A U.S. grid clear of 2016 attacks is hardly worry-free — NERC
The interstate grid’s top regulators want a closer look at threats that could penetrate power companies and smart grid networks.
The North American Electric Reliability Corp., in its “State of Reliability 2017” report, noted there were no cybersecurity attacks that took down parts of the U.S. grid in 2016, but NERC officials took little comfort in the conclusion.
“Nonetheless, grid security, particularly cyber security, is an area where past performance does not predict future risk,” the report said. “In fact, the number of cyber security vulnerabilities continues to increase as does the number of threat groups” (Energywire, June 14).
NERC Vice President James Merlo told reporters yesterday that while the U.S. power sector remains unscathed, “the threat is greater than it’s ever been.”
“The risk is really increasing every day,” he added.
This year’s report notes the risk that attackers could enter power utility systems through front-office computers and then steal employee identities to pivot into the control rooms or other operating arenas. That was the strategy attackers used to take down three Ukraine power utilities in 2015 (Energywire, July 18, 2016).
Merlo said the mandatory cybersecurity rules overseen by NERC require the absolute separation of regulated power company operating systems from business systems to prevent a crossover cyber contamination.
Regulated companies are also required to report cyberattacks that trigger power losses.
But the report notes, “The mandatory reporting process does not create an accurate picture of cyber security risk since most of the cyber threats detected by the electricity industry manifest themselves in the enterprise environment (email, websites, smart phone applications, etc.), rather than the control system environment where impacts could cause loss of load and result in a mandatory report.”
NERC said occasionally its cyberthreat-sharing portal, the Electricity Information Sharing and Analysis Center, gets voluntary notifications that malicious code was found on a power company employee’s workstation or that an attack was detected against a company website.
The next step, NERC says, is the rollout of its Cyber Automated Information Sharing System (CAISS), now in pilot testing. Developed with the Energy Department and its national laboratories, it is intended to capture, screen and compare computer system data from both corporate business and control systems to detect malware, NERC said. CAISS is an automated, machine-to-machine program for sharing cyberthreat signatures among authorized industry companies. It is scheduled to be operational at the end of this year, NERC said.
The “State of Reliability” report is a backward look at the interstate power grid’s performance in keeping power flowing, with analyses of outages due to weather, operator error, physical or cybersecurity attacks, or other events.
Another NERC report issued last November looked ahead at trend lines in various risks to grid reliability.
In preparing this report, a NERC advisory committee queried industry executives’ views of emerging threats and issues demanding more attention.
“Many utilities commented that natural gas currently serves as the base load fuel for their areas, heightening the need for greater focus on gas infrastructure in order to identify potential risks to the BPS [bulk power system],” NERC said.
