Our guest blogger is Peter Swire, a Senior Fellow at the Center for American Progress and the C. William O’Neill Professor of Law at the Ohio State University.
The front page of the April 8 Wall Street Journal blared: “Electricity Grid in U.S. Penetrated by Spies.” The article reports that cyberspies from Russia, China, and other countries “have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system.”
The same day, I released a report on “Smart Grid, Smart Broadband, Smart Infrastructure: Melding Federal Stimulus Programs to Get More Bang for the Buck.” Among other points, I specifically discuss how better broadband deployment can improve the cybersecurity of the electricity grid.
Parts of the Recovery Act’s stimulus spending can be integrated to save money and improve our long-term infrastructure. One section of the act provides billions of federal dollars to fund a “smart grid” for electricity that connects a far more flexible and efficient grid for long-distance transmission to regional feeder lines and local hubs, and then to the “last mile” to residences and businesses. A different part of the act provides billions in funding to upgrade broadband networks for unserved and underserved areas around the country.
Construction of the electricity grid and the broadband network should go hand in hand. We should follow the principle of “dig once” — when bulldozers are in place to build electricity transmission lines, the crews should be laying fiber where possible and otherwise upgrading the communications network at the same time. This approach will speed the deployment of high-speed broadband to dispersed geographic areas, including to far-flung cell phone towers that are often near power transmission lines.
In addition to non-security goals (e.g., energy conservation), upgrades to and spending on the electric utility grid should provide a sufficiently trustworthy network for control. The requirements for this sector are different enough that funding for cybersecurity research and implementation should be an integral part of the electricity grid stimulus spending.
Today’s electricity controls often “cannot accommodate current enterprise security solutions that soak up central processing unit (CPU) capacity and clog connectivity.” Nonetheless, a Wall Street Journal blog about the electricity story asked: “The big question is whether the move to a smart grid would increase the country’s vulnerability to such attacks, or serve as the best form of defense.” The main point of the WSJ blog post seems to be that we create new vulnerabilities by using the Internet for more parts of governance of the electricity grid and should therefore rely on dedicated communications lines to govern the electricity grid, the way we did in the pre-Internet era.
It would be a mistake, however, to dumb down the electric grid in the name of cybersecurity. The problems facing electric utilities are similar to those facing other sectors. As Professor Fred Cate observes, “increasingly critical information is both controlled by the private sector and carried via the commodity Internet (e.g., ATM transactions, financial data, health data).” The commodity Internet increasingly replaces the old dedicated lines due to enormous advantages in cost, functionality, and ability to upgrade. The path forward for electric utilities, as for banks and hospitals, is to learn how to act securely in this inter-connected world, not to try to use pre-Internet approaches.
Nor can electric utilities rely on the secrecy of their systems, what computer scientists call “security through obscurity.” On the Internet, as the Wall Street Journal story correctly explained, attackers can probe systems repeatedly and thereby discover vulnerabilities. As I have written previously, some aspects of the defense should stay secret, notably the ways that the system would respond to a novel, large-scale attack. But the downside of modern interconnectivity is that most security secrets on the Internet don’t stay secret in the face of the sorts of repeated probes that the WSJ describes.
In conclusion, one portion of cybersecurity for the electric grid should be to look for opportunities to use greater bandwidth to enable better defensive measures. Other upgrades should also be considered, such as improvements in central management and more effective use of virtual private networks to block attackers from access to remote devices. The main point of the smart grid/smart broadband report, however, remains compelling — we should look for opportunities to build the smart grid in tandem with broadband, to use the stimulus money better and also to achieve additional goals such as cybersecurity.