SUPPORT ELECTRIC GRID SECURITY THROUGH
STRATEGIES THAT INCLUDE MANDATORY STANDARDS,
INFORMATION SHARING, AND STRATEGIC PARTNERSHIPS
"There has been a lot of talk over the years about hypothetical dangers of a cyber Pearl Harbor, and it's certainly become a bit of a cliché in cybersecurity circles. I would argue, however, that the threat of a catastrophic and damaging cyberattack in the United States critical infrastructure like our power or financial networks is actually becoming less hypothetical every day.
Foreign cyber-actors are probing Americans' critical infrastructure networks and in some cases have gained access to those control systems. Trojan horse malware that has been attributed to Russia has been detected on industrial control software for a wider range of American critical infrastructure systems throughout the country. This malware can be used to shut down vital infrastructure like oil and gas pipelines, power transmission grids and water distribution and filtration systems."
– Admiral Michael Rogers, Commander, U.S. Cyber Command and Director, National Security Agency
It's no secret that America's power grid is a prime target for cyberattacks, which creates enormous challenges for the electricity sector. The majority of Americans receive electricity that is generated at centralized power plants, then delivered through a complex system of transmission and distribution lines – making an attack on any one of these services extremely disruptive to a large number of Americans.
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. In November 2017, NERC released a long-term strategy that acknowledged: "Global threats in physical and cybersecurity are creating new challenges for the electricity sector, and both policymakers and the public are increasingly aware of and concerned about these threats. The security landscape is dynamic, requiring constant vigilance and agility. The ERO Enterprise <the informal affiliation of NERC and eight Regional Entities for the purpose of coordinating goals, objectives, metrics, methods and practices across statutory activities> supports grid security through a comprehensive series of strategies involving mandatory standards, information sharing, and strategic partnerships."
But they also warn, "NERC’s mandatory critical infrastructure protection standards are a foundation for security practices and they provide universal baseline protections. However, due to the ever-evolving nature of cyber threats, security cannot be achieved through standards alone. Additional resources and capabilities are required to respond to an ever-changing threat landscape."
In June 2013, President Obama initiated a quadrennial cycle of energy reviews to provide a long-term strategy for United States energy policy. The Quadrennial Energy Review (QER) is developed by twenty-two (22) federal agencies with a stake in energy.
The second installment of the report was released in January 2017 and included the following:
"The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities juxtaposed against the slower-moving prioritization and deployment of defense measures. This gap is exacerbated by difficulties in addressing vulnerabilities in operational technologies that cannot easily be taken offline for upgrades, and the presence of significant legacy systems, as well as components that lack computing resources to incorporate new security fixes. Also, any operational changes must be implemented by the thousands of private companies that own and operate electricity infrastructure. Sector transformation based on a two-way flow of energy and information between grids and consumers brings to the foreground the importance of Federal Government engagement in helping to manage and mitigate vulnerabilities inherent in 21st-century modernization (read the entire chapter here)."
"While cyberattacks on the U.S. grid and affiliated systems have had limited consequences to date, attacks elsewhere in the world on energy systems should be seen as an indicator of what is possible. Threats can emerge from a range of highly capable actors with sufficient resources, including individuals, groups, or nation-states under the cloak of anonymity. The 2015 cyberattack on the Ukrainian electric grid was the most sophisticated cyber incident on a power system to date. On December 23, 2015, Ukraine experienced widespread power outages after malicious actors remotely manipulated circuit breakers across multiple facilities in a series of highly coordinated attacks. The event compromised six organizations, including three electric distribution companies; disconnected seven 110 kilovolts and 23 35-kilovolt substations (which would straddle Federal and state jurisdiction in the United States); rendered equipment inoperable; overwhelmed the call center with a denial-of-service event to prevent people from reporting outages; and left 225,000 without power for 1 to 6 hours."
Evidence:
United States. National Security Agency. "Hearing of the House (Select) Intelligence Committee Subject: 'Cybersecurity Threats: The Way Forward.'"
Witness: Admiral Michael Rogers, Commander, U.S. Cyber Command and Director, National Security Agency. 20 Nov 2014
"About NERC." North American Electric Reliability Corporation. 27 June 2018
"ERO Enterprise Long-Term Strategy." North American Electric Reliability Corporation. November 2017
United States. Department of Energy. "Quadrennial Energy Review: Transforming the Nation's Electricity System: The Second Installment of the QER."
January 2017
"The number of constituencies at federal, state, provincial, and local levels that are focusing on resiliency, security, and reliability is also growing. This increases the need and importance of accurate, coordinated, and timely information sharing between the electric industry and government."
"Interoperability standards, in particular, have the potential to enhance cybersecurity. Improved tools, analytic methodologies, and demonstrations would serve to clarify the circumstances where improved interoperability can improve grid cybersecurity by standardizing security solutions such that utilities can select ‘plug-and-play’ options to mitigate cybersecurity issues. To this end, there is a role for the Federal Government to facilitate state and utility adoption of interoperability standards that provide high societal net benefits through providing high quality and trusted information to decision makers."