
Findings

Although the attendees at the Pocantico retreat did not explicitly arrive at findings, the following key themes and observations were gleaned from their discussions.

There is an urgent need for a common threat picture.

The threat environment for the North American grid system is changing rapidly, which presents significant risks to public health, safety, and prosperity. Yet the utility industry lacks a shared understanding of the threats and hazards for the modern American grid, particularly when it comes to cyber. In addition to technological change, there is a significant amount of misinformation on grid threats, including deliberately “weaponized” misinformation. And while government entities, such as the Departments of Energy and Homeland Security, and industry organizations, such as NERC, the Edison Electric Institute, and utilities, play an important part in sharing threat information, there is neither a uniform assessment of the threat ecosystem nor uniform access to threat information, intelligence, or analysis by both government and industry. A handful of executives at large investor-owned utilities, for example, may have sustained access to classified government threat information and analysis, while small, rural cooperatives may not have access at all, even though they may experience a similar or greater risk exposure (i.e., they may have fewer resources to mitigate or prevent an attack). Also, there are common shortfalls in understanding supply chain vulnerabilities and interdependencies across sectors (e.g., natural gas, water, and communications). Moreover, there is a need for a common understanding in the public domain, one that can be shared with regulators, local governments, and ratepayers.

  • There is a strong need for concerted, systematic government-produced warnings, indicators, and assessments, with extensive outreach to the utility sector. At the same time, the sector could also benefit from a companion, independent assessment process that can be broadly shared within the industry and even with ratepayers.

[Photo: Pocantico participants in action. Credit: Sharon Burke]

The Federal government should clarify roles and improve threat information sharing.

A number of Federal and regional agencies and organizations have responsibilities for electric grid security, particularly when it comes to cyber threats, meaning there are overlaps and gaps. The Federal government should reaffirm a lead mission owner for grid security, or at least for cyber security, and designate other agencies as supporting partners.

  • As specified in statute (the FAST Act and Federal Power Act), the U.S. Department of Energy is the Sector Specific Agency for grid security. And while the Department of Energy has considerable subject matter expertise and the trust of the industry in many ways, the agency’s mastery of the grid security mission, particularly when it comes to cyber, remains unproven. The Department will require adequate staffing, technology support, innovative policies, effective programs, good leadership, and support from other agencies (including CYBERCOM) if it is to succeed and gain the confidence and enthusiasm of private sector partners when it comes to grid security. In particular, the Department of Energy should focus on collecting and sharing credible, thorough, and actionable information and threat assessments – and in blue sky times, not just during emergencies.

Innovation is not just about technology.

There is a range of promising technologies for improving grid security, from microgrids to smart, autonomous control systems to redundant transformers. In many cases, however, the innovation context, such as the policies, regulations, legislation, standards, workforce capability, and best practices, lags the technology itself.

  • Government agencies and utilities separately and in cooperation should look for ways to promote a culture of agility, rather than constantly layering on the next coat of new policies and regulations.
  • Any new technologies added to the grid should incorporate security intrinsically to the greatest extent possible. Retrofits are generally more expensive and less effective.

State level policy, regulation, and legislation are important.

There isn’t one grid, of course, but rather a system of interlocking pieces largely overseen and operated at state and regional levels. This decentralized system can be a weakness, but it is also a strength and certainly a fact of life.

The Department of Defense presents opportunities.

The Department of Defense is at once a major consumer of electricity and of threat information, with the country's lead responsibility for national security. It is also a customer with both significant resilience needs and uneven resilience practices.

  • The Department of Defense has the potential to be a proving ground for grid security as a large consumer with a public mission, an urgent need for improvement, and unusual authorities (such as 30-year Power Purchasing Agreements). Conversely, NERC, utilities, trade associations, and regional transmission organizations should be more proactive about engaging the Department of Defense, as a major customer and potential target for grid attacks.

[Photo: Energy resilience project at Joint Base Pearl Harbor-Hickam. Credit: Holly H. Jordan, Air Force Research Laboratory]

Define resilience.

Resilience is one of those qualities that is often discussed but rarely understood, at least in tangible terms. It is important to have a more actionable definition when referring to the electric grid, however, including how "resilience" might differ from "reliability," which the industry understands very well, indeed.
