The electric grid is one of the most complex and important physical assets in the United States because all other sectors of the economy rely upon it to deliver essential services. Protecting those assets is increasingly important and challenging. Like many other forms of infrastructure, the physical assets that generate and deliver energy to our homes and businesses depend increasingly on the integrity and security of the information technology and the data that support them. Any disruption to that information or technology poses a significant threat to national security, the environment, the economy and our social well-being.
AEP benefits from strong executive sponsorship for all cybersecurity programs. An Enterprise Security Advisory Council, with representatives from each business unit and security management, is responsible for governance, implementation and operation of AEP’s cybersecurity program. In addition, physical security and cybersecurity management reports monthly to the chief executive officer, chief operating officer, chief risk officer and other executives on current and emerging security events and trends.
We protect our system by working with government, utility industry and non-utility industry partners to coordinate our efforts, sharing information and best practices, and staying current with emerging threats and risks. Further, we take actions to protect AEP’s information systems, technology and data that support our assets, infrastructure and business networks.
As we push cybersecurity deeper into the supply chain, we work with our vendors to help them build cybersecurity protections into their services, product design and manufacturing processes. In partnership with our procurement team, we developed a set of security requirements for our vendors that help us better protect the grid.
The Federal Energy Policy Act of 2005 gave the Federal Energy Regulatory Commission (FERC) the authority and responsibility to oversee the reliability of the bulk power system. Given this authority, FERC designated the North American Electric Reliability Corporation (NERC) to be the nation’s Electric Reliability Organization (ERO) to establish, monitor and enforce mandatory reliability standards. These mandatory standards include, but are not limited to, Critical Infrastructure Protection (CIP) cybersecurity standards. The first version of the CIP standards became enforceable in 2008 when FERC approved them and concurrently directed NERC to develop modifications to address specific concerns.
In 2016, a new version of the CIP standards becomes enforceable. This version expands protections against physical attacks and cyberattacks on the power grid. In 2015, NERC is expected to file another new version of the CIP standards (version 7) with FERC that will seek to further enhance the industry’s approach to infrastructure protection against physical attacks and cyberattacks.
AEP complies with cybersecurity standards for the Donald C. Cook Nuclear Plant through the Nuclear Regulatory Commission (NRC). The NRC is authorized by FERC as the cybersecurity regulator of nuclear power plants. AEP, in conjunction with other nuclear power operators, coordinates through the Nuclear Energy Institute for effective cybersecurity practices to address the NRC cybersecurity regulations.
AEP partners with a number of other utilities and the Edison Electric Institute to keep legislators and regulators informed about advanced cybersecurity functions. We regularly share our knowledge and expertise with others at the federal and state levels. Although there are no NERC CIP-type cybersecurity requirements at the state level, we are working with our state regulators to help them better understand these risks and how we manage them.
Our efforts to strengthen our threat detection and prevention capabilities go well beyond compliance, and we have been an industry leader in promoting private sector cooperation through our Cyber Security Operations Center (CSOC) threat and information-sharing program. This was initially designed as a pilot cyber threat and information-sharing center specifically for the electric sector and today is in full operation. The CSOC works with a leading defense contractor to leverage its experience and capabilities.
In 2014, the Department of Energy (DOE), as part of its Cybersecurity Risk Information Sharing Program, invested nearly $2 million in a platform that provides early warning of potential cyberattacks. AEP participates in this program. Since 2010, the DOE has invested more than $150 million in cybersecurity research, development and commercialization projects in which AEP has participated.
We work with a consortium of utilities across the country and the Electricity Subsector Coordinating Council (ESCC), a CEO-led industry group that meets three times a year with senior officials from the DOE, Department of Homeland Security, Department of Defense, White House, FERC and the Federal Bureau of Investigation. Outcomes have included deployment of tools and technologies to improve situational awareness and to develop coordinated plans to respond to an attack on the grid.
AEP also participates and shares threat information with our sector’s threat sharing organization, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The ES-ISAC establishes situational awareness, incident management, coordination and communication capabilities within the electricity sector through timely, reliable and secure information exchanges. The ES-ISAC, in collaboration with the DHS, DOE and the ESCC, serves as the primary security communications channel for the electricity sector and enhances the ability of our industry to prepare for and respond to cyber and physical threats, vulnerabilities and incidents.
All AEP employees must complete Security Awareness Training annually, covering physical and cybersecurity. In addition, we frequently communicate and educate our employees about their risk of being targeted. The training gives employees information and tools to help shield our data from threats as it travels across the AEP network. It also places a shared responsibility for security with employees and the company.
AEP will again participate in the GridEx III exercise in November 2015. Sponsored by NERC, the exercise brings together over 200 organizations, including NERC, industry and government agencies and participants from Canada and Mexico. GridEx is an example of the industry’s ongoing efforts to be proactive on cyber and physical security. It is the largest, most comprehensive effort addressing security by the electricity industry to date and serves as an example of the commitment of stakeholders to continuously improve physical security and cybersecurity defenses.