Securing the Smart Grid

The Trump Administration is reportedly finalizing a cybersecurity executive order. According to multiple sources, the draft order includes a 90 day assessment of the electric grid’s vulnerability to significant cyber incidents, and “the readiness of the United States to manage the consequences of such an incident.”

I have some relevant policy experience here. I’ve had the good fortune of working on national smart grid policy — twice.

First, at the FCC’s National Broadband Plan, under Chairman Julius Genachowski and Broadband Plan Executive Director Blair Levin, I led a small team focused on how broadband and other advanced communications can promote our national goals in energy and the environment. We ended up focusing in part on smart grid policy — and our policy recommendations are still relevant today.

Then I got recruited to work at the White House, where I worked with Aneesh Chopra, Jason Bordoff, and Phil Weiser to write national smart grid policy again, this time with a White House and inter-agency team in the National Science and Technology Council. At the U.S. Department of Energy and the National Institute of Standards and Technology (NIST), Assistant Secretary Patricia Hoffman, Chris Irwin, Eric Lightner, George Arnold, and David Wollman were invaluable contributors and thought leaders.

It was a great learning experience to do this, twice! I learned a ton about how to develop policy, and about how to listen to and engage a wide range of interested stakeholders. Both times our teams spoke to utilities, regulators, large and small technology companies, non-profits, consumer advocates, government agencies, security experts, and many others.

In the initial 2011 White House smart grid report (which was followed by a progress report in 2013), we outlined four areas of policy:

1. Enabling cost-effective smart grid investments

2. Unlocking the potential for innovation in the electric sector

3. Empowering consumers and enabling them to make informed decisions, and

4. Securing the grid

It was especially fun to take policy ideas and turn them into action, especially after writing them into multiple reports.

For example, in partnership with electric utilities, the White House, NIST, and the Department of Energy launched the Green Button Initiative, based on the idea that electricity customers should be able to get access to their own energy information — not just easy to understand, but also in standardized and machine-readable formats.

The Green Button Initiative soon became more than just an idea. According to a 2015 White House blog post:

More than 150 utilities and service providers have committed to providing more than 60 million U.S. households (including altogether 100 million people) access to their own Green Button energy data in a consumer- and computer-friendly format. Similar efforts are also taking hold internationally. In Canada, for example, more than half of Ontario-based consumers, totaling 3 million residences and businesses, now have access to their Green Button data.

The fourth policy area in the 2011 report is arguably the most important: securing the grid.

Our policy work in this area was heavily informed by cybersecurity experts, including the National Security Council, the Department of Homeland Security, the Department of Energy, the North American Electric Reliability Corporation, and other external experts.

As we wrote in the 2013 update:

Cybersecurity is a significant and evolving challenge for the electric system given the wide variety of deployed technologies and the dependency of so many sectors and networks on electricity. Protecting this critical system from cyber-attacks and ensuring that it can recover quickly in the event of an attack is vital to national security and economic well-being.

We highlighted four areas of Administration activity to secure the grid:

1. Improving critical infrastructure cybersecurity: President Obama signed an Executive Order and a Presidential Policy Directive to strengthen critical infrastructure cybersecurity, with a focus on partnering with critical infrastructure owners and operators against evolving threats.
2. Promoting a performance-based cybersecurity culture: The Obama Administration launched a risk management process guideline and facilitated a strategic industry framework focused on the vision of a resilient energy delivery system that can survive a cyber-incident while sustaining critical functions.
3. Setting cybersecurity guidelines for the smart grid. The Department of Energy and NIST worked with utilities to highlight cybersecurity best practices and to develop recommendations to incorporate cybersecurity throughout the smart grid systems’ development lifecycle.
4. Promoting physical preparedness and resilience. The Obama Administration also worked to understand and manage physical threats to critical electricity assets — including scenario planning for electromagnetic pulses and prototyping small and light modular extra-high voltage transformers.

While I am proud of the Obama Administration’s efforts to promote grid security, we of course recognized that much of the progress was happening — and will happen — in partnership with the private sector.

The more recent 2016 Washington Post article about a Russian cyberattack on a Vermont utility highlighted the issue of electric grid vulnerabilities. It should be noted, as the updated article does, that the attackers weren’t able to disrupt operations or breach grid control networks.

While it’s helpful to get the Washington Post paying attention, utilities and security experts have known about security threats to the grid for some time. There are many dedicated professionals that have been working on these issues for some time.

One particularly wonky but thorny issue to highlight is that the control networks in the grid, called SCADA (Supervisory Control and Data Acquisition) networks, were not designed for a hyper-connected world.

Ideally, SCADA networks should never be connected to anything Internet-connected. And they should be retrofitted with sufficient security protections.

But in the real world, as more things are connected to the Internet — including our buildings, cars, and electric utility business computers — we run the risk of inadvertently making control systems more vulnerable to attack. And the first step to fixing this is to understand the assets controlled by SCADA networks, and their vulnerabilities.

That’s another reason I’m excited to be at Insight Venture Partners, where we are investors in Tenable Network Security. One of Tenable’s newest products leverages their market-leading passive monitoring technology to analyze SCADA network traffic — discovering SCADA assets and their vulnerabilities.

Tenable Networks is one of our most exciting companies — we led a $250 million round in late 2015. They just added a new Chairman and CEO, Amit Yoran, who previously ran RSA, a key billion-dollar security company. They are also investing in new product capabilities — recently launching Tenable.io, a new cloud-based vulnerability platform. I work closely with their public sector team, led by Darron Makrokanis and James Hayes, both of whom have been talented public servants themselves.

My days of writing policy reports are over — at least for the foreseeable future. But it’s exciting to partner with a team, again, that is turning ideas into action — and doing their part to secure the grid.

I’m encouraged the new Administration appears to be focusing on smart grid security—and hopeful they listen to the experts inside and outside the government.