A computer storing operating cost data for the
Midcontinent Independent System Operator Inc., power
network extending from the Midwest to the Gulf Coast
was compromised this summer. Within the past two
years, sophisticated cyber-attacks, whose colorful
names "Dragonfly" and "Energetic Bear" belie their
disruptive capability, gained access to U.S. and
European power networks. These and other recent
cyber intrusions highlight the persistent risk
confronting the U.S. electricity grid.
The source of a breach to the electricity system is
often closer than one might think. A survey of
global IT and IT security executives in the energy
industry released by Unisys this summer reveals a
majority of companies have had at least one security
compromise in the past 12 months leading to the loss
of confidential information or disruption of
operations. Most survey respondents said the breach
was likely caused by a negligent employee with
privileged access and that their firms'
cybersecurity programs had limited ability to ward
off attacks.
Elected officials and regulators have stepped up
efforts to address cyber intrusion threats. In
February of this year, the National Institute of
Standards and Technology (NIST) unveiled the
Cybersecurity Framework for reducing cyber risks to
critical infrastructure. The voluntary Framework,
with its origins in President Obama's February 2013
Executive Order, is intended to reduce cybersecurity
vulnerabilities through a risk-based approach to
improve cybersecurity practices. The Framework
provides a structure for industry and regulators
to develop better ways to protect the nation's
infrastructure to keep pace with changes in
technology, threats and other factors, and to
incorporate lessons learned.
At the national level, cybersecurity for the
electric sector has historically been the
responsibility of the Federal Energy
Regulatory Commission (FERC), which assesses the
Critical Infrastructure Protection (CIP) reliability
standards developed by the North American Electric
Reliability Corporation (NERC). Those
standards focus on the bulk, or interstate
transmission, portion of the electric system. Since
2007, FERC has shared responsibilities under the
Energy Independence and Security Act with NIST to
coordinate the development and adoption of smart
grid guidelines and standards, including those
directed at cybersecurity for the remainder of the
grid.
The electric power industry is the only critical
infrastructure industry in the U.S. with mandatory
and enforceable cyber standards. The Energy Policy
Act of 2005 gives FERC the authority to oversee the
reliability of the bulk power system. FERC must
approve all reliability standards or modifications
proposed by NERC. But FERC cannot modify proposed
standards; it can only direct NERC to submit a
proposed standard or modification or to change one
it finds unacceptable.
NERC works with electric power industry experts to
develop the reliability standards. This
collaborative process helps to assure that evolving
cyber standards are technically and operationally
sound. In 2008 FERC approved the CIP-002 through
CIP-009 standards to replace voluntary cyber
standards that had been in place. Since then, the
CIP standards have been updated regularly to
institute improvements and address evolving cyber
threats.
The CIP standards cover "Critical Cyber Assets,"
which are those facilities considered essential to
the operation of identified bulk power system
critical infrastructure. These assets include
control centers, control systems, transmission
substations and generators. Facilities designated
Critical Cyber Assets must receive full CIP
protections, such as cyber and physical protections,
cyber and physical access limitations, security
training for appropriate personnel and the
development and implementation of incident response
and asset recovery plans.
In order to provide a more efficient way to address
lesser-risk violations that were seriously clogging
the reliability process, FERC authorized NERC's
Find, Fix, Track (FFT) and Report program in 2013.
FFT procedures permit the streamlined resolution of
possible violations that pose a minimal risk to the
grid through informational filings. The FFT program
has been a success, enabling NERC to reduce issues
dating prior to 2011 by approximately 80 percent and
allowing NERC to focus its resources on issues
posing greater reliability threats to the electric
grid.
In the fall of 2013, FERC approved the most recent
improvements to the CIP standards. These
changes will require major undertakings for all
entities subject to the new rules. Signaling
its desire to tighten up cyber security protections,
FERC rejected a NERC-advocated recommendation to
move away from a "zero tolerance" violations
standard to a more flexible approach. FERC also
announced that all "Bulk Electric System (BES) Cyber
Assets," a newly defined term covering far more grid
assets than in the past, will receive some level of
protection related to the importance of the covered
facilities.
To determine the degree of required protection,
utilities must group facilities into "BES Cyber
Systems" according to the reliability role they
perform and then classify them as "High," "Medium"
or "Low Impact" based on the type of physical
facilities they are associated with, such as control
centers, transmission substations or generators.
High Impact BES Cyber Systems are required to
receive the most protections, Medium Impact BES
Cyber Systems receive fewer protections and Low
Impact BES Cyber Systems the fewest. FERC has
ordered that High and Medium Impact BES Cyber
Systems must meet the new compliance requirements by
April 1, 2016, and that Low Impact assets must be
compliant a year later. It is widely anticipated
that the expansion of requirements for Low Impact
BES Cyber Systems will be a costly and
time-consuming task creating greater regulatory risk
for noncompliance.
As long as the grid is data driven and internet
dependent, it remains vulnerable. Hackers and
terrorists will keep trying to breach the electrical
system. Regulators and the electric industry know
that prevention of cyber intrusions will require
constant vigilance and a strong and unremitting
commitment from all energy stakeholders.
Copyright © 1996-2014 by CyberTech, Inc. All rights reserved.
http://www.energybiz.com/article/15/01/cybersecurity-and-electric-grid