It’s not just the cynics; a large number of the experts in our industry (maybe secretly) admit that it is practically impossible to prevent every possible security threat to our electric grid. The more important question is: Can we quickly detect, contain, mitigate and rectify any intrusion or damage?
In just a few weeks, the electric industry will be witness to a first of its kind test to help us determine how ready we actually are for a major disruption caused by an attack. Beginning on Nov. 1, the U.S. Department of Energy will run the Liberty Eclipse exercise to test the electrical grid‘s ability to recover from a blackout caused by cyberattack. This will be a real-world exercise conducted on an isolated island site off of New York to learn whether the blackstart procedures and systems in use today can effectively handle a substantial blackout caused by hackers. The exercise will include an evaluation of system operators’ ability to restore and energize a blackstart cranking path corrupted by a malicious intrusion. Here’s to the expectation that the exercise will go well.
Another kind of threat recently brought into focus is the use of drones to cause an attack. Immediately following the alleged use of a drone to bomb a foreign dignitary this summer, the Nuclear Energy Institute (NEI) issued a press release to assure everyone that nuclear power plants are extremely well protected against essentially any kind of aerial attack, including drones. Nuclear facility defenses include their construction using reinforced, high strength concrete; comprehensive physical security, protective strategies, including force on force training exercises and emergency response training and preparedness; data islanding and other cyber security defense strategies; and, unified response plans that include FAA, FBI and local law enforcement responses to possible aerial threats.
It appears that our nuclear plants are in good shape. The concern with drones, of course, is that these unmanned aerial vehicles (UAVs) have become extremely common and they have the ability to fly into, over and around areas that are not otherwise accessible. So the question becomes, how well protected from a drone attack are all of our other generating plants, transmission facilities and major distribution substations?
Ironically, drones are now being employed to provide useful situational awareness information to utilities and government agencies during response and recovery operations after storms, earthquakes, and floods. Unfortunately, that does not take away from the fact that drones may also be used for nefarious purposes or by people without common sense at any time in ways that could damage or destroy critical infrastructure. One consultant reports that utilities are addressing such potential threats to critical facilities by deploying frequency jamming security systems. While this approach may be effective and necessary, utilities rarely have control rights to the airspace above their facilities, so this is not a universal solution. At a minimum, utilities should be knowledgeable of local drone laws and Federal Aviation Administration (FAA) operator rules to ensure they are operating within the law.
Other measures being taken by utilities to address threats such as drone strikes should be addressed in their North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plans. NERC CIP-014 contains the physical security standards for critical substations and other bulk electric system (BES) infrastructure across North America. While utilities may not be able share the specific measures included in their plans for drone strikes, they may wish to allay public concern as the NEI has done by indicating plans are in place.
Back on the cyber front, the Federal Energy Regulatory Commission (FERC) issued Order No. 848 in July instructing NERC to expand CIP reliability standards to include mandatory reporting of cyber security incidents that could harm the BES. Apparently, a lack of cyber-related incident reporting under NERC’s current reliability standard for Cyber Security Incident Reporting and Response Planning (CIP-008-5 ) lead to FERC’s action. Regulators believe the order will engender a more proactive view of cyber security and enable a more effective evaluation of BES risk exposure. One observer indicated that this action aligns with industry best practices of adopting CIP models for risk-based, pre-emptive measures to protect the BES.
U.S. agencies are working with the power industry to test our security practices and procedures, shore up soft spots in our reporting and response protocols, and generally, help prepare for and respond to human initiated disruptions. The power industry may benefit from being more vocal about its training for and response plans against such attacks, potentially deterring some would-be idiots from acting. Sadly, we know in today’s world the threat of hackers, terrorists and idiots never goes away completely, but every day our industry gets better prepared for when they appear.