Cyberattacks have become one of the leading threats to our nation’s energy infrastructure. Although the internet has served to bring the world closer together, it can also be used to launch remote attacks against our energy infrastructure. Efforts devoted to the cybersecurity of our electric grid and other energy delivery systems have become top of mind in today’s energy industry.
While state-sponsored cyber intrusions remain a primary national security concern, more than 80% of the nation’s energy infrastructure is owned and operated by the private sector. As such, close and continuous collaboration between government agencies and our domestic energy sector is critical to the identification and suppression of any potential cyber intrusion. As directed by Congress, the North American Electric Reliability Corporation (NERC) is tasked with developing and enforcing standards, which also have to be approved by the Federal Energy Regulatory Commission (FERC). This sophisticated regulatory regime is part of a defense-in-depth strategy employed through a broad suite of industry-driven protections that are designed to promote the resiliency of the electric grid in the face of a physical or cyberattack. Parallel efforts are also underway to implement additional protections to insulate the grid from the low-frequency yet high-impact potential posed by solar flares and electromagnetic disturbances.
Through executive orders, legislation, government interaction and cross-sector collaboration, much has improved in recent years; however, such efforts are only adequate if they can meet tomorrow’s challenges. GEI supports enhanced information sharing between the government and private industry, as well as across critical infrastructure sectors, because it is essential to ensure that timely, actionable information is in the hands of the right people, at the right time.
However, overly prescriptive, top-down regulations beyond those already in place should not be pursued, as they can serve the counterproductive purpose of providing a roadmap for the exploitation of industry cyber defense structures and strategies. Instead, cyber maturity models and comprehensive best practices should be developed and widely adopted to ensure that the delta between the most- and least-robust cyber protection frameworks is minimized.