As the global community continues to grapple with the coronavirus (COVID-19), the Atlantic Council is open for business. Our business, meetings, and events, however, are occurring virtually. For more information, please read an update from our President and CEO.
The energy industry is in the midst of a technological revolution. Over the next two years, 2.5 billion industrial devices will be connected to the energy industry’s critical infrastructure. The energy transition is enabling a more distributed and interconnected ecosystem, but at the same time, new digital connections can expose utilities, energy companies, and critical infrastructure operators to cyberattacks. Utilities of all sizes can ensure a secure energy transition by implementing innovative cybersecurity solutions, which provide the monitoring and the visibility necessary to protect the grid at-large.
Energy companies, grid operators, and policymakers have an opportunity to proactively address vulnerabilities that can lead to cyberattacks. To accomplish this, the public and private sectors must work together to forge new partnerships, invest in advanced, cutting-edge technologies, and prioritize smart cybersecurity policies.
On Thursday, October 1, 2020, the Atlantic Council Global Energy Center and the Scowcroft Center for Strategy and Security Cyber Statecraft Initiative hosted a panel discussion on cybersecurity solutions for grid resilience in the context of the energy transition. Trey Herr, director of the Cyber Statecraft Initiative at the Scowcroft Center, moderated the discussion. The event featured: General Wesley Clark (US Army, Retired), chairman and chief executive officer of Wesley K. Clark & Associates; Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy; Gil Quiniones, president and chief executive officer of New York Power Authority (NYPA); and Joy Ditto, president and chief executive officer of American Public Power Association (APPA). The panelists discussed the issues for grid cybersecurity in the face of a rapidly changing energy system.
General Clark opened the conversation by emphasizing that the US electricity grid’s vulnerability to cyberattacks serves as one of the greatest national security threats for the country today. Clark described the US electricity grid as “at the heart of America’s infrastructure,” responsible for powering critical assets such as the transportation network, pipeline network, aviation industry, and shipping.
The panelists discussed the impact of the energy transition on electricity grid cybersecurity. Simonovich framed the rapid changes to the US energy grid as part of a broader “energy revolution” characterized by a “more distributed, more decentralized, and more efficient” energy grid. However, recent extreme weather events underscore the growing pressure being placed on the energy grid. Simonovich pointed to outdated assets and heterogenous technologies as representative of a large-scale security architecture problem that leaves the US energy grid susceptible to massive blackouts.
In drawing upon his experiences at NYPA, Quiniones highlighted the role of innovation as a leading factor facilitating the shift from one-way power flow to an intelligent, clean, and integrated energy network. While he acknowledged the benefits of moving from a one-way to a multi-flow system, Quiniones also recognized that infrastructural changes increase the energy grid’s threat surface. In Quiniones words, “electricity is like the oxygen of the economy,” and so a targeted attack orchestrated by a hostile state or non-state actor on the US energy grid could have far-reaching physical consequences: an attack on a bulk power system could compromise every dependent system. Quiniones called for “collective preparation, collective defense, and collective response” to ensure grid security. Ditto added that many grids still use legacy systems—dated infrastructure out of tune with the most recent technology—which will need to be modernized and securitized in the future to protect against cyberattacks.
General Clark continued to expand on the definition of cyber threats. Hostile actors have developed the capability to access and damage electrical grids through the Internet. As of now, a small number of transformers manage between 60-70 percent of the total power in the United States. If breached, vulnerable nodes in the system could take down transportation, communication, and pipeline networks. The global energy transition multiplies this complexity and increases the number of attack surfaces within the US energy system.
General Clark and Simonovich then turned to the technologies necessary to protect grid infrastructure. From a military perspective, General Clark affirmed that the Department of Defense has dedicated significant resources to hardening network and communication infrastructure through advanced levels of encryption. However, technological innovation can only go so far when legacy systems cannot incorporate new technology. General Clark emphasized the need for warning systems and quick disconnects to prevent an attack or overload on one part of a network from disrupting the larger energy system. Simonovich underscored the need for visibility: “the central problem is that of visibility; we cannot protect what we cannot see.” A security solution would require a combination of technical and human resources to build a monitoring system to understand the most pressing cybersecurity risks.
Panelists then underlined the unique challenges facing small to medium-sized utilities as they strive to balance protecting critical infrastructure with goals of long-term sustainability. Ditto relayed that while cybersecurity remains an important consideration, the most critical issue facing power companies is ensuring situational awareness and information sharing with the government. Grid fragmentation, according to Ditto, can thus positively impact cybersecurity by preventing bad actors from targeting the entire energy system at once. Quiniones discussed the need for improved public-private coordination and communication, while Simonovich stressed the need to bring solutions to market in a faster, more affordable manner.
With regard to energy resilience, Quiniones affirmed that there are already protocols in place to manually operate the grid in the event of a catastrophe. General Clark continued on this point, drawing attention to the trade-off between efficiency and security. While grid fragmentation would afford positive security elements, there would be an increased need for workforce training and preparation to accommodate changes to the operational environment. General Clark stressed the need for a national security apparatus to support the grid, while both Ditto and Simonovich highlighted the role of utilities in leading the development of security technology.
Quiniones concluded with a positive projection for the future, explaining that strong momentum exists in the push towards collective preparation for cyberthreats.
A conversation with
General Wesley Clark (USA, Ret.)
Chairman and Chief Executive Officer
Wesley K. Clark & Associates
Vice President and Global Head of Industrial Cyber and Digital Security
President & Chief Executive Officer
New York Power Authority (NYPA)
President and Chief Executive Officer
American Public Power Association (APPA)
Director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security