The Critical Infrastructure of the U.S. has been at an ever-increasing risk of attack since 9/11. As the threat of cyber-attacks increases, so does the susceptibility of our nation’s electric grid. It is essential to protect the Power Grid because it is the foundation on which the country, including other critical infrastructure operates. An attack on the Power Grid could be debilitating and leave the country and other critical infrastructure systems vulnerable.
In 2014, 79 hacking incidents at energy companies were under investigation by the Department of Homeland Security (DHS). It has been reported that third-parties hacked their way into computer infrastructures at 37% of energy companies2. This typically occurs by specifically targeted malware from both domestic and international sources. This trend hasn’t been solely within the Cyber Sector as there have been numerous physical break-ins at critical substations around the country. In March 2015, attackers physically broke into PG&E’s Westpark Substation for two consecutive days and disabled supervisory control and data acquisition before damaging communication systems and other equipment.
This type of attack represents a new threat to the Power Grid, combining physical vulnerabilities with network-enabled threats. This evolution of threats are now becoming the norm for utilities, municipalities, and co-ops across the nation. It is imperative that these threats be deterred and prevented as well as having a plan that limits the impact of an attack and provides the ability to quickly recover.
Even though these attacks haven’t managed to bring about any outages in the US, the international power community had its first recorded outage caused by a cyber-attack this past December when a Ukraine electric utility experienced a malware attack, which caused a blackout for 80,000 customers in Western Ukraine. DHS stated that the “BlackEnergy Malware” used in the attack appears to have infected Ukraine’s systems via a corrupted Microsoft Word attachment. This is the same code that was detected at US facilities in 2014, but there were no successful disruptions of the grid.
One of our nation’s highest priorities for the past several years has been improving security for networks that control critical infrastructure through the development of cyber security standards that incorporates the energy, power, and chemical sectors. The responsibility of creating and enforcing these efforts in the power industry has fallen to the North American Electric Reliability Corporation (NERC), a non-profit agency operating under the Federal Energy Regulatory Commission (FERC). As the federally-designated Electric Reliability Organization (ERO) in North America, NERC develops and enforces mandatory standards that define requirements for reliable planning and operation of the bulk power system. The Critical Infrastructure Protection (CIP) standards provide a cyber security framework for the identification protection of Critical Cyber Assets that control or affect the reliability North America’s bulk power systems.
In previous versions of the NERC Reliability Standards, critical generation facilities, determined by their owner operator, were required to adhere to the NERC Standards. If any of those assets did not have any routable communication protocols, then they would be excluded from compliance with the Standards. This resulted in a large number of generation facilities being left out of the compliance obligation of NERC CIP; however, this has been changing. Each year NERC is expanding the requirements so that an ever increasing number of utilities will be required to be in compliance with at least some level of the CIP Standards in order to better protect the nation’s Power Grid.
NERC’s CIP Version 5 Standards represent a major change to the existing requirements. Within Version 5, NERC has defined a tiered impact rating system, which has classified the Bulk Electric System (BES) Cyber Systems into the categories of High, Medium and Low. The higher the classification, the more protections and controls the BES Cyber Systems are required to have. This allows NERC to bring more utilities into the mix without requiring them to adhere to all of the Standards.
NERC CIP relates to: (1) Generator Owner and/or Operators, (2) Transmission Owner and/or Operators, and (3) Distribution Providers, provided they meet the criteria set forth by the Standards. If a Transmission Owner or Operator owns an asset that can misoperate (i.e., “the failure of a Composite Protection System to operate as intended for protection purposes”)5 and impact the BES, then they would be classified as low-impact. Depending on other factors contained within the Standards, the Cyber Asset could be classified as a medium or high impact. For Distribution Providers, if they currently own an under frequency load shedding (UFLS) or under voltage load shedding (UVLS) system that can shed 300 MW, or have a Special Protection System relating to NERC’s requirements, then they would also be brought in as at least a low impact.
The addition of the lower tier classifications brings in utilities that would have previously been exempt from requirements. This is a trend that has been continuing since the initial inception of the NERC CIP Standards. With each new iteration of the Standards, the requirements for non-exempt utilities increases, and at the same time, other utilities are brought into NERC’s scope that were previously exempt from requirements.
While NERC is focused on the users, owners, and operators of the Power System (typically systems that are operated at 100 kV or higher), the cyber threat to utilities does not make such a distinction. There is a concern that a potential cyber-attack could start at a small or medium size utility, attacking their SCADA system, and then it could spread to a larger utility SCADA systems. The NERC Cyber Security Standards have been designed to protect the larger systems, but even the smallest utility needs to be vigilant and ensure that its SCADA system is secure. Industry groups, such as NRECA and APPA, are actively working with government agencies and NERC to address the continuous threat of cyber and physical attacks on small to medium size cooperative and municipal systems. The Rural Utility Service has also encouraged its borrowers to develop plans similar to what has been required by NERC since 2005, prior to the NERC Reliability Standards becoming mandatory and enforceable.
This highlights the need for utilities to begin to, or continue to, think about protecting their Facilities, and their assets inside those Facilities. Not only is it essential for the protection of the Power Grid as a whole, but eventually NERC’s goal is to bring all utilities into scope for the Critical Infrastructure Protection Standards. This will help NERC and other agencies in the mission to better secure the Power Grid against both cyber and physical threats. FERC has recently issued Order No. 822, requiring the Utility community to follow and to accurately protect their Critical Infrastructure from both Physical and Cyber threats based on the newly updated Version 6 of the Standards. This order from FERC builds on what is written in Version 5, by further clarifying and improving the requirements for High, Medium and Low impact entities. This is needed not only for the reliability of the delivery of electricity, but also for the safety in our communities.
For more information or to comment on this article, please contact:
Bill Bateman, Senior Project Manager | CONTACT
GDS Associates, Inc. – Marietta, GA
Also in this issue: GPNA