NERC, FERC and Ukraine: A perfect storm brewing for the US?
January 12, 2016 | By Barbara Vergetis Lundin
A series of cyberattacks on the Ukrainian electric grid, starting on December 23 of last year and continuing for several days, is a reminder that a 2005 federal law designed to protect the electric grid in the United States has never been comprehensively implemented -- making the U.S. grid increasingly vulnerable to foreign cyberattack.
In October 2014 and again in December 2014, the U.S. Department of Homeland Security (DHS) released alerts informing electric utilities of the risk of infection by "BlackEnergy" malware, reportedly originating in Russia. According to DHS, BlackEnergy malware is capable of taking over electric grid control systems. This same BlackEnergy malware was later used in 2015 to remotely open breaker switches and grid substations to cause the blackout in Ukraine. In order to restore power, substation switches had to be manually closed by on-site technicians.
What implications does this have for the United States? According to the North American Electric Reliability Corporation (NERC): none. "There is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident," a NERC spokesperson said.
However, the Foundation for Resilient Societies disagrees, noting that 10 years after Congress passed a law with the intent of protecting the U.S. electric grid from cyberattack, electric utilities increasingly rely on the public internet for critical communications, including those between grid control rooms and transformer substations. As a result, foreign entities have been able to implant malware into the U.S. electric grid. Worse, no current or proposed federal regulation requires encryption or other cyber-protection of grid communications with substations. Electric utilities continue to use critical equipment and communications that are inherently not cyber-secure.
In November 2014, the Foundation for Resilient Societies filed a notice on a docket of the Federal Energy Regulatory Commission (FERC) asking that specific cybersecurity provisions of federal law be implemented.
In September 2015, in a filing on FERC Docket RM15-14-000, Revised Critical Infrastructure Protection Reliability Standards, Resilient Societies again asked FERC to require cyber-protection of communications between electric grid control rooms and substations -- a request which is still pending.
The 2003 Northeast Blackout, affecting a population of 55 million from Michigan to New York City, caused Congress to pass a system of mandatory security regulations for the high voltage transmission network of the U.S. electric grid. The Energy Policy Act of 2005 contained specific provisions to require "communications networks" used for the electric grid to be protected against "cybersecurity incidents." As part of the Energy Policy Act, Congress designed a hybrid regulatory system whereby grid reliability and security regulations would be set and enforced by a private nonprofit corporation, NERC. Congress also decided grid security regulations would be reviewed and approved by an existing economic regulator of long-distance transmission systems, FERC.
The current version of NERC cybersecurity standards, CIP-005-5, specifically exempts "Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters." Instead, "Electronic Security Perimeters," or cybersecurity fences, are established around control centers and grid substations. Newer cybersecurity standards requested by FERC would still exclude many electric grid substations from mandatory cyber-protection.
"The U.S. electric grid and other critical infrastructures are cyber-vulnerable. Many nation-states know that and may already have footholds in our critical infrastructure networks -- Russia, China, and possibly even Iran are examples," said Joseph Weiss, managing partner at Applied Control Solutions and an expert on industrial control systems used for electric grids.
"The NERC Critical Infrastructure Protection (CIP) standards provide compliance to programmatic standards. As the NERC CIPs do not provide actual grid cybersecurity, the NERC CIPs would not have prevented the multiple cyber-related electric outages that have already occurred. Moreover, as the NERC CIP process is public, our enemies are aware of the gaping cyber-holes in our electric grid systems."