Wednesday, December 07, 2011

MIT Recommends Single Agency to Manage Cyber Security Threats for Electricity Grid

The Massachusetts Institute of Technology released a report on Monday that discusses the future challenges facing the U.S. electricity grid and several recommendations for how to best manage them. The researchers found that one of the most notable challenges facing the electricity grid is the threat of cyber attack.

MIT writes in the report:
Perfect protection from cyberattacks is not possible. There will be a successful attack at some point.
This is a huge threat to the grid because a cyber attack in one area has the ability to affect other areas very rapidly, which could greatly disrupt power supply all over the country. Cyber attacks are also considered by the Pentagon to be an “act of war,” said the MIT researchers at a National Press Club event this week.

To best manage this issue, MIT recommends that:
The federal government should designate a single agency to have responsibility for working with industry and to have the appropriate regulatory authority to enhance cybersecurity preparedness, response and recovery across the electric power sector, including both bulk power and distribution systems.
But which agency should be tasked with this authority? CNET’s Don Reisinger writes:
The Obama administration has argued in the past that the Department of Homeland Security should be charged with securing the electrical grid, while many members of Congress have called on the Department of Energy or Federal Energy Regulatory Commission [FERC] to take over. So far, a decision hasn't been made, and MIT researchers didn't provide insight into which organization might be best.
Although the MIT researchers believe that a single agency should be tasked with overseeing these efforts, the nuclear industry believes that the U.S. Nuclear Regulatory Commission has extensive regulations already in place for protecting nuclear energy facilities from cyber attack and that regulatory oversight by other agencies would be “unnecessary and duplicate strict NRC oversight.” In response to the White House’s proposal for DHS to manage a cyber security program, NEI writes:
However, this proposal—along with recent efforts to legislate cyber security for critical infrastructure—is not needed for nuclear plants because NRC regulations and oversight of industry actions to respond to cyber threats. Additional regulation would be duplicative and risk creating inconsistencies in requirements.
Some of you may remember NEI’s cyber security expert Bill Gross who posted in October on the House Republican Cybersecurity Task Force’s recommendations. He had this to say about the MIT’s recommendation:
The U.S. Nuclear Regulatory Commission has mandatory cyber security requirements in place for all power plants. While there may be value in a central coordinating authority, the regulators of jurisdiction have the subject matter expertise to manage the cyber security issue. Any centralized role should be focused on minimizing the potential for dual or duplicate regulatory requirements across sectors.
The industry does agree with MIT, however, that cyber attacks are one of the greatest threats facing the electric power industry today. Exelon Nuclear’s President and Chief Nuclear Officer Mike Pacilio commented on current cyber security programs in place in the nuclear industry in a recent video interview at the 10-year anniversary of September 11.
All of our plants today, not only Exelon, but in the industry, have a very comprehensive cyber improvement program where we are essentially making our plants an island. Any of the controls that interface with the Internet, for example, that could possibly control the reactor are not connected.
See NEI’s website for more information on cyber security programs in the nuclear energy industry.

Among MIT’s other recommendations outlined in the report are:
  • To facilitate the integration of remote renewables, the Federal Energy Regulatory Commission should be granted enhanced authority to site major transmission facilities that cross state lines.
  • To improve the grid’s efficiency and lower rates, utilities with advanced metering technology should begin a transition to pricing regimes in which customers pay rates that reflect the time-varying costs of supplying power.
  • To improve utilities’ and their customers’ incentives related to distribution generation and energy conservation, utilities should recover fixed network costs through customer charges that do not vary with the volume of electricity consumption.
  • To make effective use of new technologies, the electric power industry should fund increased research and development in several key areas, including computational tools for bulk power system operation, methods for wire-area transmission planning, procedures for response to and recovery from cyber attacks, and models of consumer response to real-time pricing.
  • To improve decision making in an increasingly complex and dynamic environment, more detailed data should be compiled and shared, including information on the bulk power system, comprehensive results from “smart grid” demonstration projects, and standardized metrics of utility cost and performance.
For more information on MIT’s research, see the full report, “The Future of the Electric Grid.”

Image credits: From the Department of Homeland Security’s Web page on Cybersecurity.

No comments: