As Texas considers whether – and how – to protect its electric grid from potential cyber threats, a University of Houston researcher said the state can be a national leader in a subject that is drawing increased attention.
Art Conklin, director of the Center for Information Security Research and Education at UH, testified before the Federal Energy Regulatory Commission in January and a state legislative committee earlier this month. A key finding in both hearings was the lack of clear accountability for dealing with cyberattacks.
“We need to figure out how we can assure people we have the right protections in place,” he said. “There’s no set of rules that says, do XYZ and we’ll be safe.”
In fact, he said, there’s no guarantee any regulations can prevent every attack. With prevention not possible, the goal is for the system to be resilient, or to quickly recover from an attack.
Joe Straus, speaker of the Texas House of Representatives, charged lawmakers with identifying and addressing potential gaps in cybersecurity policies before the Legislature convenes in January. Conklin, along with representatives of state regulatory agencies and utility companies, addressed the issue at an April 5 meeting of the House Committee on Urban Affairs and the Committee on Government Transparency and Operation.
Conklin told the legislators that any proposals should be flexible. “Government cannot pass a law that’s going to fix it,” he said. “Hackers don’t obey the laws. There is no way to have enough laws to keep up.”
UH educational and research programs in cybersecurity and cyber defense have been recognized by the National Security Agency and the Department of Homeland Security, one of just three universities in Texas with the dual designation. In addition, Conklin last fall was named principal investigator for a $1.1 million federal grant to improve security for critical energy infrastructure, an area of expertise for the UH College of Technology faculty.
The details of recommended legislation will be determined by a working group, expected to be appointed later this spring. But Conklin said the fact that legislators have recognized the issue already is a win.
A few states in the Northeast began to consider infrastructure resiliency after Hurricane Sandy, but Conklin said Texas has an advantage over other states: It has an independent electric grid, overseen by the Electric Reliability Council of Texas and responsible for 85 percent of the state’s electric load. Other states are part of multi-state grids, making it more difficult to set regulations.
“Texas has the opportunity to be leading the way on this issue,” Conklin said.
Federal standards were tightened after a 2003 blackout affecting 50 million people across the Northeast and Midwest lasted for several days, blamed on a combination of equipment failures and human error.
“We’ve come light years since 2003,” he told legislators before describing a December attack that cut power to more than 220,000 people in Ukraine, thought to be the first cyberattack to knock a power grid offline.
“Are we subject to that type of attack? Could it happen to us?” he asked. “The protections we have in place would not prevent what happened in Ukraine.”
Not all utility systems are equally prepared, he said, although all are at risk. And all would need to recover quickly in the event of an attack.
While federal regulations have established some frameworks for protecting the grid, Conklin said the Legislature would have to clearly define responsibilities for regulators, companies and other parties. A set of usable, clearly defined rules to ensure system resiliency is needed, and this is something that the working group can help create, he said.