Push on to protect utility supply-chain from cyberattacks
The utility industry isn't happy about the idea of mandatory standards, but federal regulators are weighing rules designed to deal with security vulnerabilities posed by technology installed throughout bulk power transmission networks.
The Federal Energy Regulatory Commission has scheduled a technical conference for Thursday to begin mapping out where new federal standards for utility supply chain cybersecurity might make sense.
The risks, experts agree, are enormous. On Dec. 23, the first power outage believed to have been caused by a cyberattack left 80,000 customers in Ukraine without power for six hours. The incident has drawn widespread attention from utilities and regulators around the world. Washington-based SANS ICS, in a report on the attack, said hackers likely caused the outage by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack.
In the U.S., the utility industry is gearing up to meet an April 1 compliance deadline for the latest North American Reliability Corporation standard, CIP 5, which includes cybersecurity requirements - but not specifically related to the utility supply chain. FERC's effort seeks to close this gap.
Last summer, FERC and NERC proposed seven updates to CIP reliability standards. These updates seek to address risks to industrial control system hardware, software, communications and services associated with bulk electric system operations; and also to develop new security controls for supply chain management.
In this proposed rulemaking, FERC noted, "These malware campaigns represent a new type of threat to the reliability of the bulk electric system, where malicious code can infect the software of industrial control systems used by responsible entities."
In public comments to FERC, a coalition of utility trade associations has opposed mandatory supply chain cybersecurity requirements.
"While the trade associations agree that CIP and cybersecurity risks form a high priority strategic matter for the electric industry, no events or disturbances have taken place that indicate a problem or emerging pattern or trend," the group said in a statement.
The coalition includes the Edison Electric Institute, the American Public Power Association, the National Rural Electric Cooperative Association, the Electric Power Supply Association, the Electricity Consumers Resource Council, the Transmission Access Policy Study Group and the Large Public Power Council.
According to Scott Aaronson, managing director of national security policy at EEI, the industry's preferred approach would be coordination across the industry, in collaboration with government and supply chain vendors, rather than the imposition of regulatory requirements absent that feedback.
The Ukraine attack, and other incidents, illustrate how the line between cybersecurity and physical security of assets is blurring - challenging the traditional division between information technology and operations technology within utilities.
As Aaronson observed, "I don't differentiate between cyber and physical threats anymore. We have a digital overlay for our physical infrastructure. We can operate the assets independently of that overlay if necessary, but far less efficiently. From a threat perspective, all physical attacks have cyber implications, and vice-versa. So response must be holistic."
Whatever emerges from the effort to craft new utility supply chain cybersecurity standards, EEI has identified four areas that it says deserve closest attention:
1. Information flow. It's crucial that accurate information about system and device conditions gets to the right people, from CEOs and government officials to field operators, instantaneously. The challenge is ensuring the accuracy of data from network devices, and the integrity and redundancy of communication networks.
2. Tools and technologies. Aaronson noted that many technologies developed by the federal government, especially for defense and intelligence, could be applied to improve situational awareness on bulk power networks. NERC's Electricity Information Sharing and Analysis Center is a hub of communication and collaboration in this effort.
3. Incident response. "This is about resilience," said Aaronson. "With the Deepwater Horizon incident, all of the other oil companies said, 'That's not our well, not our problem.' But the power grid is one big machine with thousands of owners and operators. We all have a vested interest in mutual resilience. If one of us is hit by a cyberattack, the rest of us need to kick in to support the response, like a bucket brigade. This can be organized through partnership at a very high level, involving CEOs and top administration officials."
4. Cross-sector coordination. Supply chain cybersecurity involves more than just electric utilities. Active cooperation with related sectors such as manufacturing, telecom and transportation/warehousing is key. Coordinating councils could support this goal.
Whether FERC and NERC push forward on supply chain cybersecurity standards remains to be seen. But such standards would not address cybersecurity in local distribution networks, where vulnerabilities also exist.
In the meantime, utilities may work to strengthen their corporate policies on supply chain cybersecurity - perhaps building on industry and government initiatives, such as Supply Chain Risk Management from the National Institute of Standards and Technology. State public utility commissions and local officials might also seek to regulate distribution network cybersecurity.