Infrastructure Defense as a Key Element of National Security Policy: Securing America’s Electric Grid

By Scott Aaronson

Energy is a critical resource that powers our homes and businesses, and also supports every facet of the U.S. economy and our nation’s security. As technology advances and we become more connected, the likelihood that there will be a successful cyber or physical attack on critical infrastructure increases.

This month we recognize National Critical Infrastructure Security and Resilience Month, which is a great time to reinforce that our nation’s electric companies are working across the industry and with our government partners to protect the energy grid and ensure that customers have access to the safe and reliable energy they need. We also are focusing on strategies to mitigate the potential impact of an attack and to accelerate recovery should an incident occur.

We know that cyberattacks constantly are evolving and increasing in sophistication. As the vice president for security and preparedness at the Edison Electric Institute (EEI), the association that represents all U.S. investor-owned electric companies, I have a deep appreciation for how any threat to the energy grid endangers our communities and the national and economic security of our country.

I am proud of our industry’s commitment to strengthening our cybersecurity posture and am acutely aware that progress would not be possible without deep cooperation across the industry and with our government partners. This partnership, embodied through the CEO-led Electricity Subsector Coordinating Council (ESCC), is key to ensuring that vital and actionable information is being shared quickly.

The ESCC serves as the principal liaison between leadership in the federal government and in the electric power sector, with the mission of coordinating efforts to prepare for national-level incidents or threats to critical infrastructure. ​One example of the strength of industry-government coordination is the Cyber Security Risk Information Sharing Program (CRISP). This program brings together the energy industry, the U.S. Department of Energy, the intelligence community, and the Pacific Northwest and Argonne National Laboratories to share near-real-time information securely, to enhance situational awareness, and to identify threat indicators. To date, U.S. electric companies that have deployed CRISP represent more than 75 percent of all U.S. electric customers, and that number increases every year as more companies join the program. Threat information gleaned from CRISP is shared across the sector and with government partners to better protect all critical infrastructure operators.

The ESCC also facilitates and supports policy- and public affairs-related activities and initiatives designed to enhance the reliability and resilience of the energy grid. Unity of effort and unity of message are critical to ensuring our customers, the American people, can have confidence that industry and government are working closely to defend the nation’s most critical infrastructure.

Not only does the ESCC invest in strategic research and technology development to further protect the energy grid from cyberattacks, but ESCC members regularly share information, engage in scenario planning, and hold coordinated response exercises to ensure preparedness for any kind of potential attack on the energy grid.

Earlier this month, more than 6,500 electric power industry and government executives participated in the North American Electric Reliability Corporation’s GridEx V exercise. Held every two years, this exercise brought together electric company leaders; local, state, and federal government officials; and other critical stakeholders to test and evaluate emergency response plans for responding to and recovering from a range of cyber and physical security threats to the energy grid. The exercise also helps participants strengthen their crisis communication coordination and develop actionable plans to improve our collective security posture.

One key security enhancement that resulted from a previous GridEx scenario was the development of a cyber mutual assistance (CMA) program, which was tested during GridEx V. Similar to the industry’s traditional mutual assistance program, through which electric companies send equipment and lineworkers to help restore power after storms, CMA helps ensure that companies being impacted by a significant cyber incident can call upon additional industry experts to help restore critical computer systems. Today, CMA includes more than 145 electric and natural gas companies from across the United States and Canada – covering approximately 80 percent of U.S. electricity customers and 75 percent of U.S. natural gas customers.

Protecting the energy grid from threats that could impact national security and public safety is a responsibility shared by both the government and the electric power industry. Together, we continue our work to enhance energy grid security and resiliency and to protect the customers and communities we serve.

Scott Aaronson is Vice President, Security and Preparedness at the Edison Electric Institute, where he leads the EEI teams focused on cyber and physical security, storm response and recovery, and associated regulatory policy.

This article was first published by Real Clear Defense on December 4, 2019.