06.11
Raising Priority for Cyber Security in the Electric Utility Sector’s C-Suite
by Dan Skaar, President/CEO of Midwest Reliability Organization
Since 2008, I have seen numerous
reports and articles which highlight the lack of
attention cyber security is receiving from the
electric utility industry. The fact is:
cyber security is receiving a lot of attention in the
industry through Critical Infrastructure
Protection (“CIP”) standards which are mandatory
in the United States and applicable in most of
Canada. However, it may not be getting the
attention of all top utility executives. For
example, a 2010 Black & Veatch survey of the
U.S. electric power industry entitled, “Fourth
Annual Strategic Directions in the Electric
Utility Industry,” showed that security and
technology are considered “…lower in priority
than many of the other strategic issues
addressed in the survey.” The survey also found
that, “…while 65 percent of ALL respondents
believe the reports that the U.S. transmission
grid had been hacked, until the lights go out,
cyber security remains principally a ‘potential’
threat.” While the CIP standards are enforced
in the United States with up to one million
dollars per day in penalties, financial
penalties should not be required to get the
attention of the C-suite. So, what are the
missing ingredients to raise its priority? It’s
simple:
- First, we need to identify cyber security as a public safety issue, not an IT problem
- Second, we need more transparency on the threats

From my perspective, cyber
security for our industry is a matter of
securing the systems that control the assets
from unauthorized or inadvertent access. In
nearly all cases, system assets are controlled
by a Supervisory Control and Data Acquisition (SCADA)
system (the central nervous system of the Bulk
Electric System). And, just like the central
nervous system of humans, nothing works without
it. Without power, there is significant risk to
our economy and society. So, securing the
electric infrastructure is a matter of public
safety. A lack of system protection on a cyber
level goes far beyond an IT problem or a matter
of avoiding financial penalties — it’s vital to
the long term health of our infrastructure and
more.
Transparency is another key.
The transparency between physical and cyber
threats is not the same. This case has been
clearly laid out by former NSA and CIA Director,
Retired General Michael Hayden, in his paper
titled, “The
Future of Things ‘Cyber’,” published by
Strategic Studies Quarterly. In his paper,
Gen. Hayden asserts that part of the problem
with cyber security is that the government does
not provide as much transparency about cyber
threats compared to physical threats. He
states, “Let me be clear: This stuff is
overprotected. It is far easier to learn about
physical threats from U.S. government agencies
than to learn about cyber threats.” The
government can help make a compelling case for
more attention to cyber threats by sharing more
information. I believe that when the industry
has more facts about the real threats, both past
and potential, we will close any gaps with the
executive suite.
In my experience, I have rarely
encountered any executive who, given the facts
and the risk, has not taken appropriate action.
In our industry, cyber security is
about public safety and our economic security.
We can all rally around that.

Opinions expressed are the
author's and not those of IEEE or IEEE-USA.
Dan Skaar is President and
CEO of Midwest Reliability Organization (MRO),
which ensures the reliability of the bulk
electric system for the upper Midwest region of
the United States and Canada under delegated
authority from the North American Reliability
Corporation or through arrangements in the
applicable provinces in Canada. In this role,
Dan oversees MRO's regulatory operations, directs
its strategy and financial management, and is
very involved in the regulatory changes of the
electric sector impacting reliability.
Comments may be submitted to
todaysengineer@ieee.org.