assurance Outreach Program Web site, http://w3.pnl.gov:2080/iaop.