The Federal Energy Regulatory Commission has agreed to evaluate the potential risk of a coordinated cyberattack on geographically distributed targets on the electric grid, as recommended by the U.S. General Accounting Office. The North American Electric Reliability Corporation has pushed back.
Prompted by a 20-month U.S. General Accounting Office (GAO) analysis, the Federal Energy Regulatory Commission (FERC) is launching a two-part review of U.S. grid cybersecurity.
The Commission will evaluate both upgrading its approved cybersecurity standards, and applying more stringent standards to geographically distributed grid assets that are at “potential risk of a coordinated cyberattack.”
“Cyberattacks on industrial control systems have disrupted foreign electric grid operations,” notes the GAO report, helpfully providing a definition from the National Institute of Standards and Technology (NIST):
Industrial control systems are typically network-based systems, and include supervisory control and data acquisition [SCADA] systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.”
Many types of grid assets are geographically dispersed, and may be controlled by an industrial control system. These may include gas pipelines that feed gas-fired generators, as illustrated at the bottom of the featured image; grid substations that are controlled by SCADA systems; solar power plants each controlled by a power plant controller; and distributed solar and storage resources that may be controlled by a distributed energy resource management (DERM) system, a technology many utilities are evaluating. Substations were targeted in a 2015 cyberattack on Ukraine. (GAO’s report did not consider nuclear reactors, for which cybersecurity standards are issued by the Nuclear Regulatory Commission.)
GAO raised the concern that “a cyberattack could target, for example, a combination of low-impact systems, each affecting a generation capacity below 1,500 megawatts that, in aggregate, might present a significant risk to the grid.” The most stringent cybersecurity standards approved by FERC currently apply only to generating units of at least 1,500 MW, and to “systems used by and located at certain control centers,” explained GAO.
GAO’s analysis has prompted FERC not only to review whether certain grid assets should be subject to more stringent FERC-approved cybersecurity standards, but also to review the cybersecurity standards themselves. The standards review follows an unflattering GAO comparison of FERC-approved standards with NIST’s cybersecurity framework. In this table from the GAO report, showing a subset of GAO’s comparisons, any circle not completely filled-in indicates a deficiency:
The North American Electric Reliability Council (NERC)—which develops the cybersecurity standards that FERC approves—pushed back, however. NERC “has found substantially more overlap [with the NIST framework] than GAO found,” said NERC President and CEO James Robb in a letter provided in an appendix to GAO’s report. “The intended purpose of NERC’s mandatory standards differs from the NIST framework’s voluntary nature,” Robb added. “The voluntary nature of the NIST framework allows entities to customize protections for their particular needs depending on specific situations. NERC must ensure that each mandatory standard requirement is auditable and consistently implemented by electric organizations across the continent.”
FERC agrees; NERC evaluates
GAO made the following two recommendations to FERC, both of which relate to NERC:
“I believe that [GAO’s] recommendations are constructive,” said FERC Chairman Neil Chatterjee in a letter provided in an appendix to the GAO report, “and I have directed Commission staff to develop appropriate next steps to implement them.”
For NERC’s part, Robb said “we agree with” a concern “that low-impact systems may be more vulnerable to cyberattack.” He added that “NERC continues to evaluate the level of protections required for low-impact cyber systems, and the appropriateness of the existing thresholds for low-, medium-, and high-impact cyber systems. The threat of a coordinated attack against multiple low-impact cyber systems is a risk that NERC continues to monitor. We are evaluating whether the current bright line [assigning a lower impact rating to groupings of generation units below 1,500 megawatts] is appropriate given evolving risks to the system.”
“We recognize the importance of a secure and resilient grid,” said Jason Burwen, vice president of policy for the Energy Storage Association. “Indeed, that’s a key value that storage provides. We look forward to working with FERC, NERC, and other stakeholders to understand and address appropriate cybersecurity risks facing all grid resources.”
SunSpec Alliance Chairman Tom Tansy noted that a new standard for distributed energy resources, known as IEEE 1547-2018, mandates that these resources incorporate at least one standard communications interface, “presumably so that utility grid operators can monitor and control these systems remotely.” The Alliance “promotes the incorporation of cybersecurity technology into manufactured distributed energy resource components,” he added.
GridLab Executive Director Rick O’Connell said “From a cybersecurity perspective, this is another reason why I like [the option of] autonomous grid so much. If all the inverters are operating ‘autonomously,’ you can’t hack into the control system (like DERMS) and then suddenly control hundreds/thousands of inverters.”
Roles of the Department of Energy, and states
GAO also recommended that the Department of Energy “develop a plan aimed at implementing the federal cybersecurity strategy for the grid, and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.” The Department of Energy has concurred with the recommendation, saying that it is consistent with ongoing work that the department expects to complete by year-end 2019.
“State regulators generally oversee the reliability of distribution systems,” notes the GAO report, “and cybersecurity regulations related to the distribution grid may vary across states.” The report points to a 2017 cybersecurity primer for state utility regulators, by the National Association of Regulatory Utility Commissioners, as a guidance document, noting that “the primer highlights the NIST Cybersecurity Framework as well as the FERC-approved cybersecurity standards as helpful tools for utilities and state regulators.”
GAO’s study was requested in January 2018 by four members of the U.S. House of Representatives, all Democrats: Rep. Frank Pallone (D-NJ), chairman of the Committee on Energy and Commerce; Rep. Bobby Rush (D-IL), who chairs that committee’s Subcommittee on Energy; Rep. Jerry McNerney (D-CA); and Rep. Paul Tonko (D-NY).
GAO’s report is titled Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid. The agency conducted its study through analysis of federal reports related to grid vulnerabilities, interviews with industry experts and government regulators, and review of historical examples of grid incidents worldwide.