The top U.S. grid overseer said yesterday there are "no specific threats" to electricity reliability from the novel coronavirus crisis — but there may be pitfalls if the pandemic worsens.
The North American Electric Reliability Corp.'s report offers an unflinching look at how power utilities expect to fare in the coming months as they deal with the COVID-19 outbreak and related threats to the grid. The spring 2020 "Pandemic Preparedness and Operational Assessment" highlights some of the ongoing struggles that utilities are facing, from accessing adequate testing for essential personnel to dealing with hackers.
"The pandemic introduces a significant degree of uncertainly that is without precedent," NERC said. "Such uncertainty permeates an environment that is highly challenging even for the most prepared of industries."
NERC stressed in its report that it has not found "any specific threat or degradation to the reliable operation" of the grid due to the coronavirus, but there were several unique hazards due to the pandemic being a "people event."
One of the risks is that the loss of staff that operates and maintains the grid — either due to illness, family care issues or government-imposed restrictions — could cause such a severe hit to the workforce that "firm loads could no longer be served safely," jeopardizing electricity reliability, according to NERC's findings.
Workforce constraints could also limit the ability of utilities to provide help to one another under mutual assistance programs and could "extend the time necessary to respond to abnormal system conditions," NERC concluded.
In order to preserve the reliability of the grid, regulators and government agencies need to ensure testing is "available and streamlined for essential personnel," such as those who work in control centers, according to the report.
"Giving the testing for individuals working in control rooms, both in transmission and generation, for those key assets is what is being prioritized," said Matt Duncan, senior manager of resilience and policy coordination at NERC's Electricity Information Sharing and Analysis Center (E-ISAC). NERC sets and enforces physical security, cybersecurity and reliability rules for large U.S. power providers.
Duncan called testing an ongoing challenge and said NERC is working with the departments of Energy, Homeland Security, and Health and Human Services to solve the issue. While there has been some success, "we're going to continue to push at both the federal and state levels," said Duncan.
In a guide for control room operators released yesterday, DHS said that electric utilities and other critical infrastructure owners should consider keeping a "reserve force" that can be drawn on in the event "minimal staffing levels cannot be met." The guide also suggests creating a plan to use retirees, supervisors and other backup personnel with the skills to fill in at an operations center or control room if needed.
"Operations centers and control rooms often operate 24/7, depend on unique equipment, and require specially trained staff who are difficult to replace," DHS's Cybersecurity and Infrastructure Security Agency said in the report.
"We're working closely with all critical industries to guarantee their control centers stay operational as they work to keep America running," CISA Assistant Director Brian Harrell said in a statement.
DHS also said the industry should prepare for cyberattacks that are "pandemic-themed" and continue to patch and maintain cyber assets if there are workforce disruptions.
"Unfortunately, it's always cyber season when you talk about cybersecurity risks," and the COVID-19 era is no different, Duncan said.
He pointed to a recent "ransomware" attack on the information technology giant Cognizant, which provides services to several industries, including those in the energy sector, as something E-ISAC has been keeping an eye on. In addition to the usual ransomware tactic of encrypting victims' computer files, the "Maze" malware that reportedly infected Cognizant also steals internal data and threatens to release those files to the public if a ransom is not paid.
"While there are no indications that that has impacted reliability or security of the [bulk power system] and the industry, it's a great reminder for utilities in the U.S. and Canada to check in with their managed service providers and ensure that they're following those cyber best practices," said Duncan.
The hackers behind Maze have sparked a series of copycat attacks since coming on the scene late last year, including the "Ragnar Locker" ransomware that hacked into the Portuguese state petroleum company Energias de Portugal (EDP) earlier this month. The hackers claimed to have stolen more than 10 terabytes of the company's files — enough data to fill several laptops — and are holding them for ransom at more than $10 million, Bleeping Computer reported.
Duncan said the U.S. electric industry has been watching the EDP case "to see how adversaries are attempting to penetrate foreign electricity networks."
"As we have known from experience, a lot of the major [cyberthreats] will use other power grids around the world to deploy those types of tactics and techniques to North American systems," said Duncan.
He added that the electric sector has seen many of the same hacking campaigns that have plagued other U.S. industries during the pandemic, such as upticks in COVID-19-related "spearphishing" email messages. There also has been an increase in malicious activity against platforms that have been widely adopted as more people work remotely, such as Microsoft Office 365, conference applications like Zoom and Webex, as well as virtual private networks.
The Federal Energy Regulatory Commission recently approved NERC's request to postpone several upcoming reliability standards, including three that deal with cybersecurity. While industry leaders lauded the move, others were concerned that delaying the standards — particularly one that dealt with supply chain risk mitigation — would put the grid at greater risk of cyberattacks (Energywire, April 21).
Asked about the potential increased risks due to postponing the standards, Duncan said that many utilities are "already aggressively adopting the architectures needed to meet the standards and even go well beyond it."
Duncan said that deferring those standards is also allowing cybersecurity workers to "spend their time protecting their networks" as the move to a remote workforce has increased the surface area for cyberattacks.
"Thankfully, the electricity industry is very proactive in increasing its cybersecurity posture during this time," Duncan said.
E-ISAC has also seen a small increase in physical thefts at utility facilities, Duncan said, which could be "due to the current economic environment and high unemployment rates."
'Gray sky day'
The pandemic has already affected several power utilities' operations, based on anonymous case studies published in guidelines from the Electricity Subsector Coordinating Council, a group of electricity executives that meets regularly with the federal government to respond to grid emergencies.
In one incident, a generation control room operator nearing the end of their shift started coughing. When the employee came back 10 days later to begin their next work rotation, the cough remained — and the plant manager sent the worker home. Days later, the employee tested positive for the coronavirus, and two asymptomatic crew members self-isolated for 14 days. The plant shut down while the control unit was removed from service and deep-cleaned. The plant soon returned to operation, according to the ESCC document.
The ESCC guidelines are meant to offer a resource as states and local utilities navigate the pandemic. The report is a collaboration of investor-owned electric utilities, cooperatives and public power providers, and it lays out some of the direst possibilities that utilities have to consider to keep the lights on.
"We are trying to plan for the worst-case scenario, and the design basis for the scenario that we're using is to really push ourselves now to think about how bad this could be," said Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, which represents investor-owned utilities.
Right now, said Aaronson, power companies are considering what to do if they lost two in five workers for up to nine months without any outside support.
"What do you need to do as a company today to be completely self-sufficient with a 40% reduction in your workforce over the next nine months? And then anything that's short of that, you're prepared for," said Aaronson.
"Black sky days" is a term reserved for describing such a worst-case scenario for the grid. A "black sky event" could be a massive cyberattack that shuts off large sections of the electric system, or a terrorist attack that uses a powerful electromagnetic pulse to disable everything that uses electricity in its vicinity.
The electric industry is now in a "gray sky day" amid the coronavirus outbreak, Laura Schepis, director of national security at EEI, said at a National Conference of State Legislatures webinar on critical energy infrastructure earlier this month. The goal is to prepare now to prevent a "black sky day" from happening, she said.
One of the more extreme scenarios in the guidelines involves sequestering control center operators who have tested positive for the coronavirus in a single room to continue working. The guidance stressed that this is a last resort and should only be used when a utility can't meet minimum staffing requirements.
NERC's report suggested that some utilities are hesitating on whether to direct essential employees to shelter in place at critical facilities.
"In order to sequester them effectively, you need to test them before you put them into that controlled environment and test them throughout their time in the sequestered environment," said Schepis at the NCSL webinar.
Right now, many utilities are struggling to get tests.
Federal agencies and industry advocacy groups have repeatedly called on states and local governments to give a higher priority for testing operators for generation facilities and control rooms. Many of these groups have referenced DHS's guidance released earlier this month designating workers in the electric sector as "essential."
The National Governors Association sent a letter to all U.S. governors' offices late last month asking for states to place energy workers on a "priority access list" if the shortage of protective gear and COVID-19 testing continues. In early April, a group of electric industry stakeholders sent a similar request to eight national organizations representing state and local government leaders.
Grid operators are also considering whether to pull former employees out of retirement to address potential workforce shortages. In a recent COVID-19 FAQ from NERC and FERC, the grid regulators recommended bringing "capable" system operators back from retirement even if their certification is expired.
Jim Slevin, president of the Utility Workers Union of America, cautioned against this move, saying that "people can get badly hurt or even killed," as there may have been significant changes since the person last worked. Slevin said that those most vulnerable to the coronavirus are likely to be in retirement age and that taking someone out of retirement is "not feasible" and "putting a Band-Aid on a bad scenario."
So far there have been no reports of workers being taken out of retirement. Slevin said that the suggestion is a result of industry staffing levels decreasing over the years, and now electric utilities are trying to "fill in the void of a workforce that isn't 100%."
"It's bad that the virus may kill them," Slevin said. "To see somebody come out of retirement get killed because they're not up to speed on something — it could put them and their families at risk."