Cyber threats pose a growing risk to electric utility systems. Like many other forms of infrastructure, the physical assets that generate and deliver energy to our homes and businesses depend increasingly on the integrity and security of the information technology and the data that support them. Any disruption to that information or technology poses a significant threat to national security, the environment, the economy and our social well-being.
Breaches to the security of the grid could disrupt the flow of commerce, damage real and personal property, compromise personal information, cause blackouts, and create chaos for society, our industry, our company, our communities and our customers. Therefore, we work diligently to protect the security of our physical assets and information.
We do this in three ways: we work with others to coordinate our efforts, we share information and best practices, and we stay current with emerging threats and risks. Further, we take actions to protect AEP’s information systems, technology and data that support our power plants, transmission operations centers, data centers and business networks.
Given the increasing indications that energy systems in the United States may be vulnerable to malicious and disruptive cyber-attacks, cybersecurity is a national security priority. President Obama signed an Executive Order, “Improving Critical Infrastructure Cybersecurity,” in February 2013 to require federal agencies to coordinate and assist the owners and operators of critical infrastructure to better protect themselves from cyber-attacks. The order identifies the energy sector and the electric industry as critical infrastructure. The cybersecurity framework that is being developed through this presidential order is being reviewed by the Department of Energy. We are participating in the process through our industry trade group, the Edison Electric Institute (EEI), and we are sharing best practices.
The electric industry is one of the few critical infrastructure functions with mandatory cybersecurity requirements under the authority of the Federal Energy Regulatory Commission (FERC). The Energy Policy Act of 2005 gave FERC the authority to oversee the reliability of the bulk power system, including the authority to approve mandatory cybersecurity reliability standards. The North American Electric Reliability Corporation (NERC), which FERC has certified as the nation’s Electric Reliability Organization, developed Critical Infrastructure Protection (CIP) cybersecurity reliability standards. In January 2008, the commission issued Order No. 706, the final rule approving the CIP reliability standards, while concurrently directing NERC to develop modifications to address specific concerns.
In 2013, FERC adopted enhanced CIP standards to expand protection against attacks on the power grid. These revised CIP standards cover the security of electronic perimeters and the protection of critical cyber assets, as well as personnel and training, security management and recovery plans.
In addition to CIP, AEP supports and complies with cybersecurity standards for the Donald C. Cook Nuclear Plant through the Nuclear Regulatory Commission (NRC), which is authorized by FERC as the cybersecurity regulator of nuclear power plants. AEP, in conjunction with other nuclear power operators, coordinates through the Nuclear Energy Institute on effective cybersecurity practices to address the NRC cybersecurity regulations.
We participate willingly with NERC and the NRC on cybersecurity, but we are concerned that the ongoing cybersecurity initiatives of other agencies will duplicate efforts already in place within the federal government.
Sharing Information and Working with Others
AEP partners with a number of other utilities and EEI to keep legislators and regulators informed about advanced cybersecurity functions. We regularly share our knowledge and expertise with others at the federal and state levels. Although there are no NERC CIP-type cybersecurity requirements at the state level, we are working with our state regulators to help them better understand these risks and how we manage them.
We recently took steps to enhance our threat detection capabilities and to share what we learn with our industry, our peer companies and relevant federal agencies. Our efforts go beyond compliance, and we have been an industry leader in promoting private sector cooperation through our Cyber Security Operations Center (CSOC). The CSOC was initially designed as a pilot cyber threat and information-sharing center specifically for the electric sector and today is in full operation. The CSOC works with a leading defense contractor to leverage its experience and capabilities.
We also work with a consortium of utilities across the country and the Electric Sector Information Sharing and Analysis Center to learn how best to share information and collaborate on potential threats. Many of our initiatives include greater sharing of threat information between the government and the private sector, and we work to increase private sector access to government-classified threat intelligence data.
In late 2013, as part of our industry’s continuing program to advance threat sharing and coordination, AEP participated in NERC’s GridEx II exercise. This effort focused on improving the coordination and interaction between utilities and government agencies relative to potential cyber and physical threats against the nation’s electrical grid. We used this exercise to further advance our own internal response and coordination processes and communications.
Taking Action within AEP
For more than a decade, AEP has worked to strengthen its cybersecurity programs and to ensure that those programs evolve to meet new risks. We constantly scan the system for risks or threats and continuously assess our own capacity, including cybersecurity knowledge, staffing, capabilities and the need for future investment.
Hackers have breached a number of well-secured organizations, from federal agencies, banks and retailers to social media sites. As these events become known, we continually assess our own cybersecurity tools and processes to determine where we might need to strengthen our defenses.
We use multiple layers of cybersecurity and authentication to protect our data, information technology and supporting systems on a daily basis. We evaluate all known emerging threats and vulnerabilities and continuously improve our detection and defense processes and tools. We also run continuous awareness programs to help our employees recognize phishing and other potential forms of cyber-attack.
All AEP employees must complete Security Awareness Training annually, covering physical and cybersecurity. The training gives employees information and tools to shield our data from threats as it travels across the AEP network. It also places a shared responsibility for security with employees and the company.
Like all utilities, AEP collects and maintains data in order to provide service to customers. We have worked for many years to protect the confidentiality of customer information and to prevent unauthorized use. We meet or exceed all legislative and regulatory requirements regarding the integrity and privacy of such information, and we operate with a strong sense of responsibility to protect personal data from unauthorized disclosure.
The identification and safekeeping of personally identifiable information (PII) is important to AEP employees, contractors, customers and vendors. AEP collects, uses and retains PII only for legitimate business requirements, and we have internal controls to help prevent or mitigate any unauthorized disclosure of PII.