Cybersecurity Policy: It's a Team Sport
We encourage federal legislation that facilitates close collaboration and two-way information sharing to support a secure environment.
Sound Cybersecurity Policy Is Needed to Protect Electric Grids
Our nation’s electric grid is essential to national security – and the economy. We work continuously to defend this extensive, complex network of generation, transmission, and distribution infrastructure from cyber threats. When it comes to policy, we strongly support federal legislation that builds on these efforts by creating a flexible framework that goes beyond compliance, and encourages information sharing.
Cyber threats can evolve faster than standards. To safeguard vital interests like electric grids, what’s needed is collaboration and information sharing among federal, state, and local governments and industry.
Facilitating Robust Information Sharing on the Federal Level
Electric utilities are governed by a set of mandatory Critical Infrastructure Protection (CIP) cybersecurity standards established by the North American Electric Reliability Corporation (NERC) and overseen by the Federal Energy Regulatory Commission (FERC). With this in mind, we believe that the introduction of additional cyber standards would cause duplication and conflicts, and the resulting required reporting to multiple agencies would only drive up costs without benefit.
Instead, any new federal legislation should facilitate cyber information sharing. Our utility, Southern California Edison (SCE), supports legislation to create robust, two-way information sharing between the government and private sectors, with appropriate legal and privacy protections. By exchanging specific threat information, both government and business can respond to and mitigate emerging threats to better secure the nation’s cyber assets.
A Voluntary Forum for Information Sharing Needed in California
The State of California, the California Public Utilities Commission (CPUC), and the California Independent System Operator (ISO) can play an important state-level role by developing a voluntary, confidential, and collaborative forum for information sharing.
It’s a smart way to collectively protect the grid that we all rely on.
What We’re Already Doing: Smarter Grids
Cybersecurity is an increasingly important factor in ensuring resiliency, reliability, and safety of the electricity system. Our utility, SCE, is already going beyond compliance by incorporating additional field-proven security technology into our grid, and actively engaging with government agencies to share information on threats and protection measures.
What We’re Already Doing: Simulations & Readiness Exercises
In November 2013, we participated in NERC’s GridEx grid security exercise. It was designed to measure the readiness of utilities and government agencies to respond to a cyber attack. Also participating were 125 other utilities, government agencies, and private companies from across the U.S. and Canada. The two-day exercise put us through a series of simulated exercises that mimic what could happen during an actual combined cyber and physical attack on the electric grid. Exercises like this help to assess current command, control, and communications plans, while training our personnel in more realistic situations, and identifying areas for improvement across agencies.
We also routinely engage independent third-party information security experts to assess the cybersecurity posture of our utility’s networks and operations.
What We’re Already Doing: Pursuing Information-Sharing Strategies
At Edison, we're actively engaged with the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), which in collaboration with the Department of Energy and the Electricity Sector Coordinating Council (ESCC), establishes situational awareness, incident management, and coordination and communication capabilities within the electricity sector through timely, reliable, and secure information exchange.
The ES-ISAC also serves as the primary security communications channel for electric utilities, and enhances our ability to recognize, prepare for, and respond to cyber and physical threats, vulnerabilities, and incidents across North America.