The Power Grid Is Evolving. Cybersecurity Must Too

October 6, 2019, 10:00 AM UTC
NEW YORK, NY - MARCH 15: A Con Edison power plant stands in a Brooklyn neighborhood across from Manhattan on March 15, 2018 in New York City. As US officials step up sanctions on Russian intelligence for its interference in the 2016 elections, members of the Trump administration have accused Russia of a cyber-assault on the domestic energy grid and other key parts of America's infrastructure. (Photo by Spencer Platt/Getty Images)

It is no secret that foreign adversaries are becoming increasingly aggressive in attempting to infiltrate America’s critical infrastructure systems. At the Federal Energy Regulatory Commission, or FERC, we are charged with overseeing the development and enforcement of cybersecurity standards for the nation’s high-voltage transmission system. Financial penalties for non-compliance are an important part of these mandatory cybersecurity standards.

Notably, electric transmission is one of only two critical infrastructure sectors subject to federal cybersecurity standards that are both mandatory and enforceable. These standards are key to fostering the culture of executive engagement and commitment to excellence in cybersecurity preparedness that we see in the industry today.

Securing our nation’s critical infrastructure is a complex and multi-faceted problem. But simply piling on more mandatory standards on industry isn’t the solution. Instead, I believe that technological advancement will play a critical role in building the stronger and more secure grid of tomorrow. To allow for that innovation to flourish, we as regulators must continually evaluate our rules, ensuring that utilities can both harness the benefits of new technologies and mitigate associated risks.

Technological advancements for the grid can cut both ways. On one hand, they can help streamline utility operations, resulting in reduced costs for customers. Yet on the other hand, they can introduce new vulnerabilities into a system that is critical to the safety, economic prosperity, and national defense of the American people. Take, for example, cloud computing. When it comes to the smart grid devices that generate huge amounts of data, third-party cloud storage can provide significant cost savings. However, using the cloud to store potentially sensitive data about our electric grid may create additional vulnerabilities if not managed properly.

Fortunately, there are a few things we can do to address the double-edged sword of technological progress. Cybersecurity standards must clearly address new technologies and help define when and where these technologies could be used. To continue with the example of cloud computing, more research needs to be conducted to determine if the most critical systems, such as those used for real-time operations, could be used in the cloud. The consequences if these systems fail or are compromised could potentially be catastrophic. Until we have more experience with cloud technology, it may be prudent to limit its use to things like long-term planning or asset management activities that take place over the course of weeks or months.

Perhaps even more importantly, cybersecurity standards must provide reasonable assurance that known risks are being mitigated. For example, supply chain controls, such as conducting background checks on contractors and encrypting sensitive data, could be used to enhance the security and availability of third-party systems. Regardless of the application, standards must be crafted to provide a framework for robust cybersecurity practices that can address the variety of threats and vulnerabilities that face each utility.

Finally, cybersecurity standards must be flexible. Technology is constantly changing, sometimes faster than the standards process can keep up with. This requires standards that can adapt to accommodate these incremental advances.

Achieving these objectives will require regulators to engage in a continuous cycle of information gathering and action. First, we must stay engaged with industry to understand the evolution of new technologies and how utilities are adjusting to those trends. Cybersecurity is so dynamic that we can’t afford to move at the speed of government; instead, we must constantly engage with our industry counterparts to stay ahead of the curve. Second, after identifying a potential need for action, we must employ the right process. This might range from directing the modification of a mandatory standard to convening a formal working group to study an issue further. The most important thing is that we keep moving the ball down the field in a thoughtful way.

Whatever the issue, we all must be clear-eyed about cybersecurity threats and not rest on our laurels. The electric grid is far more secure than it was a decade ago. But know this: Our adversaries will not rest. Neither can we.

Neil Chatterjee has been a member of the Federal Energy Regulatory Commission since August 2017, and has served as its chairman since October 2018. Prior to joining FERC, he was energy policy advisor to U.S. Senate Majority Leader Mitch McConnell.
