The Distribution Grid Gap on Cybersecurity
Power grid resilience and security are front-and-center in national policy debates. However, the focus on saving uneconomic generation resources (i.e. coal and some nuclear units) takes attention away from more relevant concerns, such as insufficient distribution grid cybersecurity protections.
The distribution grid is becoming more digital and dynamic, as smart grid devices enable two-way communications, and customers are increasingly using on-site generation, software-based energy management tools, and a plethora of internet-of-things appliances. This innovation is positive, yet exposes the grid to additional vulnerabilities.
Most outages on the power grid are related to transmission and distribution system issues (not generation outages). By number of events, most outages occur on the distribution system, with local and limited impacts. Less frequent occurrences of transmission level outages impact a greater number of people.
However, attacks on the distribution system could increasingly reach beyond local impacts. Simultaneous attacks on several distribution utilities or coordinated attacks on a single utility in multiple locations could create widespread outages. These outages could cut power to other critical infrastructure—like water, telecommunications, pipelines, etc.—compounding damages.
In addition, cyber intrusion at the distribution level raises concerns about customer data privacy, potential infiltration of industrial control systems, and other negative outcomes.
And, the distribution grid may present the easiest “target” for attackers, given the lack of cyber protection requirements.
Generation and high-voltage transmission represent the “bulk power system.” Enforceable cybersecurity regulations—called critical infrastructure protection or CIP standards—are developed by the North American Electric Reliability Corporation (NERC) to protect the bulk power system. Utilities (or other entities) with assets that if disrupted would impact the bulk power system are required to comply with the CIP standards.
Transmission (intrastate) and distribution systems are regulated at the state-level by public utility commissions, or by local boards or commissions for rural or municipal cooperatives.
A 2014 study by NRRI estimated only 10 to 20 percent of grid assets are covered by NERC’s CIP standards.
Most of the non-covered assets likely fall under state jurisdiction. A distribution-level substation may not be subject to NERC CIP standards because it exists outside of the bulk power system. However, a successful intrusion at the distribution level has the potential to impact the bulk power system. For example, the December 2015 Ukrainian power outage affecting over 230,000 people originated from cyberattacks on distribution system elements.
The approach to state-level cybersecurity regulation is surprisingly inconsistent, with variation between and within states. In fact, there are no minimum cybersecurity standards in place that all distribution utilities must follow. In general, there are at least two standards potentially available for use.
- NERC CIP Compliance. Some states require utilities not typically subject to NERC CIPs to comply with these standards (i.e. FERC Order 706), or uses NERC CIP standards as benchmarks to evaluate utility cybersecurity plans. This approach may be expensive to extend to the low-voltage system.
- Risk-Based Approach. This involves determining priority actions and investments based on an assessment of system-specific vulnerabilities. The NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC’s Reliability Assurance Initiative represent risk-based approaches.
In addition, utilities can use the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to evaluate cybersecurity shortcomings.
As distribution grid modernization advances and distributed energy resources proliferate, so will cyber security vulnerabilities. Distribution-level threats may increase the probability of bulk power system impacts and will raise questions about the line between state and federal jurisdiction in ensuring cybersecurity.
Larger, investor-owned utilities are more capable of and likely to take meaningful action to reduce cyber threats, as a portion of their assets are undoubtedly subject to NERC compliance.
According to the NAS, in 2016 there were 1,954 electric utilities, of which 174 were investor-owned utilities delivering 68 percent of electricity service to retail customers. Approximately, 809 rural cooperatives, 827 municipal utilities, and other publicly owned utilities delivered 13 percent, 12 percent, and 6 percent of electricity to retail customers, respectively.
In other words, it is a target-rich environment for malicious actors.
There is significant room for improvement in developing and enforcing minimum cybersecurity standards for distribution utilities, which may include providing regulators with new authorities. The approach to defending smaller municipal, rural cooperative, and other publicly-owned utilities may prove most challenging.
Meeting such minimum standards may not be cheap, and many other complexities beyond costs are involved. The public benefit of having a secure grid warrants ratepayer cost recovery, and potentially even return on equity incentives to go beyond minimum compliance (when appropriate).
Lower power prices make today the opportune time to embark on these investments, rather than haphazardly devoting precious financial resources to less meaningful distractions (i.e. subsidies for at-risk generation).
