NERC recently completed a six-month self-certification compliance survey for critical cyber asset identification. It revealed that only 31% of grid owners had identified what NERC defines as critical assets and even fewer 23% had identified the critical cyber assets which could be used to manipulate them, said NERC VP and Chief Security Officer Michael Assante in a letter to approximately 1,500 bulk power industry stakeholders.
NERC acts as an advisor to the federal government in a regulatory role, creating and enforcing standards that govern grid owners and that are meant to maintain electricity reliability.
The bulk of those standards were in response to the massive northeastern U.S. blackout on Aug 14, 2003, just after 4 pm EDT.
The U.S. and Canadian grid experienced the largest blackout ever affecting an estimated 50 million people as over 61,800 mw of electrical load was lost in parts of Ohio, Michigan, New York, Pennsylvania, New Jersey, Connecticut, Massachusetts, Vermont and the province of Ontario, explained NERC in one of many reports generated since then.
Power was restored to most customers within hours but some areas of the U.S. did not have power for two days and parts of Ontario experienced rolling blackouts for up to two weeks due to a generation capacity shortage, reported NERC. The cost of the blackout was estimated between (US)$7-14 billion.
The cause? Branches hitting power lines in Ohio were blamed along with a massive lack of communication across regional grids to stop the cascading blackouts and vegetation management plays a key role in the NERC reliability standards.
But meanwhile security analysts and experts are worried about the smart grid.
Concerns about cyber-security were heightened when a front-page Wall Street Journal article cited national security officials reporting evidence of people from China, Russia and other countries possibly spies that penetrated the U.S. electrical grid to leave behind software programs that could be used for sabotage.
The author of that article, Siobhan Gorman was interviewed on the National Public Radio news show All Things Considered and reported that she wasn't urged by experts to track down that story that she went looking for risks to the grid. While the electric grid is an obvious target, it's connected to most facets of human endeavor, thus making it an attractive target for would-be cyber criminals, she explained. That interview is available via free online audio stream (https://tinyurl.com/dbcofu).
The espionage appeared pervasive across the U.S. and did not target a particular company or region, said her article, quoting a former Department of Homeland Security official who claimed a growing number of intrusions.
But was any harm done this time? Apparently not, according to a follow-up letter released by NERC, saying the firm doesn't know of any specific incidents that directly impacted reliability in North America.
Cyber-security is obviously a concern, a NERC spokesperson told us. It's important. It's a priority. Cyber-security is an ever-changing beast. That's what makes it unique.
NERC referenced a number of non-cyber-security system disturbances in a March 30 advisory, noting how single points of failure have resulted from events in the past five years, demonstrating how such failure can significantly affect the reliability (and) operability of the bulk electric system, sometimes over wide geographic areas.
NERC set standards last year requiring its U.S. and Canadian members bulk power companies of generally 100 kv and up to designate critical cyber assets. Those standards included installing network firewalls between administrative departments and electricity-flow controls plus employee background checks. The regulator is due to begin auditing compliance on July 1.
We must recognize the potential for simultaneous loss of assets and common modal failure in scale in identifying what needs to be protected, Assante wrote. This is why protection planning requires additional, new thinking on top of sound operating and planning analysis. Such results were not exactly a surprise, admitted Assante, because most of NERC's smaller registered entities don't own or operate assets that would be deemed among the highest priorities for cyber protection.
One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, added Assante in his letter, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once and from a distance. The majority of reliability risks that challenge the bulk power system today result in probabilistic failures that can be studied and accounted for in planning and operating assumptions.
For cybersecurity, we must recognize the potential for simultaneous loss of assets and common modal failure in scale in identifying what needs to be protected.
NERC defines critical assets as facilities, systems and equipment which, if destroyed, degraded or otherwise rendered unavailable, would affect the reliability or operability of the bulk electric system.
The bulk power system is designed and operated to withstand a severe single contingency, perhaps even multiple contingencies, without significant loss of customer load or risking system instability, noted Assante.
While that's been adequate for most expected or random events, as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations.
We, as an industry must also consider the effect that the loss of that substation, or an attack resulting in the concurrent loss of multiple facilities, or its malicious operation, could have on the generation connected to it, warned Assante.
Thus NERC requested that entities take a fresh, comprehensive look at their risk-based methodology and their resulting list of critical assets with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of owned or controlled assets but also their potential misuse by hackers.