WASHINGTON — Despite rising anxiety over the possibility of a cyberattack on the power grid, the industry and government are not set up well to counter the threat, according to a report produced by leading energy security experts.
Companies are reluctant to share information with one another, a critical step in reducing vulnerability, because they are afraid of being accused of failing to comply with cybersecurity rules, committing antitrust violations, or giving away proprietary information, the report found.
And federal rules intended to protect the electric system from cyberattack are inadequate because they do not give companies an incentive to continually improve and adapt to a changing threat, according to the report, released Friday.
The report was produced by the Bipartisan Policy Center, a Washington nonprofit group, and led by Michael V. Hayden, a former CIA director; Curt Hébert Jr., a former chairman of the Federal Energy Regulatory Commission; and Susan Tierney, a former assistant energy secretary and former utility regulator in Massachusetts.
The experts also found that while the government had focused on the high-voltage power grid, less work has been done on the lower-voltage distribution system, where problems could originate and propagate up the chain.
Cyberwarfare is “a domain that favors the attacker,” Hayden said in a panel discussion Friday. But he said the United States could reduce its vulnerability and improve its ability to recover. He even quoted a line spoken by John Wayne in the film “Sands of Iwo Jima”:
“Life is tough, but it’s tougher if you’re stupid.”
Most hacking against utilities is done by people who are trying to steal financial data, including that of customers, but experts fear an act of war, or what Hayden called “recreational espionage.”
Not even public utility commissions are well set up for new problems, the report said. Regulated utilities can add security costs to the expenses for which they bill their customers, if the regulators find the expenditures “prudent,” but “many regulators lack the expertise to make these judgments,” the report said.
And many entities on the grid are unregulated in a competitive market, which may make it hard for them to recover their costs.
The report recommended establishing a group like one set up after the Three Mile Island accident in 1979 by the nuclear industry, the Institute of Nuclear Power Operations, to conduct peer-to-peer audits and disseminate best practices.
Outside experts who were not involved with the report endorsed some of its findings. Samuel P. Liles, an associate professor at Purdue, where he works in the Cyber Forensics Laboratory, said that sharing best practices was “a hit or a miss,” although threat information was shared.
At the Utilities Telecom Council, a trade association of electric and water utilities, Nadya Bartol, a cybersecurity expert, said the report was correct in asserting that utilities might not always come forward with helpful information.
“If utilities say, ‘I have this vulnerability,’ they might get fined if that’s a violation,” she said. And they may hesitate to talk about their vulnerabilities because, “if I put it out in the public space, I will get hacked more.”
The report raised the issue that public utility commissioners, who decide which utility expenses are “prudent” and eligible to be passed on to customers, have trouble determining the value of such investments. At the National Association of Regulatory Utility Commissioners, a nationwide organization of state commission members, Miles Keogh, coauthor of a paper on evaluating such investments, said commissioners should approach the problem as a management audit and not get into the details of security.