Recent actions initiated by top U.S. officials and agencies demonstrate a consensus that growing cyber threats to critical U.S. T&D infrastructure are not hallucinatory bogeymen we can ignore. First came the president's executive order, issued May 1, stating that foreign threats to the nation’s bulk power system (BPS) represent a national emergency. This was followed by a jointly issued alert dated July 23 from the National Security Agency (NSA) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recommending immediate protection of operational technology (OT) in critical infrastructure. Finally, also in July, new NERC CIP-013 cybersecurity supply chain risk management standards went into effect. Does our industry now have a handle on the seriousness and breadth of the threat?
A recap of the above actions may provide additional insight. Executive Order 13920 identifies "near-peer foreign adversaries" who possess the cyber capability and integrated plans needed to cause localized, disruptive effects for days to weeks on critical infrastructure such as electric systems and natural gas pipelines. The order contains four directives to address these threats, including identifying existing at-risk equipment on our BPS, resolving the risk or replacing the equipment, developing rules for future BPS equipment purchases, and establishing procurement policies for federal energy infrastructure.
Envisioning serious immediate risk to the nation's OT and industrial control systems (ICS), another national level cybersecurity reminder occurred on July 23 when the NSA and the CISA jointly recommended actions to protect internet-accessible assets. Remote and outsourced asset management/maintenance, the inability to fully protect some legacy systems against malicious cyber activities, and off-the-shelf technology that identifies OT assets connected via the internet were implicated for dangerously increasing U.S. vulnerability. The alert contains useful recommendations for risk mitigation, including putting an OT resilience plan into effect, having backup plans and systems, practicing incidence response, pursuing increased system hardening, creating an "as-operated" OT network map, and implementing a continuous system monitoring program.
The third cybersecurity reminder/motivator was the implementation in July of the NERC's CIP-013 cybersecurity supply chain risk management standard (C-SCRM). This standard reinforces issues raised in E.O. 13920 with requirements for six new risk mitigating provisions applicable to all renegotiated and new BES related supply chain contracts. The requirements include mandatory contract language and technical and process controls regarding changing vendors; receiving notifications regarding vendor identified incidents, equipment vulnerabilities, and corrective measures; control over vendor remote access; and verification of vendor supplied software authenticity.
The term bogeyman is defined by Wikipedia as a non-specific personification or metonym for terror. Cyber threats certainly appear to qualify as real, modern-day bogeymen for our utilities and industries. Based on the above actions, we are receiving the message about the seriousness of the threat; but are we comprehending its breadth and taking sufficient corrective action? Recent intelligence reveals malware may be built into previously ignored hardware, or exist as sensors that can deliver faulty information, or manifest as backdoors of smart transmitters, and the list of potential vulnerabilities grows each day. Will the endpoint be conducting functionality tests for every piece of installed and new equipment that does not possess perfect credentials?
Some experts argue cyber risks have become so pervasive that a more holistic approach than the NERC CIP standards is warranted. They recommend adopting the international standard ISO/IEC 27001 as an added framework for information security management. The logic is this standard provides processes for an enterprise-wide information security management system — suitable for getting ahead of the growing reach of the NERC CIP rules and organizing security controls in areas clearly at risk, but unrelated to the BPS such as distribution assets, smart meters, DERs, and so forth.
Another noteworthy indication of sentiment that more can potentially be done to counter cyber threats is the FERC's June 18 white paper contemplating transmission incentives for utilities that complete cybersecurity enhancements that exceed the requirements of the CIP Reliability Standards. Commission staff suggest that an incentive-based kicker could help keep pace more effectively than regulatory standards alone with the rapid rate of change in technology and cyber threats.
The FERC's white paper contemplates a watershed change in the regulatory treatment of increasingly pivotal cybersecurity improvements made on distribution systems and grid components not covered by the CIP standards. Options include making cybersecurity investments eligible for: a higher earnings rate (ROE), construction work in progress, recovery of abandoned plant costs, and accelerated depreciation. Such treatment could transform some historically expensed costs to earnings opportunities. Comments regarding this white paper are due to the FERC on Aug. 18.
If U.S. utilities and industries are paying proper attention, recent actions are providing additional clear warnings that cyber threats are very serious and we must take increasingly comprehensive precautions or there will be a severe price to pay.