The FBI is worried. Over the past few months, the head of the U.S. Federal Bureau of Investigation, Christopher Wray, has repeatedly and very publicly sounded the alarm about the threat of cyberattacks on America’s most critical infrastructure, including the electric power system.
“The fact is, …targeting of our critical infrastructure is both broad and unrelenting,” Wray told a gathering at Vanderbilt University in Nashville, Tennessee. Wray noted that advanced cyber threat actors’ motivations were varied, including economically motivated intellectual property theft.
The fact that a sophisticated nation-state would choose to launch near-continuous cyberattacks against critical infrastructure underlines something important: critical infrastructure, including the electric grid, is susceptible to cyber incursions and, equally important, needs stronger defenses against increasingly sophisticated attacks. Nation-states, criminals seeking payoffs, and terrorist organizations all view the electric grid as a prime target for cyberattacks.
What makes the grid such a tempting target for cyberattacks? Part of the answer lies in the fact that the grid is essential to everyday life, and any disruption to its smooth operation can create havoc. However, the grid’s vulnerability to cyberattacks is also a function of its transformation to become far more decentralized and decarbonized. “We’re looking towards new ways of generating energy and assets working together more closely than they have in the past through IT (information technology) and OT (operational technology) integration,” said Jason Hollern, an EPRI Technical Executive for Digitalization. “It’s also about how complex the system is going to be and how integrated. That’s creating more security issues that need to be addressed.”
The vulnerabilities of the existing grid are also a function of its age. Indeed, many of the devices and equipment that keep the grid functioning have been operating for many decades and were not originally designed with security in mind. “They were designed and built for their function,” Hollern said. “The replacement of OT devices takes much longer than in IT, where it can be as fast as three to five years.”
Even when devices were designed with cyber security in mind, they often function using proprietary protocols—which can challenge both system cyber security and the necessary interoperability a more distributed and digitized grid demands. Furthermore, those charged with maintaining robust cyber security are also in an inherently reactive position. “We learn of new threat capabilities of the adversaries on a day-to-day basis and constantly need to adjust and react,” Hollern said. “The goal is to have a less reactionary stance to cyber security and be more proactive.”
Department of Energy (DOE) Backs Wide-Ranging Research
The growing threat of cyberattacks is no secret. EPRI has long been engaged in research to identify threats and develop tools and guidelines utilities can implement to prevent and effectively respond to attacks. Regulations and standards are also in place that require utilities and grid operators to take steps to defend against attackers. For example, bulk power system operators must comply with the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Standards focused on cyber security.
However, there is a clear understanding that much more needs to be done to adequately defend against the threat. To help accelerate the development of new tools and standards that can defend the changing electric power system, the U.S. Department of Energy (DOE) announced $45 million in funding to support collaborative initiatives in six cyber security topic areas:
- Automated cyberattack prevention and mitigation
- Security and resiliency by design
- Authentication mechanisms for energy delivery systems
- Automated methods to discover and mitigate vulnerabilities
- Cyber security through advanced software solutions
- Integration of new concepts and technologies with existing infrastructure
This past March, the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response selected EPRI to lead five projects aimed at reducing cyber risks facing the energy system. The EPRI-led projects span four of the DOE topic areas and include a wide range of partners, including member utilities like Salt River Project (SRP), Southern Company, Consolidated Edison (ConEd), and Ameren, as well as universities like Virginia Tech and Penn State and technology companies like NVIDIA.
The projects also leverage EPRI’s past research and the use of EPRI’s laboratory in Knoxville, Tennessee, and Charlotte, North Carolina. “Each of these projects will use our internal lab capabilities to either do prototyping or proof of concepts,” Hollern said. “Each of them also has a demonstration component, where we implement new technologies in the field.”
While each of the projects will last between three and three-and-a-half years, EPRI will produce interim reports and host advisory meetings to provide updates and solicit feedback as it conducts its research. Another unique component of the projects is that they are focused on commercializing the technologies being developed. “The DOE wants to start moving the needle on getting these technologies out into utilities and into the industry,” Hollern said. “Each of them has a commercialization plan with identified commercialization partners so that a pathway to the industry can continue after the actual research is done.”
EPRI Technical Expert
Jason Hollern
