Several times in the past few weeks I've seen articles in magazines and newspapers, and online that state as a fact that the electric power utilities have taken the lead in protecting the country's infrastructure from cyber attack. As we've shown repeatedly for years, nothing could be further from the truth. How "cyber secure" each utility is depends on how you count it. The North American Electric Reliability Corp. (NERC), which is both the trade association of electric utilities and the federal government's main regulator of those utilities, simply made it possible to have entire power plants and distribution facilities declared to be "non-critical" cyber assets. Why? Well, it seems they have excess generation capacity. What arrant nonsense!
The very fact that there is, at a given point in time, excess generation capacity does not logically lead to the notion that a cyber attack will only happen to one generation station at a time. In fact, it is likely that such an attack will happen to all of them. Not a critical cyber asset? Says who?
Says the lawyers, that's who. The utility industries have been quick to treat cybersecurity exactly as they have treated safety—as regulatory compliance exercises. They comply with the regulations, no more and no less.
Why would the utilities not want to be measured on increasing security? It's about liability. If you admit there's a security problem, or even a security metric, then you have admitted liability—and when the power goes out and the root cause is traced to a cyber attack, the large users who have been inconvenienced will sue to recover what production they lost and what damages they suffered.
If the utilities treat the idea of cybersecurity as a regulatory compliance issue, not only are they not admitting that they might have liability, but also they can use the very fact of compliance as a defense against liability claims.
Meanwhile, what about making our power grid more secure? Since NERC is the regulatory body, as well as the trade association, it really doesn't have any reason to do that, and nobody to tell it to do it either. Congress doesn't look like it is going to do anything anytime soon, so NERC is in the clear until the lights go out.
Joe Weiss, our "Unfettered" cybersecurity blogger, said in a recent post that he believes the way to increased security in the utility sector isn't through NERC or government regulation, but through the insurance companies.
Joe wrote, "The insurance companies that insure industrial facilities are struggling to understand the new cyber risk as it is different from other risks already insured. When the insurance company insures a company or a facility, they do not assume that key pieces of equipment or key facilities will not have threats addressed. Yet that is precisely what the NERC CIPs do. They allow the utilities to exclude facilities, equipment, communications, etc. from any cyber inspection."
Once the insurance companies understand this, they will push for real cybersecurity measured by increased security, rather than by regulatory compliance. When the lights go out, the insurance companies are the ones that pay.
Currently, the penetration of cyber insurance in the private sector is very low (less than 20% of companies) and centered on enterprise security, not industrial control systems. It's even lower in the public sector. What this means is that the insurance companies don't understand the risks they are being asked to insure against. When they do, regulatory compliance instead of real security just won't cut it.
I think Joe is right. It may be that the "free market" will work better than any other way to improve security in the power utility industries. I sure hope so. I also own a very large generator.