The electric power sector in the United States has a long history of facing threats to our infrastructure–whether they are natural or man‐made. While cyberthreats are indeed much more complex, particularly when you consider that some of our cyber adversaries are nation states, the industry has a strong foundation of preparedness, resilience, and response. Though much progress has been made, we recognize that the capability of cyber adversaries continues to evolve at a rapid pace and that requires a more strategic approach to this threat.
The electric power sector established the CEO‐led Electricity Subsector Coordinating Council (ESCC) to tackle strategic, policy, and operational/tactical efforts to prepare for and respond to all threats facing the sector. The ESCC includes representation from utilities of all sizes and accomplishes its objectives of collective defense, collective response, and preparedness and resilience through close coordination at senior levels within the federal government, such as the U.S. Departments of Energy (DOE), Homeland Security (DHS), Defense, FBI, and the Office of the Director of National Intelligence, along with state elected and appointed officials.
One of the many successful initiatives championed by the ESCC has been bi-directional cyber threat information sharing between energy sector owners and operators, and the government. These programs allow energy sector owners and operators to voluntarily share cyber threat data in near-real-time, analyze this data using U.S. intelligence, and receive machine‐to‐machine threat alerts and mitigation measures. The success of these programs has been recognized by the president's National Infrastructure Advisory Council as a model for other sectors to consider.
The ESCC promotes ongoing collaboration with the federal government, the national laboratories, and the investment community to align cybersecurity research and development (R&D) needs and priorities with those in the industry. The ESCC also encourages the deployment of high‐priority technologies, especially in the operational technology space, and how we should develop resilient systems that are able to identify, protect, and detect cyber incidents.
Finally, it should be noted that the electric power sector is the only sector with mandatory regulatory requirements for cybersecurity outside of the nuclear sector. This ensures a consistent set of standards and requirements across the industry. However, we appreciate that regulatory requirements are only a baseline and therefore many of us leverage tools such as the National Institute of Standards and Technology Cyber Security Framework, and maturity models such as DOE's Cybersecurity Capability Maturity Model, to continually improve our efforts across the board.
The concept of continuous improvement is the bedrock of the utility sector because we recognize the tremendous responsibility to provide electric power to homes, businesses, and other critical infrastructure sectors across the country. This is why federal agencies such as DOE and DHS partner so closely with us–they recognize that electric power is an instrument of national and economic security and therefore we must do everything we can to protect against cyber adversaries that wish to cause harm.
–Todd Inlander is senior vice president and Chief Information Officer with Southern California Edison.