The electric power sector has features that make it a useful case study for cybersecurity governance. The electric grid is not an island unto itself — it depends on critical infrastructure in the telecommunications, natural gas pipeline, water, and other sectors to keep the lights on. Numerous federal, state, and local agencies are involved in some aspect of cybersecurity, including standard setting, collection of intelligence on threats, information sharing, and response to cyber attacks. Furthermore, international consistency and cooperation are desirable because the U.S. electric grid is interconnected with grids in both Canada and Mexico. Notably, a significant portion of the grid (the bulk power system) already has cybersecurity standards developed and enforced by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC). The industry itself has extensive voluntary efforts underway, and some power companies have already spent significant resources to protect customers from costly disruption of electric services.
Against this background of complex governance structure and interdependencies with other sectors, policy makers and the electric utility industry must grapple with a number of specific questions as they develop an approach for protecting the electric grid. For example, does the current allocation of authority among federal agencies and between the federal government and states make sense? Should portions of the grid beyond NERC’s reach be subject to mandatory standards, or would a voluntary approach be more effective? How and when should information be shared between the intelligence community and industry, and what are the implications for keeping customer data private? Are there gaps that need to be filled in the existing system of cybersecurity protection and threat response? How will we pay for the needed protections to electric power systems, and who will bear the costs?
Some of these questions would be addressed in whole or part by legislation and policies under discussion by Congress and the Executive Branch. In April, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act, which expands information sharing between the private sector and government. The Senate considered broader legislative proposals in the 112th Congress including the Cybersecurity Act of 2012, but was unable to reach consensus. President Obama issued an Executive Order in February with a framework for how the federal government should organize itself to protect the nation’s critical infrastructure from cyber attacks.
Despite these and other important efforts in Congress and the Executive Branch, cybersecurity for the electric power sector raises a number of challenging and contentious issues that are unlikely to be resolved in the near term. Additionally, although there are a number of protections that can be taken for critical infrastructure in general, each sector has unique legal standards and institutions that will determine how it is best addressed by government and the private sector.
In light of the growing threats to the grid and concerns that existing standards and institutions may be inadequate to combat and respond to these threats, the Bipartisan Policy Center (BPC) is convening the Electric Grid Cybersecurity Initiative. The initiative, which is a joint effort between BPC’s Energy and Homeland Security Projects, will work to develop recommendations on the appropriate roles for the numerous government and private actors involved with electric grid cybersecurity in North America. The initiative is co-chaired by General Michael Hayden, former Central Intelligence Agency and National Security Agency Director; Curt Hébert, former Chairman of the Federal Energy Regulatory Commission; and Susan Tierney, former Assistant Secretary for Policy at the Department of Energy. The co-chairs will be supported by an advisory group composed of both energy and security experts from academia, industry, and government.