Cyber Security and the Grid: We’ll Leave the Lights on for You (If We Can)
The U.S. power grid plays a vital role in the nation’s health and welfare. The U.S. relies upon a consistent and continuous supply of electrical power to fuel transportation, power its industries, and sustain its healthcare system. Yet this critical asset is often taken for granted, even though just a minor disruption of the vast network of our power grids could have devastating impacts. The loss of power in even a small, isolated area can leave homes without heating or cooling, interrupt local businesses, and take down traffic control devices. A regional or national disruption could bring commerce and manufacturing operations to a halt or, even worse, disable critical care and surgical facilities. The ripple effects could mean catastrophic economic loss or loss of life. Furthermore, the short-term and long-term national security implications that would arise from an attack on our critical infrastructure would be significant.
The goal of this white paper is to provide a deeper understanding of the role of the grid in our critical infrastructure paradigm; the current grid regulatory scheme; and the technical and non-technical cyber threats facing the grid, including legal liability for operators.
As an introduction, we provide an overview of critical infrastructure and specifically, the power grid, as well as technical and non-technical issues facing the grid. Next, we offer an overview of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards that provide a regulatory framework. Finally, we address best practices, risk mitigation, risk transfer methods, and security risk assessments in the context of operations, IT operations, and compliance.
The original paper was authored by Joseph Abrenio, Christopher Folk, and Joel Gridley. The paper was published in the Journal on Terrorism & Security Analysis as well as the Journal of Science and Technology Volume 33.
The internet of things and cybersecurity: what does a lawyer need to know?
We live in an increasingly interconnected world with smartwatches, smartphones, internet-enabled vehicles, wearable biometric devices, and implantable connected devices, to name a few. In this age, we have shifted from a world in which the connected device was the exception to a new paradigm in which the standalone device is now the exception. The realm of interconnected networked devices is known as the Internet of Things (“IoT”). In this IoT world, information and privacy concerns are raised to new levels as the number of devices we use multiplies and their use becomes ubiquitous, meaning that either a breach or a loss of a device could compromise copious amounts of personal and private data. In a world where personally identifiable information (“PII”) exists in multiple permutations across a vast array of devices and media, cybersecurity is of paramount importance. While reports of identity theft and financial harm are pervasive, the advent of implantable medical devices raises concerns far beyond merely exposing data to theft, for in the medical technology field a cybersecurity breach could result in loss of life. With the pervasiveness of connected devices, we (as individuals) need to recognize the threats and vulnerabilities to our privacy and information. Similarly, companies must identify, assess, and mitigate these risks in order to limit unauthorized access to information and the resulting legal exposure.