Safety Standards: New initiatives for countering cyberthreats to the US grid

Preparing the grid against cyberattacks and intrusions is a key challenge being faced by the US government and grid operators. While advanced automation technologies and digital controls have helped improve the grid’s operational efficiency, they have also made it vulnerable to cyberattacks. The US Federal Bureau of Investigation has rated cyberattacks as the primary threat to the national grid, eclipsing physical damage that may be caused by acts of terrorism or vagaries of nature. A large-scale cyberattack on the grid can trigger multi-day blackouts over vast regions, disrupting the supply of essential services and costing billions of dollars in economic damages.

Cyberattacks have become a greater threat to grid security than traditional physical threats. They are less predictable and more difficult to diagnose and overcome, owing to the complexity of the grid and the nature of the attack. According to the Federal Energy Regulatory Commission (FERC), sabotaging just nine of the 55,000 substations spread across the country could shut down the US power grid for over a month. As per a recent report, the US power grid is struck by a cyber or physical attack once every four days on average. Cyberattacks could cost the US economy as much as $1 trillion.

Minor cyberattack incidents are already being reported. The Center for Strategic and International Studies and the IT security firm McAfee reported that small-scale network infiltrations occur frequently in the critical sectors of power, oil and gas, and water. While it is nearly impossible to design a foolproof cybersecurity plan, given the rapid pace at which cyberthreats evolve, the industry and policymakers have been focusing on ways to most effectively manage risks, minimise their impact and recover from them.

DoE initiatives

The Department of Energy (DoE), through its Office of Electricity Delivery and Energy Reliability, has been helping utilities address the cybersecurity issue through several initiatives. Since 2010, the DoE has invested over $100 million in cybersecurity initiatives.

Such initiatives include facilitating public-private partnerships (PPPs) to accelerate cybersecurity efforts; funding research and development (R&D) projects for the development of cybersecurity technologies; supporting the development of cybersecurity standards; sharing threat information; advancing risk management strategies; supporting incident management and response; and augmenting the cybersecurity workforce within the power sector.

So far, the government’s cybersecurity strategy has focused primarily on prescribing mandatory standards through the North American Electric Reliability Corporation (NERC), the FERC-designated electric reliability organisation. In January 2008, NERC developed the first version of the Critical Infrastructure Protection (CIP) cybersecurity reliability standards, which have since undergone several revisions in line with the changing technological environment. In November 2013, the fifth version of the CIP reliability standards was approved. Further, in response to FERC’s Order No. 791, NERC submitted seven new reliability standards in July 2015. The proposed reliability standards address the cybersecurity of the country’s bulk electric system (BES) and aim to improve the existing CIP reliability standards:

  • CIP-003-6 (security management controls)
  • CIP-004-6 (personnel and training)
  • CIP-006-6 (physical security of BES cyber systems)
  • CIP-007-6 (systems security management)
  • CIP-009-6 (recovery plans for BES cyber systems)
  • CIP-010-2 (configuration change management and vulnerability assessments)
  • CIP-011-2 (information protection)

In February 2014, the government also approved and released a set of voluntary guidelines prepared by the National Institute of Standards and Technology (NIST) to help organisations evaluate, prioritise and improve their cybersecurity capabilities. Further, FERC has proposed approving NERC’s implementation plan and the associated violation risk factor and violation severity level assignments. It also proposes to approve the retirement of reliability standards CIP-003-5, CIP-004-5.1, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1 and CIP-011-1.

The following is a summary of some of the key initiatives of the DoE:

Mandatory NERC standards

Under the supervision of FERC, NERC develops and enforces CIP cybersecurity standards that apply to the bulk power system, including the generation and transmission segments. NERC’s rules and regulations are aimed at requiring utilities to protect specified parts of the grid in specified ways. Utilities owning assets that meet the CIP criteria must undergo recurring compliance audits, with the penalty for failure being as high as $1 million per day of non-compliance, at the auditor’s discretion.

The first version of NERC’s CIP standards had its origins in the Federal Power Act passed in 2005, while the subsequent versions have largely been responses to FERC’s Order 706, the Mandatory Reliability Standards for Critical Infrastructure Protection, issued in 2008.

Versions 1, 2 and 3 of the CIP standards gave utilities leeway to develop their own risk management processes for determining which of their generators, transmission assets or control centres should be considered critical and, therefore, subject to mandatory CIP controls and audits. These earlier versions omitted several cybersecurity basics such as penetration testing, encryption and software security, and many utilities erred by excluding assets from their risk management processes. The subsequent versions address security controls more comprehensively. With the fourth version, approved by FERC in 2012, NERC introduced “bright line criteria”, which removed that leeway by giving utilities fixed cut-off points for determining critical systems and complying with the CIP standards. The latest version (5) of the CIP standards covers many more systems by requiring utilities to categorise all their bulk assets as high, medium or low impact.

To help ensure compliance with the standards, NERC also conducts an exercise called GridEx that involves North American bulk power system owners and operators, as well as the relevant government agencies, to test NERC’s and the power industry’s crisis response plans. The exercise also serves as an opportunity to enhance collaboration and strengthen industry security processes and capabilities.

Voluntary guidelines

The Framework for Improving Critical Infrastructure Cybersecurity, developed and released by NIST, is one of the key elements of the government’s efforts to ensure cybersecurity. The NIST cybersecurity framework is a voluntary, risk-based framework that includes a set of standards, guidelines and practices to help organisations manage cyber risks. It provides a common language that organisations, regulators and customers can understand to create, guide or assess cybersecurity programmes.

In addition, the DoE released cyber procurement guidelines in April 2014 for building cybersecurity protections into the design and manufacturing of energy delivery systems. The Cybersecurity Procurement Language for Energy Delivery Systems Guideline focuses on perceived vulnerabilities in the industry’s procurement process including those in software use and account management of energy delivery systems such as supervisory control and data acquisition (SCADA) and other automation tools that are becoming the norm as utilities modernise their grids.

Public-private partnerships

The DoE’s cybersecurity initiatives include several ongoing collaborations with a number of public and private partners including the Department of Defense, the Department of Homeland Security (DHS), private industry, and energy sector stakeholders. The department initiated the Cybersecurity Capability Maturity Model (C2M2) programme, which establishes PPPs for improving organisational cybersecurity capabilities. The C2M2 model focuses on the implementation and management of cybersecurity practices associated with the use of IT and operational technology assets. The goal is to support the ongoing development and measurement of cybersecurity capabilities within an organisation.

The Electricity Subsector C2M2 (ES-C2M2) and Oil and Natural Gas Subsector C2M2 (ONG-C2M2) models are also part of the C2M2 programme. ES-C2M2 includes a maturity model that comprises a common set of industry-vetted cybersecurity practices that are grouped into 10 domains based on their maturity level. It also includes an evaluation tool that enables organisations to assess their cybersecurity practices against best practices.

Another key DoE initiative in the area of PPPs is the National SCADA Test Bed (NSTB), which was set up in 2003 to help the industry and the government in identifying and correcting vulnerabilities in SCADA equipment and other control systems that form a critical component of the energy delivery systems.

In addition, the DoE designed and launched the Cybersecurity of Energy Delivery Systems programme in 2007 under the framework provided by the Roadmap to Achieve Energy Delivery Systems Cybersecurity. The roadmap was initially developed in 2005 by the DoE in collaboration with the industry, DHS and Natural Resources Canada, and was updated in 2011 by the Energy Sector Control Systems Working Group, another PPP between the government and industry sector experts.

Through the programme, the DoE co-funds and supports core industry-led R&D projects aimed at improving the cyber intrusion detection, remediation, recovery and restoration capabilities of energy delivery systems and cyber-physical interfaces. The industry-led project teams work closely with NSTB labs and other private sector partners to develop and commercialise tools and technologies that can make a real and immediate impact on energy sector cybersecurity.

In addition, to promote PPPs, the DoE facilitated the setting up of the National Electric Sector Cybersecurity Organization (NESCO) in 2010 through funding awarded to the Electric Power Research Institute (EPRI) and EnergySec. NESCO is an independent PPP that brings together utilities, government agencies, regulators and academics working to strengthen the cybersecurity of the country’s power sector. NESCO focuses on cybersecurity R&D to identify and disseminate effective common practices, and organises the collection, analysis and controlled release of information on infrastructure vulnerabilities and threats. EPRI serves as the research and analysis resource for NESCO.

Challenges and the way forward

Ensuring cybersecurity for the power grid is increasingly becoming a national issue in the US. NERC’s CIP standards have been successful in making utilities more aware and more secure. However, they have often been criticised on the grounds that compliance does not guarantee security and that they distract utilities from making more effective security investments. Nonetheless, the CIP standards provide a useful baseline for cybersecurity and will remain a part of the US government’s core cybersecurity strategy in the coming years.

The NIST framework has also been criticised for not giving organisations enough incentive to actually adopt its voluntary standards. However, the framework provides a workable approach to protecting bulk transmission. Although the guidelines are not binding, they provide a baseline from which cybersecurity structures can be built within organisations.

Financing investments in cybersecurity is a key challenge being faced by utilities. So far, several utilities have found the investments required for complying with NERC standards to be prohibitive. Moreover, state regulators have been reluctant to approve rate hikes to help utilities recover their investments. Government leadership is required to help regulators better evaluate such investments.

Going forward, there is a need for the government to create more incentives for the continual improvement and implementation of cybersecurity standards as well as for encouraging companies to exceed minimum standards and share information about threats quickly.