Lieberman-Collins bill balances cyber security with grid reliability
Critical infrastructure companies, including utilities, may soon receive Federal guidance on cyber security best practices, an issue that many utilities have struggled with as they look to balance smart grid security and reliable electricity delivery.
The bill, co-sponsored by Senators Joseph Lieberman and Susan Collins, would provide incentives for the United States' most important industries to beef up cyber security precautions. Although it originally proposed the creation of mandatory cyber security measures by the Homeland Security Department, it has since undergone a flurry of amendments and been reshaped as a voluntary measure.
The bill went before the Senate on August 2, but failed to recieve enough votes to overcome a Republican filibuster. The bill now cannot be considered until Congress returns from its summer recess in early September. In the meantime, the issues raised by the bill remain relevant for utility companies.
Solving a Complex Issue
Adequately securing critical infrastructure against cyber-attacks -- a topic that ranges from malicious outside hacks, to compliance failures within utilities -- has been an issue in the utility industry for nearly 25 years.
"This is the most complex problem in the world to solve," said Dave Madden, a smart grid expert at security company SafeNet, in an interview with FierceSmartGrid. "People have been trying to do it for a long time."
The Lieberman-Collins bill has seen support from the White House and software security company Symmantec, among others. It has also faced criticism from IBM and the U.S. Chamber of Commerce, according to The Hill.
Madden estimated that the energy industry is running nearly 10 years behind government and financial industries in terms of cyber security, and added that utilities are too often forced to split their focus between security and reliability, resulting in grid vulnerabilities.
But Sam Sciacca, an IEEE smart grid expert, said utilities understand that these elements must work together.
"I don't think that any company would say that good cyber security policies would have a negative impact on reliability," Sciacca said, in an interview with FierceSmartGrid.
Dave Madden estimates that the energy industry is running nearly 10 years behind government and financial industries in terms of cyber security.
However, while reliability and security are not mutually exclusive, it is plausible that overzealous security programs could reduce reliability. For example, Sciacca suggested that a utility substation could be so secure that individuals are prevented from accessing the facility in the event of an outage.
"Utilities are constantly trying to find the correct balance of creating a system that has the intended effect of maintaining cyber security but does not have the unintended consequence of preventing authorized personnel from getting in there and doing their jobs," Sciacca said.
Currently, utilities must comply with the North American Electric Reliability Corporation's (NERC) Cyber Infrastructure Protection (CIP) policies. Given the energy industry's complicated regulatory structure it is unclear how a Federal mandate would affect the cyber security debate.
"I don't think it can be federally regulated simply because of the structure of regulation in the electric utility industry," Sciacca said.
Madden said he believes that Federal guidance will be helpful to utilities that often lack the internal security expertise to properly implement security precautions.
"The legislation gets people that best practice bar that they are trying to hit," he said. "Without that focus, utilities will focus on other things."
What is clear is that any solution will need to be applicable to the widening range of cyber threats facing the energy industry.
"The scenarios are so varied that the best you can really do is produce something that discusses overall objectives," Sciacca said.