Vermont Law Top 10 Environmental Watch List for 2020

Not If, But When: The Environmental Impact of Cybersecurity in the Electric Grid

Our country has committed, and continues to commit, a great deal of time and resources to network and modernize the electric grid into the smart grid. The smart grid is the traditional grid, modernized through the inclusion of internet technology.  Because of its reliance on internet technologies, the smart grid is vulnerable to the same cyber hacking techniques that have attacked hospitals, cities, and elections. This vulnerability is a “must address” issue for the environment and environmental law for two key reasons: a cyber-attack can greatly reduce the applicability of smart grids, and an attack would eliminate the benefits of energy efficiency that have been a focal point for utility companies for years. The cybersecurity of our grid is inexorably linked to energy conservation efforts due to our reliance on the smart grid to achieve those goals.

When Ukraine fell victim to a cyber-attack on their grid in 2015 that caused widespread blackouts across the country, the United States directed attention to the cybersecurity of our electric grid. This was a step in the right direction because the grid alone is valued at nearly $2 trillion. If the grid were to go down, the impact to the economy would be anywhere from $243 billion to $1 trillion. The annual losses from intermittent outages alone are estimated to be more than $100 billion. For a country that has over 370 million people, the grid not only has massive economic impacts, but affects our everyday lives, including communication, healthcare, transportation, and social welfare. A successful cyber-attack on the grid would have a catastrophic human toll. The economic and environmental risk, while minor in comparison to the human risk, has weight in its ability to alter the willingness of electric companies to embrace smart grid technology. If electric companies do not embrace smart grid technology, energy conservation efforts would be negatively impacted. After seeing what happened in Ukraine, and other smaller events since then, 48% of power and utility CEOs think a cyber-attack on their company is inevitable. The question is not ‘if,’ but ‘when.’

The ‘when’ is now. Earlier this year, a cyber-attack on the United States grid created blind spots at several small power generation sites and a grid control center. The attack infiltrated the system by exploiting a known firewall vulnerability. This event marks the first disruptive cyber-attack on the power grid in the history of the United States. In addition to the direct economic impact, liability concerns foster a reluctance to use smart grid technology which will directly impact our ability to conserve energy. As technology continues to rapidly increase, the United States’ focus on grid safety must evolve as well.

Although we know cybersecurity is now a major issue, it presents the challenge of how to address it. Since the grid spans the country and many state jurisdictions, the question becomes who is responsible for grid security? At the federal level, the Federal Energy Regulatory Commission (FERC) has the authority to approve mandatory cybersecurity reliability standards. Through the North American Electric Reliability Corporation (NERC) audits, utilities have been fined if they do not adhere to those reliability standards. And, utility obligations do not end with federal mandates. Each of the 50 states has a commission that regulates the utilities industry within their state boundaries. They also have the ability to create and enforce their own standards in addition to the mandatory standards.  This lack of consistency between the federal and state regulation of the electric industry creates a difficult environment for the effective management of cybersecurity efforts and additional cybersecurity vulnerabilities.

The lack of consistency is more important than ever due to the increased number of connection points created as a result of the evolution of the smart grid. This development of the smart grid has resulted in a wide variety of benefits, but also presents a vulnerability challenge. The smart grid uses computer-based remote control and automation that is handled through two-way communication technology. Traditionally, the power grid was seen as unidirectional with the purpose of providing power. The smart grid adds a second lane and allows information to flow to and from individual homes, devices, and other components on the grid. Each component is a connection point to the grid that offers cyber-terrorists access to grid control. With the increased number of connection points comes an increased number of entry points for cyber-terrorists and other predators. When cyber-attacks get more advanced (and they will) and shut down the grid, this not only eliminates the benefits of the two-way communication technology, but also defeats the purpose of the smart grid altogether. If we are not able to collect the data from users and devices, then the energy conservation benefits of the smart grid are eliminated. Investment in the smart grid without similar investment in cybersecurity will undermine the value enhancing the smart grid.

The other aspect of the environment at stake due to grid security is the overall energy efficiency that has been a recent focus for utility companies. With the increased use of renewables such as solar panels and wind turbines, manufacturers can improve their energy efficiency by 15% by adopting automated controls and sensors. However, to benefit from the access of rate payer’s data and the automated control, the grid must be connected through internet technology. Rick Perry, the Secretary of Energy under President Trump, said, “Improved cybersecurity can reduce risks as well as catalyze adoption of more energy efficient technologies in the manufacturing industry.” Not only do the actual cybersecurity vulnerabilities impact the potential increase for energy efficiency, but the perceived cybersecurity vulnerabilities prevent others from even trying to address energy efficiency through automation because of the apparent risk and dangers associated with it.

Cybersecurity vulnerabilities will have a substantial impact on the advancement of energy conservation. Reduced smart grid applicability results in fewer renewables. Fewer renewables will lead to missed opportunities to reduce carbon emissions. The lack of progress in emissions reduction is a step back from the progress made in energy efficiency. Cybersecurity in the electric grid has a substantial impact on our environment and must not only be addressed with greater attention, but also continually revised due to our ever-evolving state of technology in the electric grid. In 2020, we should see if utilities advance their cybersecurity efforts or roll back their grid modernization efforts due to liability risks.