EEI Energy Talk
Top Story
Securing the Nation’s Energy Grid

​October is Cyber Security Awareness Month, but securing the nation’s energy grid is the electric power industry’s top priority all year long. Electric companies proactively safeguard the energy grid to help ensure a reliable and affordable supply of energy for customers. To address hazards that could impact the energy grid’s complex and interconnected technologies—including malicious, man-made cyber and physical attacks as well as a variety of natural disasters—the electric power industry is working hard to enhance the resilience of the energy grid and to accelerate recovery from potential incidents.

The electric power industry takes a risk-based “defense-in-depth” approach to protecting critical energy grid assets from all threats. This approach includes:

  • rigorous, mandatory, and enforceable reliability regulations; 
  • close coordination among industry and with government partners at all levels; and 
  • efforts to prepare, respond, and recover should an incident impact the energy grid. 

The electric power industry is subject to mandatory and enforceable reliability standards that include cyber and physical security mandates. Regulations and standards provide a solid foundation for strengthening the industry’s security posture, but, given the dynamic threat environment, the industry’s efforts move beyond them. Electric companies tailor security programs to their unique operating and business environments, and they coordinate with the Electricity Information Sharing and Analysis Center (E-ISAC); federal agencies including the Department of Energy, Department of Homeland Security, and the FBI; and state governments to identify and mitigate threats.

The electric power industry’s security strategies constantly evolve and are closely coordinated with the federal government through a CEO-led partnership called the Electricity Subsector Coordinating Council (ESCC). The ESCC, which includes electric company CEOs and trade association leaders representing all segments of the electric power industry, serves as the principal liaison between the federal government and the electric power sector to coordinate efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. By working together, industry and government greatly enhance our nation’s ability to defend and protect against cyber and physical security threats. To improve energy grid security, the ESCC focuses on:

  • identifying research and development opportunities for tools and technologies that improve situational awareness and enable machine-to-machine information sharing;
  • ensuring that timely, actionable intelligence and threat indicators are communicated between industry and government;
  • preparing for and exercising to coordinate responses to both natural and malicious threats to energy grid operations; and
  • working closely with other interdependent infrastructure sectors (communications, downstream natural gas, financial services, and water) to ensure all are prepared for, and can respond to, national-level incidents.

The National Infrastructure Advisory Council has called the ESCC a model for how critical infrastructure sectors can partner more effectively with government, and it has been a catalyst for major initiatives that are improving the security posture of the industry and the nation.

Read the ESCC’s factsheet. Learn more in EEI’s grid security key messages and factsheet.

Industry in Action
Exercises and Information Sharing Enhance Grid Security

​Electric companies plan and regularly exercise for a variety of emergency situations that could impact their ability to provide electricity. The industry also is engaged in programs that enhance the ability of industry and government to share critical information on all types of threats. 

The industry has partnered with the federal government to create the Cybersecurity Risk Information Sharing Program (CRISP), a public-private partnership co-funded by the Department of Energy and the industry and managed by the Electricity Information Sharing and Analysis Center (E-ISAC). CRISP enables near-real-time, bi-directional sharing of actionable unclassified and classified threat information among government and industry stakeholders, using advanced collection, analysis, and dissemination tools to identify threat patterns and trends across the electric power industry. Cyber threat information shared through CRISP is helping to inform important security decisions among participating companies and all E-ISAC members throughout the electric power industry.

The industry also regularly participates in incident response exercises, including several national-level exercises since June 2016. Among them was FEMA’s May 2018 national-level exercise, which tested the ability of all levels of government, private industry, and nongovernmental organizations to protect against, respond to, and recover from a major Mid-Atlantic hurricane. Several local, state, and federal exercises were integrated into this drill, including the Department of Energy’s Clear Path VI.

In November 2017, the North American Electric Reliability Corporation’s GridEx IV gathered more than 450 organizations and 6,500 participants from industry, government agencies, and partners in Canada and Mexico. The two-day exercise simulated a coordinated cyber-physical attack that damages the bulk power system and causes widespread outages. GridEx IV also included an executive tabletop exercise where 40 electric sector executives and senior U.S. government officials worked through incident response protocols to address widespread outages.

Innovative Partnerships
Cyber Program Builds on Industry’s Hallmark of Mutual Assistance

​Mutual assistance is a hallmark of the electric power industry, and is an essential part of the industry’s restoration process and contingency planning. Mutual assistance goes beyond sharing crews and critical personnel and includes resources and equipment that can be allocated and shared among electric companies to ensure all restoration and recovery needs are met. As cybersecurity risks proliferate, the electric power industry is expanding upon its culture of mutual assistance by organizing itself to prepare for new types of threats and by using the latest tools and technologies.

In partnership with the Electricity Subsector Coordinating Council (ESCC), the industry has created the cyber mutual assistance (CMA) program. The CMA program is composed of industry cyber experts who are able to provide voluntary assistance to each other in advance of, or in the event of, a disruption of electric or natural gas service, systems, and/or IT infrastructure due to a cyber emergency. To date, more than 140 entities, including investor-owned electric and natural gas companies, electric cooperatives, public power utilities, Canadian electric companies, and regional transmission organizations/independent system operators, participate in the voluntary CMA program. CMA program members provide electricity to more than 80 percent of U.S. customers.

Policy Perspectives
Outlining the Industry’s Cybersecurity Strategies on Capitol Hill

​As the electric power industry works together through the Electricity Subsector Coordinating Council (ESCC) to confront constantly evolving threats to the energy grid and to coordinate with federal and state partners, the industry also is committed to keeping all stakeholders informed. To highlight the ESCC’s efforts, ESCC Co-Chair Tom Fanning, chairman, president and CEO of Southern Company, recently testified​ before the U.S. Senate Judiciary Committee’s Subcommittee on Crime and Terrorism. 

“Securing critical infrastructure from all threats—but particularly from new and evolving cyber threats—is a defining challenge for our nation,” Fanning said. “The threat to critical infrastructure and to our way of life is growing, but so is the work that is underway to prepare our systems, to prevent attacks in the first place, to detect intrusions, to respond to issues, and to recover quickly. That work is enhanced through our work within industries and across sectors and with the strong support from government partners at all levels.”

Recently, EEI also joined the American Public Power Association (APPA) and the National Rural Electric Cooperative Association (NRECA) on a letter to Senator Edward Markey (D-MA), responding to a letter he wrote regarding cybersecurity of the energy grid and referencing recent media stories on Russian targeting of critical infrastructure. “Our members were aware of this threat because of outreach from our federal partners,” the joint EEI-NRECA-APPA letter says. “Immediately, we worked across the industry and with government security professionals to increase security measures and to monitor the threat.” The letter also outlines the industry’s many activities over the last five years to enhance the security of the energy grid.

Delivering Innovation
Electric Companies’ Investments Safeguard the Grid for Customers

​Investing in a robust, flexible, dynamic, and secure energy grid is a multi-billion-dollar, multi-year effort. In addition to the industry’s substantial investments in energy infrastructure to ensure that energy gets where it is needed, when it is needed, the electric power industry is making significant investments to harden the energy grid to make its infrastructure more resilient and to strengthen its defenses against cyber and physical threats. 

Electric companies invested a projected $57.2 billion in the energy grid’s transmission and distribution infrastructure in 2017. These investments enhance the energy grid and further support grid security efforts.

Read how electric companies’ investments in smarter energy infrastructure and deployment of game-changing technologies benefit customers in many ways on EEI’s Delivering the Future​ site.

What We’re Reading
DHS’s Chris Krebs on Collective Cyber Defense

​“As we gained a better understanding of the adversary’s actions, it became clear that delineations between economic sectors were becoming less important,” writes Christopher Krebs, Undersecretary for the National Protection and Programs Directorate, Department of Homeland Security, in Electric Perspectives​.

“Underpinning services inextricably link the critical functions that drive the economy. If those services are vulnerable, multiple sectors are vulnerable. At a national or regional level, visibility into those foundational services increasingly is more relevant to understanding the threat landscape than simply securing the individual assets or facilities that traditionally have defined critical infrastructure protection efforts.”

Read more.

EEI President Tom Kuhn
Defending the Grid

​"Every second of every day, America’s electric companies are delivering energy to their customers that is reliable, affordable, safe, and increasingly clean. This energy drives our economy and enables our way of life, and providing reliable service is a responsibility electric companies take very seriously," writes EEI President Tom Kuhn in an op-ed in The Ripon Forum.

"This includes protecting the energy grid from cyber-attacks, which are increasing in frequency and sophistication. As these threats evolve, so, too, do our security strategies, which are closely coordinated with the federal government through a partnership called the Electricity Subsector Coordinating Council."

Read more.

ConEdison CEO John McAvoy
Cyber Information Sharing

“Sharing information about cyber and physical security threats is critical to protecting the energy grid, national security, and public safety. The Electricity Information Sharing and Analysis Center (E-ISAC) plays an integral role in ensuring the right people have the right information at the right time,” writes John McAvoy, Consolidated Edison chairman, president, and CEO, and co-chair of the E-ISAC Members Executive Committee, in the latest issue of Electric Perspectives.

“The E-ISAC serves as a critical link between our industry and the Department of Energy. The E-ISAC, operated by the North American Electric Reliability Corporation, collects, analyzes, and shares security data across all segments of the electric power industry and throughout North America. This includes information on how to safeguard critical assets from cyber threats, as well as intelligence from government partners on what would-be attackers may be plotting.”

Read more.

AEP CEO Nick Akins
Strengthening Partnerships with State Government Leaders

​“The Electricity Subsector Coordinating Council (ESCC) has a close partnership with the federal government. The ESCC now is building on that model to engage more directly with governors and other state and local leaders,” writes Nick Akins, American Electric Power chairman, president, and CEO, in Electric Perspectives. “We all have a shared responsibility to prepare for and respond to threats facing the critical infrastructure we operate.”

Read more.

PPL Corporation’s Bill Spence
Resilient Communications Are Critical for the Electric Power Industry

“Over the course of my career, I have participated in dozens of preparedness exercises that have tested how our sector would respond to a major incident or disaster that causes widespread power outages,” writes William Spence, PPL Corporation chairman, president, and CEO, in Electric Perspectives.

“These exercises are a key part of how we plan for emergencies, and many have led to significant changes in how we protect the energy grid…. The Electricity Subsector Coordinating Council and leaders from across the industry have made it a priority to ensure that we have access to communications capabilities that are both resilient and reliable.”

Read more.

Future Focus
Our Public Policy Platform

Electric companies are laser-focused on safeguarding the energy grid, and it’s critical that the right public policies are in place to help them maintain and strengthen the grid’s resilience against cyber and physical attacks. Some of the key building blocks of a more dynamic, more resilient, and more secure energy grid are:

  • ensuring that policymakers, stakeholders, and customers understand the value of the energy grid;
  • reinforcing industry efforts to strengthen grid security defenses by expanding and building upon the industry’s partnership with the federal government;
  • allowing electric companies to plan, build, and operate the energy grid as a platform to integrate a diverse set of emerging technologies;
  • supporting public policies that promote investment in new grid technologies while balancing security risk, operational efficiency, and customer costs;
  • encouraging expanded partnerships between the electric power industry and leading technology companies to bring tomorrow’s technologies to customers today; and
  • supporting federal research and development on grid security technologies and expediting technology transfer to the private sector.

Learn more in EEI’s factsheet.
