Washington, D.C. – The Bipartisan Policy Center (BPC) today published a new report through its Electric Grid Cybersecurity Initiative with recommendations on how to better prepare for cyber attacks against the electric grid. The report is authored by the initiative’s co-chairs General (Ret.) Michael Hayden, former director of the Central Intelligence Agency and National Security Agency; Curt Hébert, former chairman of the Federal Energy Regulatory Commission (FERC) and former executive vice president of Entergy Corporation; and Susan Tierney, former assistant secretary for policy at the Department of Energy.
Cyber attacks on key energy infrastructure, including the electricity system, are increasing in terms of frequency and sophistication. Electric grid failures are costly and have the potential to profoundly disrupt delivery of essential services, including communications, food, water, health care and emergency response. In light of these developments, BPC convened the Electric Grid Cybersecurity Initiative – a hybrid project of BPC’s Energy and Homeland Security Projects – to tackle these challenges.
Although industry has taken many actions to prevent such attacks, there is more that can be done to improve grid cybersecurity. BPC’s initiative identified urgent priorities, including strengthening existing protections, enhancing coordination at all levels and accelerating the development of robust protocols for response and recovery in the event of a successful attack. The initiative developed recommendations in four policy areas: standards and best practices, information sharing, response to a cyber attack and paying for cybersecurity. The recommendations are targeted to Congress, federal government agencies, state public utility commissions (PUCs) and industry.
“Timely information sharing is the primary way to identify, assess and respond to threats in real time,” said General Hayden. “The intelligence community needs to identify best practices for sharing classified information in a way that is actionable for industry.”
“The electric power industry is proactively taking many steps to protect the grid from cyber attacks, but current policy treats transmission and distribution systems very differently. Given the interconnectedness of the grid, there is a need to complement existing efforts with an organization that broadly encompasses a full set of power sector participants to advance cybersecurity risk-management practices,” said Curt Hébert. “This organization – modeled after the nuclear industry’s Institute for Nuclear Power Operations – could provide detailed facility evaluations, train and accredit related professionals, and provide technical and management assistance to individual utilities.”
“Utilities are expected to spend roughly $7 billion on cybersecurity by 2020. That’s not chump change,” said Susan Tierney. “A key question moving forward is how the cost of such investments will be distributed. Some government leadership is needed to help regulators better evaluate investments. We should also provide support for entities that own critical facilities but may lack resources to make investments.”
“Initiatives like this are exactly what makes the BPC, BPC. We’ve brought together an interesting cross-section of national security and energy experts to help address governance issues that have billions of dollars of costs and potentially life-threatening implications,” said BPC President Jason Grumet. “I look forward to seeing how people react to this on the Hill, in the executive branch and in industry as we move forward with advocating these recommendations.”