With a compliance deadline for new federal utility cybersecurity standards looming, utilities around the U.S. are assessing and addressing risks -- at least for bulk power grids.
But security for local power distribution grids may be getting overlooked in this rush to meet the standard.
The standard is commonly referred to as NERC CIP. (The longer version is the North American Reliability Council’s Critical Infrastructure Protection standard, v5.) It’s designed to strengthen regional resilience to cyberattacks by ensuring that power delivery companies operating along the transmission system follow best practices in cybersecurity.
NERC CIP has done a huge amount to protect the bulk electric system (BES). But it only covers part of the threat, said Justin Lowe, a cybersecurity expert with PA Consulting.
“The standard addresses the most critical assets of the BES, but a lot of utilities haven’t been looking as hard at the rest of their grids, leaving key areas of the grid unprotected,” said Lowe.
That threat was made clear last November, when NERC hosted a mock attack as part of GridEx III.
GridEx brought together more than 4,400 individuals from 364 North American utilities, law enforcement and government agencies to simulate a coordinated physical attack.
According to a report on the exercise released in March, the simulated attack highlighted needed improvements to distribution-system cybersecurity. These include better communication and information sharing between (and within) organizations and agencies; simpler fail-safe operation; and clearer priorities for re-establishing power after a major outage.
In a separate 2015 simulation of a massive (but technologically possible) cyberattack, called Business Blackout, Lloyd’s of London found that 15 U.S. states could be plunged into darkness under the right conditions. While power could be restored within 24 hours to many parts of the grid, some parts might remain without power for weeks -- especially due to local distribution grid issues.
Distribution grids contain many of the same kinds of assets found on transmission grids. While the regulatory oversight differs for transmission and distribution, the line between the two is blurry.
It will take careful analysis to distinguish whether part of an information technology (IT) and operational technology (OT) system sits within the NERC footprint, said George Gamble, a cybersecurity expert with PA Consulting.
“Electronic access control and monitoring systems can be deeply connected, not only within utilities, but between business and operational systems. A smaller utility might share some equipment with a larger utility through the use of a jointly owned substation, and there might be physical and logical access to each other’s sites and systems,” said Gamble.
This requires many utilities to look beyond NERC CIP to consider vulnerabilities more holistically.
There are some unique challenges to securing local grids. Smart metering systems represent one of the most acute cyberattack vectors to distribution networks. And utilities that moved earliest on smart meter rollouts may face the greatest vulnerabilities.
Starting in 2009, many major smart meter deployments were expanded through matching grants from the American Reinvestment and Recovery Act. The rush helped grow the smart meter market -- but it also left many potential gaps.
“This influx of funding led to many immature products hitting the marketplace,” said Gamble. “Some of these products lacked important security functionality, such as robust encryption and access control, as the rush to deploy meant there wasn’t sufficient time to design in security.”
Smart grid deployments that received stimulus grants were required to implement an initial security plan. They also received annual government security reviews during the grant period. But after this, many utilities relaxed their cybersecurity practices -- especially lagging on updates and patches to smart grid systems and communications, as well as connected internal systems in IT, OT and business departments.
With over 100 companies getting stimulus grants for smart grid and AMI meters, “It’s probably an area of concern for boards and senior managers in the way smart grids are operating at this point,” said Gamble. “The issue also applies to more recent smart grid deployments where there is little regulatory requirement to be ‘secure by design.’”
Many municipal and cooperative utilities are flying under the radar of NERC CIP entirely, since they only have distribution grid assets.
“State utility commissions are starting to look at what’s escaping NERC CIP,” said Lowe. “Utilities should be getting ahead of the curve on distribution grids and getting their strategic plan in place. Otherwise you’ll just be constantly playing catch-up and have difficulty keeping pace with the rising security threats.”
Smart grid and AMI deployments pose a challenging threat vector because they are so deeply connected to other systems throughout many utility departments: business, IT and OT.
Cyber intrusions are often opportunistic. Vulnerabilities become exploitable when a layered defense is not properly implemented and maintained.
According to Lowe and Gamble, the solution for many of these threats -- at all levels of the grid -- is proper understanding and management of the risk together with control implementation and monitoring of people, processes and technology.
“Appointing someone with responsibility and accountability for security is the place to start, as this cuts across the organization,” said Lowe. “It needs to happen at the executive level.”
This shift is starting to happen.
“The trend we’re seeing is that utilities are moving from firefighting compliance mode, to an enterprise risk-based cybersecurity group focused across OT and IT, with top-level leadership,” said Gamble. “This way, compliance becomes an output of security, rather than a driver.”
Meanwhile, employee retirements are creating another challenge. The steady turnover of utility technical and security staff is starting to have a profound impact on cyber and physical security.
As utility personnel depart, the people assuming their responsibilities typically do not bring the same knowledge of how the systems all work together. New staff being hired for their cybersecurity expertise often come from different industries and may not have a deep understanding of how utilities function.
Orienting staff to the various departments and processes can instill a broader sensitivity to operations as well as security.
This applies to all staff throughout a company. In their work developing a security program for one utility, PA Consulting devoted an entire training track to risk management.
“The key is creating ‘security by design’ -- learning how to embed risk-thinking into everyday activities,” said Lowe.
“Realizing how security risks add up across an organization is essential,” said Gamble. “Often these risks rise from, and are seen as, technical problems; however, human aspects or business processes are a significant part of the solution.”