Regulators concerned about cybersecurity of electric grid
- By William Jackson
- Apr 08, 2009
The industry regulator overseeing the North American electric grid responded to reports about breaches in the grid’s information technology systems by saying that so far it has seen no problems.
“Though we are not aware of any reports of cyberattacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of,” the North American Electric Reliability Corp. (NERC) said in a statement released today. “NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyberthreats.”
But that statement came one day after Michael Assante, NERC’s chief security officer, expressed concern that power generators and transmission organizations might not be paying adequate attention to security requirements for their critical cyber assets.
The physical power grid and its control systems are designed to be robust and capable of withstanding failures of multiple elements without interrupting the power load or causing instability. “But, as we consider cybersecurity, a host of new considerations arise,” Assante said in an April 7 letter to industry stakeholders. “Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations.”
Risks include a failure or disruption of controls or services or even their deliberate misuse, he added.
In a self-certification compliance survey for the second half of 2008, a surprisingly large number of companies and operators reported that they had no critical assets, which Assante said is cause for concern. An industry audit of compliance with security standards is scheduled to begin in July.
NERC is an international self-regulatory authority for ensuring the reliability of the bulk electric power system in North America. It develops and enforces reliability standards, and under the Energy Policy Act of 2005, it has the power to fine violators as much as $1 million a day for standards violations.
Recent news reports have claimed that some electric grid IT systems have been breached and software inserted into the systems, and the intrusions have been traced to computers in Russia and China. However, no details of the alleged breaches have been released, and NERC could not confirm the reports.
“Cybersecurity is an area of concern for the electric grid,” NERC officials said in their statement. “There is definitely more to be done.”
NERC security standards state that the power generation and distribution system increasingly relies on cyber assets to support critical functions and processes. Therefore, NERC “requires the identification of and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the bulk electric system” through the use of a risk-based assessment.
The assessment for critical systems should cover:
- Control centers and backup control centers.
- Transmission substations.
- Generation resources.
- Systems and facilities critical to system restoration.
- Systems and facilities critical to automatic load shedding.
- Special protections for systems that support operations.
In determining what cyber assets are critical, evaluators should consider systems that use routable protocols for communication or are accessible via dial-up connections. The risks of cyberattacks are different from the type of attacks that grid operators might be used to dealing with, Assante wrote in his letter.
“The majority of reliability risks that challenge the bulk power system today result in probabilistic failure that can be studied and accounted for in planning and operational assumptions,” he wrote. “For cybersecurity, we must recognize the potential for simultaneous loss of assets and common modal failure in scale in identifying what needs to be protected. This is why protection planning requires additional, new thinking on top of sound operating and planning analysis.”
NERC is asking operators to take another look at their risk assessment methodologies and conduct a new evaluation of critical assets and associated cyber assets. Too many organizations are starting their evaluations with the assumption that no system is critical until it is proved to be so. Assante suggested that they reverse the process and assume that every system is critical until it can be demonstrated otherwise.
NERC plans a series of Webinars to educate organizations about security requirements and what they will need to do to demonstrate compliance with standards in the audits that will begin in July.
William Jackson is a Maryland-based freelance writer.