EVENT RECAP: Resilience Panel on Cyber Security & Resilience Issues of the Grid with Richard Mroz and Suedeen Kelly | Global Resilience Institute

View event recording below.

Dr. Elizabeth Moore began the presentation by introducing the Global Resilience Research Network (GRRN) and guest lecturers, Suedeen Kelly and GRI Distinguished Corporate Fellow Richard Mroz. Ms. Kelly and Mr. Mroz are both involved with Protect Our Power, an independent advocacy organization that focuses on making the American electric grid more secure and resilient, especially in the face of growing cyber attacks.

Ms. Kelly briefly discussed the history of Protect Our Power. Founded in 2016 in response to the emergence of cyber attacks, the organization was formed to unite key industry groups (utilities, grid owners, security experts, government officials, public policy influencers, etc.) so they may work together to fortify the electric grid. Since its foundation, several philanthropic organizations have provided funding for Protect Our Power to continue its important work in building security and resilience of the electric grid in the United States.

Mr. Mroz explained that one area in which Protect Our Power has been actively working is advocating for specific regulatory treatment and focus in the states, particularly with distribution companies and utility organizations. Another area of focus for Protect Our Power is working with federal agencies and advocating in Washington D.C. Most recently, Protect Our Power has been advocating for stronger cybersecurity measures to be integrated into the new infrastructure bill passed by the Biden Administration. Finally, Dr. Mroz discussed the focus area of supply chain, specifically supply chain vulnerabilities as they relate to the electric and utility sectors. Protect Our Power has been working to develop standards for interconnection across supply chains, so that our increasingly smarter and more digitized grid can remain secure.

Mr. Mroz confirmed that vulnerabilities to cyber security threats are real, as officially reported by national security agencies and national security experts, and have become a strong focus of the U.S. Department of Energy. As a result, discussions have developed among industries, such as the global electric and manufacturing industries. According to Mr. Mroz, emerging standards among these industries are beginning to be created in response to growing cybersecurity concerns. However, there are still no specific directives nor implementation enforcement measures in the United States regarding power systems.

According to Ms. Kelly, the U.S. Department of Energy is looking at coordinating efforts to secure supply chains and the electric grid. Additionally, the Department of Energy is considering mandating security measures. In order to better understand regulation of the electric grid, Ms. Kelly explained that we do not have competing electric gids. Rather, we have a single electric grid that is owned collectively by many entities, which makes it subject to regulation. Smaller parts of the system are controlled by the states in which they exist, whereas interconnected parts of the transmission system are regulated by the federal government. According to Ms.

Kelly creating any regulations in this area is a very time-consuming, bottom-up process. She posited that “an industry collaborative approach that is not mandated would likely be very welcomed by the administration.”

Mr. Mroz discussed a very recent development currently being set in motion by a work order, which allows for the aggregation of distributed energy resources. In other words, “a virtual power plant.” Therefore, a two-way flow of electrons may start to enter the system in coming years, assuming the necessary technology can be developed. According to Mr. Mroz, this development would cause an even greater need for security because of the increased interconnectedness a virtual power plant would create within the national electric system.

Speaking in regards to cost of these recommended changes and regulations, Ms. Kelly addressed the need for a revenue stream that is available to grid owners. According to Ms. Kelly, this continues to be a significant issue because the entities that need to establish cyber security measures are the utility companies that own pieces of the grid, and there are a lot of them. Thousands of entities own small pieces of the grid and nearly all of them have their own regulation systems. Therefore, it is very difficult for utility companies to make investments up front for the establishment of cyber security measures. Payments are often made in advance or after the fact, which can be extremely time consuming and complex. For these reasons, Ms. Kelly suggested that a universal cybersecurity service fund, consisting of small charges placed on the bill of every electric consumer, would be extremely helpful in providing the revenue needed to invest in the security of our electric grid. Additionally, Ms. Kelly suggested the coordination of cybersecurity efforts among one entity, in order to ensure that smaller utility companies are not left behind or overshadowed by large utility companies.

The presentation was followed by a Q&A session.