CA on Governance, Risk and Compliance (GRC)
- Insights and observations on happenings in the GRC market
The collapse of the financial markets has been largely blamed on poor risk management in the sub-prime mortgage market. Now more regulations in the banking, finance and insurance industry are imminent. CA's Mike Hoefgen asks, will the electrical power industry follow their lead?
In March of 2007, the Department of Homeland Security launched an experimental cyber attack that caused an electrical generator to shake, smoke, and then stop (CNN reported on this scenario in September 2007; watch the full video segment here on CNN’s site). The federal government and electrical industry were obviously concerned about what might happen if such an attack by foreign nations or others intent on attacking the U.S. through its electric grid were carried out on a larger scale. Experts fear bigger, coordinated attacks could cause widespread damage to electric infrastructure that could take months to fix.
The cyber security risk has been identified and called “Aurora.” What has happened since this experiment might surprise you.
The North American Electric Reliability Corporation (NERC) is a government entity that oversees the bulk power systems of North America, and is responsible for fixing this vulnerability. NERC issued an advisory to 1,800 owners and operators of the national power grid and provided a 60-day schedule for “immediate” mitigation measures and a 180-day schedule for longer-term measures. Compliance is voluntary.
If you were the CEO for an electrical utility, what would you do? In the current Governance, Risk, and Compliance environment, the first step is to identify your risks, and that has obviously been done. The next step is to measure the risk and determine its impact.
According to the Committee on Energy and Commerce:
“Federal Energy Regulatory Commission staff report identified 20 separate domestic and foreign instances of cyber attacks on electricity systems” and “the CIA has identified cyber attacks on the electrical systems in major cities overseas which caused significant blackouts. CIA has reported that criminal enterprises have broken into utility control systems overseas as part of extortion schemes.”
Need more risk measurement?
Economist Scott Borg, who produces security-related data for the federal government, projects that if a third of the country lost power for three months, the economic price tag would be $700 billion. “It’s equivalent to 40 to 50 large hurricanes striking all at once,” Borg said.
The next steps would be to prioritize your risks and mitigate the largest risks by putting appropriate controls in place. So what really happened?
FERC conducted an audit of 30 utilities and found that 23 were not in compliance with the NERC advisory. Is this sounding familiar? The banking institutions didn’t identify the possible risk that house prices would drop below the loan values. The electrical utilities have it much easier — the risk has been identified, but 76% of them did nothing to mitigate it. Because of their lack of response, the Subcommittee is considering legislation that would give Federal authorities the power to compel implementation of remedial measures on an emergency basis throughout the bulk power system when a vulnerability poses a significant threat to the system.
Because of the widespread utility noncompliance with voluntary recommendations meant to protect the grid from cyber attacks, key lawmakers have unveiled plans to give the Federal Energy Regulatory Commission (FERC) broad powers to enact new mandatory measures to close vulnerabilities in the U.S. bulk power system to potentially devastating computer-launched assaults.
Kevin Kolevar, assistant secretary for electricity delivery and energy reliability at the Department of Energy (DOE), was equally alarming in describing the level of threat to U.S. power systems. The DOE supports giving FERC heightened powers to guard against cyber attacks on the grid, but the Department of Energy wants an additional role for itself.
If the electrical utilities don’t mitigate their risks, the government will step in and force the issue. Not only will the government give FERC/NERC more power, they may also involve the DOE and Homeland Security. So what could this mean? 2,000 requirements, instead of the current 1,000? Audits every year instead of every three? Fines upwards of $2 million per day? Regulations from four government entities instead of one? Any or all of these actions are possible, and the electrical utilities brought this on themselves.
The solution is simple: identify your risks, mitigate those risks by putting controls in place, then audit the controls on a regular basis. This basic compliance lifecycle is not a checklist that can be done once and filed away as completed. It is an ongoing endeavor and will hopefully keep us out of the dark (literally).