A U.S. grid clear of 2016 attacks is hardly worry-free — NERC

By Peter Behr | 06/16/2017 07:10 AM EDT

The interstate grid’s top regulators want a closer look at threats that could penetrate power companies and smart grid networks.

The interstate grid's cyber regulators want a closer look at sophisticated threats that penetrate power companies' unregulated business, computer and smart grid networks.

The interstate grid's cyber regulators want a closer look at sophisticated threats that penetrate power companies' unregulated business, computer and smart grid networks. Ian Muttoo/Flickr

The interstate grid’s top regulators want a closer look at threats that could penetrate power companies and smart grid networks.

The North American Electric Reliability Corp., in its "State of Reliability 2017" report, noted there were no cybersecurity attacks that took down parts of the U.S. grid in 2016, but NERC officials took little comfort in the conclusion.

"Nonetheless, grid security, particularly cyber security, is an area where past performance does not predict future risk," the report said. "In fact, the number of cyber security vulnerabilities continues to increase as does the number of threat groups" (Energywire, June 14).

Advertisement

NERC Vice President James Merlo told reporters yesterday that while the U.S. power sector remains unscathed, "the threat is greater than it’s ever been."

"The risk is really increasing every day," he added.

This year’s report notes the risk that attackers could enter power utility systems through front-office computers and then steal employee identities to pivot into the control rooms or other operating arenas. That was the strategy attackers used to take down three Ukraine power utilities in 2015 (Energywire, July 18, 2016).

Merlo said the mandatory cybersecurity rules overseen by NERC require the absolute separation of regulated power company operating systems from business systems to prevent a crossover cyber contamination.

Regulated companies are also required to report cyberattacks that trigger power losses.

But the report notes, "The mandatory reporting process does not create an accurate picture of cyber security risk since most of the cyber threats detected by the electricity industry manifest themselves in the enterprise environment (email, websites, smart phone applications, etc.), rather than the control system environment where impacts could cause loss of load and result in a mandatory report."

Risk profile map graphic. Image credit: North American Electric Reliability Corporation
The solid numbered circles in the North American Electric Reliability Corp. “heat” map denote the current state for each risk area based on the likelihood of the issue occurring across a wide part of the interstate power grid, and the potential impact. | Wilkinson Barker Knauer LLP

NERC said occasionally its cyberthreat-sharing portal, the Electricity Information Sharing and Analysis Center, gets voluntary notifications that malicious code was found on a power company employee’s workstation or that an attack was detected against a company website.

The next step, NERC says, is the rollout of its Cyber Automated Information Sharing System (CAISS), now in pilot testing. Developed with the Energy Department and its national laboratories, it is intended to capture, screen and compare computer system data from both corporate business and control systems to detect malware, NERC said. CAISS is an automated, machine-to-machine program for sharing cyberthreat signatures among authorized industry companies. It is scheduled to be operational at the end of this year, NERC said.

The "State of Reliability" report is a backward look at the interstate power grid’s performance in keeping power flowing, with analyses of outages due to weather, operator error, physical or cybersecurity attacks, or other events.

Another NERC report issued last November looked ahead at trend lines in various risks to grid reliability.

In preparing this report, a NERC advisory committee queried industry executives’ views of emerging threats and issues demanding more attention.

"Many utilities commented that natural gas currently serves as the base load fuel for their areas, heightening the need for greater focus on gas infrastructure in order to identify potential risks to the BPS [bulk power system]," NERC said.

"Although several industry leaders acknowledged that NERC has no jurisdiction over markets, there is a growing concern that the existing markets do not accurately reflect products necessary to support the new resources being integrated today," the report said.

For example, several U.S. grid regions where renewable power is replacing fossil or nuclear plants may not have adequate market incentives to ensure availability of essential grid services like emergency generation ramp-up, or voltage and frequency stability that the older plants now provide, according to the report.

"A continued theme from 2015 is some leaders are concerned about a workforce shortage, such as protection and control engineers. The aging workforce has been a consistent theme throughout the years, and some leaders provided support for continuing to monitor this risk," the report said.

A shortage of trained engineers and technicians could be a critical factor in a cyberattack that disabled communications between control rooms and substations, forcing operators to bring power back up manually (Energywire, June 12).

Some industry leaders urged NERC to give a greater priority to defenses against an electromagnetic pulse (EMP) attack, particularly an atmospheric nuclear explosion delivered by missile or satellite that could cause widespread grid outages, the organization’s report said. NERC and the Federal Energy Regulatory Commission have developed and approved a defense program against damaging ground currents from a massive solar flare, but not from a similar, potentially much more damaging EMP attack.