Dive Brief:
- In the wake of December substation attacks that caused blackouts for 45,000 customers in Moore County, North Carolina, Duke Energy changed the way it performed security assessments and shifted to a “tiered ranking system” of assets that focuses more on potential customer impacts, according to Mark Aysta, the utility’s managing director of enterprise security.
- Duke is also improving its “rapid-response protocols” for essential equipment and personnel, but resiliency investments in “self-healing technology” must also be a part of the security conversation, he said Friday at a field hearing of the House Energy and Commerce Committee held near the site of the attacks.
- Information sharing protocols between the public and private sectors must also be improved to ensure the security of critical infrastructure, said a state official familiar with the attack response.
Dive Insight:
Private enterprise owns a significant amount of infrastructure deemed critical by the U.S. Department of Homeland Security, making open information sharing between utilities and government vital to improving grid security, experts say.
“The information sharing protections currently in place do not adequately support open, honest and transparent dialogue” between the public and private sectors, said William Ray, director of emergency management for the North Carolina Department of Public Safety, at the hearing.
Friday’s hearing “sets the stage for a national conversation on grid vulnerabilities,” said Rep. Richard Hudson, R-N.C. He noted the “sophistication” of the North Carolina attacks and “frustration that we still haven't found those responsible.”
“I'll continue to push the FBI to make these attacks a priority,” he said.
On the night of Dec. 3, firearms were used to disable two Duke Energy substations. The attacks are part of a growing trend: Almost 1,700 physical security incidents were reported to the Electricity Information Sharing and Analysis Center in 2022, up 10.5% from 2021.
Despite the importance of information sharing, “current federal or state information sharing or intelligence protections do not fully address the need for open dialogue, while protecting all parties engaged,” Ray told lawmakers.
In a report published earlier this month, the Cyberspace Solarium Commission 2.0 noted utility lawyers at times advise electric companies to withhold information from the E-ISAC “for liability reasons,” potentially including enforcement actions.
Information sharing protections are currently “very narrow and specific,” Ray said. “We need to be able to take a look at those, and broaden them to address these types of complex incidents. ... We need protections that benefit both sides of the equation.”
Grid security approaches must be tailored to specific situations, said Rep. Jeff Duncan, R-S.C. “I don't believe there is a one-size-fits-all approach to harden the grid or electrical substations,” he noted, before asking Duke’s Aysta to elaborate on the utility’s new approach to security.
Duke now puts substations into “tiers” that consider both the asset’s “criticality to the bulk electric system” and the potential for customer impact should it be taken offline, Aysta said.
“Over the past six months, we have done a comprehensive review of our electric assets across our six-state service territory,” he said. “As a result of our review, we are shifting from a tiered ranking system focused largely on an asset’s impact to the bulk electric system to a tiered approach with a greater focus on potential impacts to customers.”
If power can be re-routed around a substation, allowing Duke to maintain service to customers, “that is not a substation we are going to focus on,” he said.
Duke’s approach starts with an “intelligence-driven program,” Aysta said. It includes understanding the threat, the tactics and techniques of bad actors and why they want to disable the grid.
“By understanding that, now we can start implementing controls on those bulk electric system assets where there is customer vulnerability,” Aysta said.
Duke uses “overlapping security controls” that allow the utility to detect threats earlier, decrease its response time and allow quicker law enforcement response to mitigate the attack, he added. The attack on Duke’s stations in December was “a very serious attack,” he said.