Cybersecurity threats to the electric grid are no longer hypothetical. While attacks impacting grid operations have only been reported in Ukraine, DHS recently identified intrusions into the U.S. grid. Fortunately, substantial progress has been made in recent years to protect the grid. While the North American Energy Reliability Corporation (NERC) has implemented bulk grid cybersecurity requirements for the past decade, state utility commissions are increasingly defining requirements for low-voltage distribution grids. Furthermore, NERC-led initiatives, such as national response exercises (GridEX) and information sharing programs (E-ISAC) help ensure utilities are prepared to respond to similar events. At the federal level, the Department of Energy has recently introduced the Office of Cybersecurity, Energy Security and Emergency Response (CESER) to help better coordinate grid security, while recently proposed bills, such as HR5239 and HR5240, focus on improving the security of grid software and mitigations, including auditing, supply chains, and data sharing.
However, this remains a complex and growing challenge. A strong defense requires near perfection, while attackers only need probabilistic success. Furthermore, the skill of the attackers is often substantially greater than those who are defending the grid. Scaling this problem to the scope of the US grid (3,000 utilities), amplifies this issue, as it is inevitable that some firewalls will remain incorrectly configured, credentials will be stolen, and systems will lack key patches. While new regulations and technologies help, they are only as capable as the individuals that support them.
The most critical factor remains the availability of a national workforce with expertise in industrial control systems, cyber threats, and power system engineering to protect these systems. However, individuals with these backgrounds remain insufficient and the allure of jobs at high-paying tech companies further constrains the talent pool, especially for utilities in rural areas without the ability to provide lavish benefits. Earlier this year the DOE-sponsored a national collegiate cyber-defense competition, where hundreds of students protected control systems from professional attackers. However, more needs to be done to elevate the attractiveness of these careers. Without the right talent, new regulations and technologies supporting cybersecurity will fail to achieve their goals.