Cohesive cybersecurity policy needed for electric grid.

• Author: Zhang, Zhen
• Position: Cybersecurity

COMMENTARY

Securing the electric grid is one of the key components of preventing terrorist attacks in the United States and increasing the country's resilience and recovery from such events. A secure electric grid is one that is protected from errors, contingencies or assaults on computer systems and networks.

There is no shortage of government policies for protecting critical infrastructure sectors from network vulnerabilities. What is missing is a focused comprehensive cybersecurity policy for the electricity sector.

Smart-grid technology, which may rely on computer networks to intelligently manage electricity, makes this all the more important.

But electric grid security is a topic that transcends smart-grid applications and reliability standards to issues of national security and international diplomacy. President Obama's June 2011 "Policy Framework for the 21st Century Grid" by the National Science and Technology Council noted that ensuring that the electric grid can recover from cyber-attacks is "vital to national security and economic well-being."

[ILLUSTRATION OMITTED]

A comprehensive cybersecurity policy for the industry is essential for this sector to work with the government to create and deploy technologies necessary to increase grid security and resilience.

Current protection of the critical electric infrastructure sector is fragmented. The quasi-government North American Electric Reliability Corp. (NERC) coordinates information sharing and creates mandatory cybersecurity reliability standards. These are valuable, but cannot replace a cohesive policy. A cybersecurity strategy must include at least six components: improving information sharing; clarifying the role of industry players in responding to different types of cyber-incidents; ensuring awareness of domestic and international law implications beyond the reliability standards; implementing long-term planning; evaluating other countries' cybersecurity systems; and providing government funding.

In the United States, private companies own and operate most critical infrastructure assets such as power lines and substations. While some may perceive defense against cyber-attacks as purely a government function, given the private ownership, a public-private partnership is necessary. Two elements of the government/electric industry partnership are the Information Sharing and Analysis Center (ISAC) and the cybersecurity reliability standards. To improve the partnership, NERC should...