Utilities bear heavy cost of securing infrastructure

In February, the nation’s top intelligence officials from the Homeland Security Department, Office of the Director of National Intelligence, CIA, FBI and other agencies expressed their concerns about the threat of cyberattacks on our nation. One official said it would be hard to overstate the implications of such an event. At the same time, cybersecurity experts in the private sector warned that direct government takeover of private-sector networks — the critical infrastructure assets — could be a dangerous move during a cyber crisis.

This warning came as Army Gen. Keith Alexander, head of the Cyber Command, said it's time to refine the roles of government and the private sector in securing the nation's critical networks. Let's also include the recently released report from the office of the Energy Department’s inspector general that illustrates the need for increased efforts to secure the nation's power grid.

What do you get when you add all this up? That is easy: a case for action. When you combine all those, it equals a new push for federal legislation and actions that deal with securing and defending the nation’s power grid and other critical infrastructure assets. It is clear that this problem is getting a level of attention that it has not seen before.

So where do we stand? It is clear that we must build security into our critical infrastructure, and that includes our smart-energy and green-energy programs. However, on the condition of anonymity, one individual deeply involved in green energy said, “Developers generally do not look at security. We rely on the component and system manufacturers, and I cannot speak to what they are doing security-wise because we did not evaluate their efforts.” In a separate conversation I had with a former utility executive, also speaking on anonymity, he told me it is clear we are behind and must play catchup, but that is difficult in these economic and regulatory conditions.

No one knows these critical systems better than the owner operators. It is also true that no one knows the true state of cyberattacks and the cyber weapons used in these attacks better than our defense and intelligence organizations. We must also consider the role of Congress in this. Collaboration and cooperation among all those stakeholders is essential if we are to rapidly and economically deal with the threat of cyberattacks on the power grid and the rest of our critical infrastructure.

Without this cooperation and coordination, regulations often result in the opposite effect. Done wrong, businesses will balk and try to avoid some of the costs of regulatory compliance. Because  there are an estimated 85,000 critical infrastructure assets in the United States, the costs of protection are sizable. How can the utilities be expected to absorb the substantial costs of protecting the power grid and other assets from cyberattack? The answer is they cannot. The cost of securing the nation’s critical infrastructure, including the power grid, must be included in the rates they charge.

A rate case must be developed based on best available estimates of replacement of out-of-date equipment that is vulnerable with new security hardened products, refurbishment and security reinforcement of assets that are still maintainable, and integration of security planning into current and future critical infrastructure projects.

Although rate cases were created to regulate the cost of public utilities, in this case, that has a negative effect: delay. Correcting this situation will take months, if not years. It is impossible to know if we have that much time until a cyberattack compromises the integrity of our infrastructure and causes disruption. Until public utilities get some type of financial relief from the cost of security and cyber defense, we will likely remain in a weakened at-risk state of defense and will not take the steps necessary to improve the security and integrity of these critical assets.