Smart-grid security delayed by questions of government regulation
SAN FRANCISCO — Billions of dollars are being invested into upgrading the nation’s electric grid to an intelligent system capable of handling two-way transmission of information and power, but its security remains uncertain at best, a panel of government and industry experts said.
“Security sucks,” said attorney Stewart Baker, a former official at both the National Security Agency and the Homeland Security Department.
He called the ability to disrupt the power grid a “wonderful weapon,” easy to develop, asymmetric and deniable. “We are going to see an attack on grids by nation states as conflicts become more serious,” he said during a panel discussion at the RSA Conference.
More from RSA:
DOD wants in on protecting civilian infrastructure
Fuss over cyber war distracts from real threats, security pioneer says
But requirements for securing the privately-owned systems are being debated by a Congress divided politically over the role government should play in securing the nation’s critical infrastructure.
“Regulation is not favored by our caucus in the House,” said Kevin Gronberg, senior counsel for the House Homeland Security Committee, where Republicans hold a majority. The regulatory philosophy there is based on the assumption that the owners and operators of the infrastructure know best how to secure it and have an interest in doing so, if they can get the operational information they need from government.
Much of that information is in the hands of NSA, which raises the question of what the role of NSA — a part of the Defense Department — should be in securing private-sector systems. Jason Healey, director of the Cyber Statecraft initiative at The Atlantic Council think tank, said that NSA should make its information more freely available to those who need it.
“If they need to know what the NSA has, NSA should declassify it,” allowing operators to take advantage of NSA expertise without having the agency monitor its networks, Healey said.
But Baker disagreed, saying that making the information public could tip off enemies about what we know. He said that NSA should have an operational role in protecting critical infrastructure, a role that today belongs to DHS — to the extent that it has any role.
DHS has responsibility for protecting civilian government networks and cooperating with the private sector. It shares expertise, performs vulnerability and site assessments and assists with incident response, said Jenny Menna, director of Critical Infrastructure Cyber Protection & Awareness at DHS. But it has little legislative authority to interfere with the private sector, and its work there is voluntary.
It is not doing its work alone, Menna said. “DHS and NSA are already working together,” sharing information expertise. “There is a strong working relationship.”
An aggressive smart grid standards-making program is being overseen by the National Institutes of Standards and Technology, but the final word on who will have authority to oversee security in this infrastructure will have to wait on the fate of competing bills now before Congress.