DOE, industry to prepare cyber emergency plans

Source: Peter Behr, E&E News reporter • Posted: Thursday, September 6, 2018

The Department of Energy and U.S. grid operators need detailed emergency operating plans to combat a state-backed cyberattack, says a former Defense Department official.

Further, he says, “harsh and politically contentious” options should be on the table when there’s a cyber crisis to ensure the power is left on for critical military, energy and public safety needs.

Doing so would necessarily leave some lower-priority customers of all kinds without power, or facing rolling blackouts, until the crisis was over. But that could prevent the beginnings of an attack from causing cascading failures, while limiting damaging outages, Paul Stockton, former assistant DOD secretary for homeland defense, said in a paper published by the Johns Hopkins University Applied Physics Laboratory.

“Government officials — and, ultimately, the president — should make such decisions and provide political top cover and liability protections for power companies that implement them,” Stockton said.

“One of the interesting hypothetical situations is, if one city is completely unoperational [after a cyberattack] and another is 100 percent, who decides to take from the one and make two that are 50 percent? That isn’t a decision industry wants to make or is equipped to make,” said Scott Aaronson, the Edison Electric Institute’s vice president for security and preparedness.

DOE and electric power companies are working with the North American Transmission Forum to develop a series of action plans that the Energy secretary would use in ordering emergency actions, Aaronson said. The forum is an industry group working on transmission technology and policy.

The project’s first product will be emergency operating plans to respond to a massive solar storm triggering electromagnetic disturbances that could black out large parts of North America and potentially disable transformers. That was a good place to start because the extensive research already done on the threat will guide the response planning, Aaronson said.

“We will build out teams to look at the various scenarios and build out templates,” said Aaronson, who is also secretary of the Electricity Subsector Coordinating Council, the highest-level government and industry cybersecurity strategy panel. The timing of these reports isn’t settled. “It’s up to the engineers,” he said.

“This will never be a process that’s finished,” he added.

For a decade, power companies have been strengthening defensive shields against cyberattacks, following mandatory rules in the case of regulated companies and voluntary guidelines for the others.

Stockton said his paper, based on interviews with government and industry experts, is meant to help the sector prepare for attacks that get through.

Road map of options

In 2015, Congress gave the secretary of Energy broad authority to direct power company operations during a presidentially declared grid emergency. But it provided little guidance about what DOE orders should do, said Stockton, managing director of security consulting firm Sonecon LLC and an adviser to Exelon Corp. and other energy companies.

“The secretary of energy’s new authorities are so vast that they entail a potential risk: issuing ill-conceived, poorly coordinated emergency orders could hurt rather than help power company operations,” Stockton wrote.

“DOE and industry have only begun to figure out how to use this authority to actually be helpful during cyberattacks as opposed to getting in the way, or worse,” he added in an interview. He called on DOE and energy companies to create an emergency playbook of grid defensive moves, a road map of options to use before, during and after a major cyberattack.

“You can’t wave a magic wand and use this authority,” Aaronson said. “It has to have a process behind it. What we don’t want to do is write these orders in the middle of these incidents.”

Aaronson said Stockton’s report is important “because it brings together in one place a lot of the considerations regarding the president’s and the secretary of Energy’s new emergency authority.”

Utilities should develop methods for running their power operations when international cyber tensions increase, Stockton said — for example, keeping some power plants that are not needed for normal operation in active standby status to speed a response to an attack.

The planning would also speed recovery after a natural disaster that takes down transmission lines or gas pipelines, Stockton said. Potential attackers who realize recovery has been planned for could be deterred, he said. “If we can really get the bulk [interstate] power back on quickly and sustain flows to critical facilities, it makes attacking it a lot less tempting,” he said.

As the plans take shape, DOE and the industry may need to return to Congress for more legislation on potential legal vulnerabilities for power companies taking emergency actions, and for additional financial support, Stockton said.

Threat headlines

The potential threat of cyberattacks on the nation’s critical energy infrastructure jumped back into headlines last month following a series of unusual unclassified public briefings by the Department of Homeland Security.

Jonathan Homer, chief of the industrial control systems group at DHS’s Hunt and Incident Response Team, said a wide-ranging intrusion attack that, according to federal officials, originated in Russia had hit an unspecified number of U.S. energy facilities over the past year.

“They got to the point that they could turn the switches” to shut down equipment, Homer said. The Russian government has denied responsibility.

After an alarming response to that disclosure, DHS clarified that only a single U.S. generator suffered a breach of its control systems — a small wind turbine installation, whose loss would have posed no threat to the surrounding grid, officials said (Energywire, Aug. 1).

That conclusion was repeated yesterday by EEI and the nation’s two other major electric power groups, the National Rural Electric Cooperative Association and the American Public Power Association, in a letter to Sen. Ed Markey (D-Mass.) responding to his query about the DHS briefing.

The intrusion campaign was detected last summer, triggering alerts to U.S. power companies, the groups said (Energywire, June 27, 2017). The DHS briefing, they said, “rehashed the event from a year ago — there was no new security incident.”

“Clarifications aside, the threat from nation states, such as Russia, and from many other adversaries that may wish to harm the energy grid, is real and growing,” the organizations’ letter said.

“There absolutely are situations where some pretty sophisticated campaigns are trying and failing,” Aaronson said in an interview. “Sometimes they are trying, succeeding and getting caught, and are remedied.”

Energy consultant Tom Alrich, who writes a blog on grid security regulation, noted that DHS’s account of the attack had changed several times within a week and speculated on whether that revealed differences within DHS about the handling of the threat.

“I find it hard to believe that it’s just the normal fog of war that led to these contradictions. In any case, a single definitive statement of what happened, issued by someone presumably above the fray and the factions, could settle this,” he said.