Cyber Security and the North American Electric Grid
On April 16, 2013, the Canada Institute hosted its fourteenth Cross-Border Forum on Energy Issues. This year’s program, “Cyber Security and the North American Electric Grid,” assembled key stakeholders, academics, and government policy makers for an off-the-record discussion on the vital but potentially vulnerable electric grid shared by Canada and the United States. The assembled participants concluded that, despite decades of cooperation, more must be done to confront emerging cyber security issues in the energy sector.
Government representatives, industry stakeholders, and independent experts are optimistic about the ability of Canada and the United States to promote an infrastructure security dialogue and undertake joint approaches to tackle new challenges to the North American energy industry. However, companies and governments must change their mindsets if they are to meet the ever-increasing threat that cyber attacks pose. Governments must incentivize companies to share information on threats and attacks and institute strict privacy controls on information received. For their part, private companies should trust that sharing information with the government will lead to more effective cyber security and should therefore share information as it becomes available. Thwarting cyber attacks demands communication and collaboration on three levels: between governments, within government, and between government and industry. The depth of communication between these levels must increase if we are to meet the threat that cyber attacks pose.
Participants noted that the North American electricity sector is currently the only critical infrastructure sector with mandatory and enforceable cyber security standards in place. The organization responsible for developing these standards – the North American Electric Reliability Corporation (NERC) – is continually refining them, with the fifth iteration set for approval by regulatory authorities in the near future. However, stakeholders acknowledge that no single standard or set of standards is adequate to fully guard against all potential cyber threats and that the industry’s defenses must keep pace with a continuously shifting threat environment.
As threats change and take on new forms, solutions must also be more adaptable in order to be relevant, responsive, and effective. Although simulations are effective in helping to prepare responses to potential challenges, real-time solutions must take precedence. Participants concluded that further joint action is needed to address challenges confronting the North American energy sector. This collaboration will also ensure that the North American energy market remains reliable and strong.
Watch speaker Mark Fabro of Lofty Perch discuss cyber security.
- CEA's North American Policy Paper
- CISPA Myths and Facts
- Cyber Intelligence Sharing and Protection Act (CISPA)
- NIST Prelim Cyber Framework_10-24.pdf
North American electric utility associations issued joint comments in response to the NIST cyber framework "Request for Information."
On April 9, North American electric utility associations issued a joint letter in support of CISPA.
FERC Commissioner Cheryl LaFleur issued a statement on April 18 concerning the reliability orders issued by FERC, which include an approval of the Version 5 cyber standards. She references the CEA-Canada Institute Cross-Border Energy Forum on Cyber Security and the North American Electric Grid.
On October 22, the National Institute of Standards and Technology released its "Preliminary Cybersecurity Framework". NIST will open a 45-day public comment period prior to releasing the official framework in February 2014, per Executive Order 13636.