Introduction
Devastating events such as the terrorist attacks on 9/11 and the Great Northeast Blackout of 2003 led the US government to an increased focus on cybersecurity and the development of the mandatory cybersecurity requirements for the bulk power system known as the NERC Critical Infrastructure Protection (CIP) standards. Immediately following the attack on the World Trade Center, the US government asked experts to explore other out-of-the-box means by which the country could be dealt a catastrophic blow by distant and relatively small groups of attackers. Several scenarios emerged, one of which was a coordinated cyberattack on the US electric grid. Forensics experts have determined that the massive Northeast 2003 blackout was initiated by a falling tree branch. However, grid managers’ responses were slowed by the presence of malware on their computers, prompting even greater concern at the Federal level. The Energy Policy Act of 2005 then set the wheels in motion for what would later become the mandatory reliability and CIP standards, both of which were developed in collaboration with industry, and enforced by grid reliability overseer, NERC. From the initial attack to a codified and enforceable mitigation strategy took nearly a decade.
Today a new foe has surfaced, even as the first gains ground: climate change. Unprecedented heat, fire, floods, droughts and aquifer depletion, storms of increasing frequency and ferocity, higher air and water temperatures, and rising sea levels threaten generation, distribution, storage, and transmission assets. A 2020 massive-multi-state heat dome forced outages in California. Early 2021 saw another break in the polar vortex and a deep freeze in TX which begat prolonged power, natural gas, and water disruptions. The changing climate will continue to bring difficult-to-forecast physical impacts that stress unprepared grid infrastructure to failure. If there is anything positive about the arrival of this new threat category, it’s that some of the changes to policy and procedure being implemented to make us more resilient to cyber risks can be leveraged to mitigate the physical risks of climate change as well.
Lessons abound from the evolution of the NERC CIP standards and other grid cyber defense policies and best practices. And in ways similar to the NERC standards, in our recently published book Countering Cyber Sabotage, co-author Sarah Freeman and I document the value of prioritizing asset protections by consequence. Overall, three approaches stand out as particularly relevant for grid defenders who seek to be proactive against physical risks from climate change. They are: Organize, Prioritize, and Exercise.
Organize
The call to organize speaks to the benefits of governance structures calibrated to the most pressing current and emerging challenges, both within and outside an entity. It took a long time for large and medium sized electric utilities to understand that having their most senior person in charge of cybersecurity positioned as a manager several rungs below the CIO was not getting leadership the necessary visibility or action. Today it is common for the head of cybersecurity, most often designated as Chief Security Officer or Chief Information Security Officer, to report directly to the CEO. Climate risk issues, to the extent they are being addressed in a utility, are often being handled in an ad hoc manner with different groups in a utility taking independent, uncoordinated actions Ensuring climate physical risk is in the portfolio of the Chief Risk Officer can shorten the climate risk communications paths to the CEO or the Board of Directors.
An additional benefit to creating a senior position (e.g., VP or higher of Climate Physical Risk) is that it sends a clear signal to regulators whose job it is to assess whether utilities in their jurisdiction understand the climate risk stakes and are updating their risk committees and reporting structures accordingly.
Federal or state government climate risk or resilience manager positions created specifically to address climate physical risk to utilities will encourage increased coordination with utilities’ risk officers. Continuing this restructuring beyond the electric sector is necessary as well, per risk analysis firm ICF in their recent report:
Coordinating grid investments with a local government’s plans for critical loads, such as water treatment facilities, will support optimizing the nature, amount, and timing of grid resilience projects.
Prioritize
One point that pops right out of Countering Cyber Sabotage on the Consequence-driven Cyber-informed Engineering methodology is that we cannot protect every asset equally well. For us to thwart the most destructive potential cyberattacks we must prioritize defensive efforts and investments based on the criticality of the assets in question and the critical functions they provide. Prioritization will likely prove to be even more important in the climate physical risk realm, where grid assets that support defense critical electric infrastructures (DCEI) and other national and economic security functions should get more attention than assets deemed less essential or disproportionately expensive to harden. There is much work to be done on this topic and some of it is sure to be acrimonious, as there are winners and losers in every attempt at triage. Further scrutiny should be given to the downstream, cascading financial, security, transportation and public health impacts of sustained electrical outages that roil interdependent sectors like water treatment, fuels provision, and communications. Without robust, consequence-based frameworks for allocating finite funds, whether from government or rate-payer sources, and material and human capital to install and operate, we are sure to fall short in attempts to meet some of the most important challenges of this decades and the ones to follow.
Exercise
One of the more valuable activities for grid cyber defenders in every role and at every level of maturity has been the development and evolution of national level exercises like NERC’s biennial GridEx series, which is now preparing for its sixth iteration in late 2021. GridEx simulates escalating, highly disruptive cyberattacks on generation plants, substations and other grid assets, and challenges participants to coordinate their responses for maximal defensive effect. One potentially climate physical risk-relevant aspect of the GridEx formula is called the GridEx executive tabletop. This full day event brings together top US and Canadian utility executives, military and civilian government leadership, and representatives from other interdependent sectors to develop and practice command and control at the national level. Working through climate scenarios in tabletop format could help senior-level participants practice prioritization of critical protections in urgent circumstances, as well as with coordinating with regional owners and operators and balancing authorities affected by the scenario’s stressors. Lessons learned would then be shared in detailed after action reports that inform regulator and utility policy updates and combined with current real-world events, inform and evolve the gameplay of the next exercise.
What’s Next for the Grid
In the wake of Superstorm Sandy in 2012, then-Assistant Secretary of Defense for Mission Assurance and grid resilience guru Paul Stockton wrote a paper for grid defenders outlining lessons learned. They centered on the value of resilience and adaptation to a new but not yet fully acknowledged risk reality. An obverse approach holds merit as well: that by looking at how grid regulators, operators and defenders initially reacted to emerging cyber threats, we may find lessons to inform more-robust, proactive adaptations to present and looming climate physical risks to energy infrastructure.
Teaming with subject matter experts in academia and industry, my INL colleagues and I are developing guidance to help prioritize and better protect existing critical grid infrastructure elements including all forms of generation and storage, sbstations, control centers, transmission and distribution assets, and natural gas pipelines. The team is also building a version 1.0 methodology for siting new electric infrastructures that accounts for climate physical risks informed by national and economic consequence prioritization and cost benefit analyses. The term being used for these efforts is Climate-informed Resilience Engineering, or CIRE (pronounced “Sire”).
Photo credit: Bilanol/istockphoto.com
For old-guard grid defenders, cyber and climate risks are relative newcomers to the all-hazards risk portfolios utilities and regulators have historically tracked. Most public utility commissioners and staff, insurers and re-insurers, and credit ratings firms — are just beginning to understand the scale and the timing of these risks, as well as the efficacy of the engineered mitigations and protections we have at our disposal. There won’t be any declarations of victory in the campaigns against either cyber or climate physical risk; both are lasting and evolving wars. If defenders do their jobs well, however, we may be able to ward off the worst catastrophes. We may be able to limit damage to levels that allow the grid and the nation it propels to continue operating safely and with relative reliability as we move into an uncertain future.
https://www.congress.gov/109/plaws/publ58/PLAW-109publ58.pdf
https://www.taylorfrancis.com/books/countering-cyber-sabotage-andrew-bochman-sarah-freeman/10.4324/9780367491161
I use the term grid defender broadly, to include policy, operations and technical personnel from all manner of organizations who work to keep the North American electric grid up and running and resilient in the face of all the hazards that assail it
Resilient power: How utilities can identify and effectively prepare for increasing climate risks, March 2021. https://www.icf.com/insights/energy/resilient-power-utilities-prepare-climate-risks
Note: It’s important to remember that the infrastructure assets that support these crucial functions will also be facing their own climate physical risks, independent from the electric sector
https://www.nerc.com/pa/CI/ESISAC/Pages/GridEx.aspx
https://www.jhuapl.edu/Content/documents/PostCyberAttack.pdf