RICHLAND, Wash. – A window-sized screen updates real-time electricity data, as computers hum in the background. The Electricity Operations Center at Pacific Northwest National Laboratory could serve as a back-up control center for an electrical utility, if its ability to deliver power were wiped out by a disaster — including a cybersecurity attack.
If electric utilities do not properly protect themselves, they can be vulnerable to hackers, who would make it difficult to keep your power running.
That’s why it’s important for utilities to know if they have good cybersecurity measures in place, says Paul Skare, chief cyber security manager at the lab.
Skare has helped the Department of Energy develop an online model for utilities to assess their security. It’s meant to help electric companies pick out the biggest threats to keeping the power on. That way, utilities can do a better job guarding against those attacks.
“What we’d like to see is that the privacy of all the individual consumers are protected, so all your billing information and personal information,” Skare says. “From an electric system point-of-view… We want to make sure that the high-voltage part of the grid stays up and running because that would have the biggest impact on the largest number of people.”
To assess cybersecurity, utilities will be able to take a survey that compares their measures to the online model. They will then be graded on a four-point scale, depending on their system.
The survey will measure several components, including:
How utilities track and plan for cybersecurity risks
If utilities have a cybersecurity program in place. These programs can monitor cybersecurity in coordination with agencies like the FBI, or at the utility through different computer programs
How companies train and vet their staff
If a utility has an emergency response plan in place to prepare for storms or surprise power outages
Skare says utilities will eventually be able to gauge their security plans against others.
“When you’re comparing a small utility in a region to another small utility, they like to get the feeling that they’re doing it in a similar fashion to show their ratepayers that they’re spending their money as wisely as they can,” Skare says.
He says utilities will be able to better spend their money on beefing up security once they understand their gaps. The survey allows utilities to prioritize aspects of their cybersecurity. That’s especially important to smaller utilities, says Annabelle Lee, technical executive of cyber security at the Electric Power Research Institute (EPRI).
“Whether they’re under a state or union or co-op, they can’t just spend lots of money. They have to justify it to somebody, and they have to look at the highest priorities. Number one priority is the reliability of the grid. Cybersecurity supports reliability,” Lee says.
In a 2011 report, EPRI found that updating the grid’s cybersecurity could cost $3.7 billion. That’s a drop in the bucket compared to a total smart grid update, which could range from $338 to $476 billion. Still, costs vary from utility to utility, Lee says, depending on what needs to be upgraded.
“If it’s an organization that has large, expensive equipment that’s really old, replacements are expensive,” Lee says. “If some utilities have started to upgrade some of the protocols that they’re using, then it may not be as expensive. It depends which devices they’re replacing.”
Lee says standards reports also can help utilities figure out what cybersecurity is important to their organization.
Skare hopes that eventually all the nation’s utilities will gauge their cybersecurity risks with this newly developed model.
“In the end,” Skare says, “it’s the consumers who will pay for this with their electric bills. So, as a consumer myself, I like to make sure all the money I’m paying for electricity is spent in the wisest way possible. And I think that, overall, this [model] allows utilities to target where they spend their money, rather than putting too much money in one area so that it’s not needed or leaving a weak link in some other area.”