Editor’s note: Starting this month, Mark Weatherford, former chief information security officer for the state of California, will write a regular column on protecting the nation’s electrical grid. Weatherford now serves as vice president and chief security officer for the North American Electric Reliability Corp. (NERC), an organization of U.S. electrical grid operators.
For this first column in the Securing GridSpace series, I’d like to spend a little time discussing the electric grid in North America. Future articles will expand on the cyber-security issues and technical details laid out here.
Everyone talks about this nebulous thing called “the grid,” but what does it mean? The grid comprises three major components: generation of electricity, transmission of electricity and distribution of electricity. Of these, generation and transmission make up what’s commonly called the Bulk Electric System (BES).
The North American BES is divided into three “interconnects,” which includes companies from across all of the Canadian provinces, all of the United States and a portion of northern Mexico. This can be a little confusing, but the diversity of geography and infrastructure is the key to profound reliability across the grid.
Electricity is like water in that it will always seek the path of least resistance, so it helps if you can think of the grid as a lake with streams feeding into it and a dam at the other end releasing water. To keep the water at a reasonably stable level, you can’t have more water leaving than you have coming in. Similarly the grid’s goal is to maintain a steady level of electricity, which means a lot of work goes on by many people to keep the amount of electricity entering the grid equal to the amount required by businesses and homes so when you hit the light switch, the light comes on. This is more complicated than it sounds when you consider the fluctuations in power requirements on an hourly, daily, monthly and seasonal basis.
Here are a few quick statistics: The North American power grid consists of more than 5,000 companies that own and operate more than 160,000 miles of high voltage transmission lines and more than 1 million miles of distribution lines representing more than $1 trillion in assets. With a real-time capacity of more than 4.1 trillion kilowatts, this infrastructure delivers electricity to more than 334 million people. Pretty impressive — and no wonder the North American electric system is called the “largest machine in the world.”
For such an immense infrastructure, the grid’s reliability is impressive, and power companies have a long history of knowing how to prepare for and react to disruptions related to physical security and acts of nature. Think about it, aside from an ice storm, hurricane or similar event thrown at us by Mother Nature, when was the last time you suffered from an extended power outage? Dutch computer scientist Edsger Dijkstra said, “Simplicity is prerequisite for reliability,” and for most of the 20th century, the grid was a simple environment. Technically complex yet simple because it was bounded and risks were relatively well understood.
So how important is electricity? I think the electric industry is the most critical of the critical infrastructures because the reliable generation and delivery of electric power is arguably the most influential factor in a sustainable population in North America. Electricity is as important to modern civilization as water was to ancient Rome except it’s impossible to calculate our dependency on electricity. In fact, the loss of electricity over a wide enough geographical area measured in months (instead of hours or minutes) would result in unprecedented human suffering, economic devastation, profound gaps in national security and a return to the digital dark ages.
Enter the Internet and cyber-security.
Electric grid systems that were previously taken for granted as dependable and relatively static began to change dramatically when they were able to take advantage of the efficiencies offered by the Internet. Unfortunately this also meant that the same security weaknesses that plague daily computer life could, when not accounting for the cyber-security threat, menace our nation’s electricity infrastructure. Those same botnets used by criminals to commit crime by sending spam, distributing malware and performing denial-of-service attacks can be used against unprotected or compromised BES networks.
Just like in IT systems worldwide, cyber-attack vectors are multiplying. System and network intrusions, including malicious code (can anyone say Stuxnet?) are increasing, and a growing reliance on the Internet and the proliferation of the smart grid is creating unprecedented cyber-security challenges for the electricity industry. These threats have resulted in an inconsistent perception of risk and are some of the things I’ll be talking about in Securing GridSpace so stay tuned, it’s gonna be a wild ride.