The time has come for the U.S. government to focus a single agency's efforts on reinforcing the security of the electrical grid, MIT researchers said today in a wide-ranging report.
The issue, MIT's researchers say, is that the many stakeholders involved in maintaining the U.S. electrical grid aren't working together, even though "cybersecurity regulations for bulk power systems already exist in the form of the NERC Critical Infrastructure Protection reliability standards." For one, the researchers point out, those standards only apply to "the bulk power system and [do] not include the distribution system." Distribution utilities on the local level are operating outside current regulations, making managing the entire grid practically impossible, the researchers added.
"This lack of a single operational entity with responsibility for grid cybersecurity preparedness as well as response and recovery creates a security vulnerability in a highly interconnected electric power system comprising generation, transmission, and distribution," the researchers wrote.
To address the problem, the researchers believe "the federal government should designate a single agency to have responsibility for working with industry and to have appropriate regulatory authority to enhance cybersecurity preparedness, response, and recovery across the electric power sector, including bulk power and distribution systems."
The only question is, which organization should it choose? The Obama administration has argued in the past that the Department of Homeland Security should be charged with securing the electrical grid, while many members of Congress have called on the Department of Energy or Federal Energy Regulatory Commission to take over. So far, a decision hasn't been made, and MIT researchers didn't provide insight into which organization might be best.
However, the researchers did point out that absolute protection against a cyberattack on the electrical grid is nearly impossible. Therefore, the U.S. government must act quickly to find a suitable organization that can not only safeguard the grid, but also establish a response to a potential attack.
"Perfect protection from cyberattacks is not possible," the researchers wrote. "There will be a successful attack at some point. It is thus important for the involved government agencies (i.e., NIST, DOE, FERC, and DHS), working with the private sector in a coordinated fashion, to support the research necessary to develop best practices for response to and recovery from cyberattacks on transmission and distribution systems, so that such practices can be widely deployed."
Security researchers have been worrying about attacks on the electrical grid for well over a decade now. For good reason. In 2009, a U.S. senior intelligence official told The Wall Street Journal that both the Chinese and the Russian governments have "attempted to map our infrastructure, such as the electrical grid."
That information and continued threats from China have prompted the U.S. to get serious about securing the electrical grid. In fact, Pike Research reported last year that 15 percent of all smart grid investments over the next several years will be spent on cybersecurity.
But before the nation gets too carried away on the grid's security, MIT's researchers say the situation isn't nearly as bad as some think. It's just that complacency and a general lack of action could prove to be the system's downfall.
"Between now and 2030, the electric grid will confront significant new challenges and inevitably undergo major changes," the researchers said. "Despite alarmist rhetoric, there is no crisis here. But we do not advise complacency.
"The environment in which the grid will operate will change substantially in the next two decades," the researchers added. "If the grid is to evolve with minimal disruption despite the challenges ahead and if electricity rates and levels of reliability are to be acceptable, decision makers in government and industry need to continue to focus on meeting the system's challenges."