Cutting Our Grid Off to Spite Our Enemies?

Is the nation’s electricity grid getting too darn smart for its own good? That seems to be the question at the heart of the new “Securing Energy Infrastructure Act.” Introduced in the Senate last month, the bill will get a hearing next week on July 12th. 

The bill takes that intriguing question to the next level by proposing that maybe the best way to protect the grid from a cyber attack is basically to unplug it. Or at least to study whether it might be better to go back to the past generation of analog technology for certain links in the chain of electrical custody.

While this may well be a $10 million jobs bill earmarked for national labs (two of the sponsors are from Idaho and New Mexico), it does highlight the dynamic security environment for the electrical grid.

The companies that generate, transmit, and distribute electricity focus on reliability, or rather, reliability of supply to customers at an affordable price with a reasonable return on investment (and the definition of “reasonable” varies depending on who owns the utility). The main risks to that reliability for most of the life of the grid have been disruptions from equipment challenges or natural hazards, such as weather, squirrels, and stupid humans.

But two variables in that risk-reliability calculation have been increasingly inconstant of late: threat and vulnerability. In times of war, critical infrastructure is often a target, both because it provides sustenance to militaries and because it’s a key societal pressure point. And while discrete acts of sabotage have the potential for significant political and economic effects, it has generally required the resources of a nation and a state of war for truly damaging attacks on critical infrastructure. But the arrival of information technologies as a transformative critical infrastructure has meant new vulnerabilities that cut across just about every aspect of modern life, including the electrical grid. It does not require the resources of a nation or a state of war to attack information infrastructure. This has been all too readily apparent in everything from criminal cases, such as the December 2013 theft of credit card information from 40 million Target customers, to state-sponsored malice, such as the 2014 North Korean hack of Sony. This changing vulnerability picture coincides with a new threat environment, as non-state actors such as al-Qaida and ISIL look for ways to wreak global havoc and states such as Russia or Iran undermine adversaries or even military targets without engaging in open warfare.

Notably, neither Target nor Sony left the computer age, despite the severe damage to their companies. And even with the advent of the world’s first successful cyber attack on a grid in Ukraine, it doesn’t necessarily follow that the costs of dumbing down the grid would be worth any security benefits. Or even that an analog solution addresses the greatest vulnerabilities, threats, or risks.

All the more reason to look forward to next week’s hearing, which I plan to live tweet. Follow along next Tuesday the 12th @burkese.