- The Federal Energy Regulatory Commission is reconsidering how cybersecurity requirements are applied to bulk electric system assets, potentially moving away from prescriptive standards for broad categorizations of low-, medium- and high-impact facilities.
- Given the growth of distributed resources and the risk of supply chain hacks, “there’s a growing realization that maybe it’s not the right approach anymore,” FERC Chairman Richard Glick said Thursday at the commission’s annual reliability technical conference.
- Rather than automatically applying stricter security requirements to larger facilities, experts on the panel urged the development of standards based on risk assessments and the potential impact an attack might have. “Not all of these assets, despite their [size] categorization, are created the same,” Manny Cancel, senior vice president at the North American Electric Reliability Corp. (NERC), said at the reliability event.
NERC’s critical infrastructure protection (CIP) standards have been in force for more than a decade, and experts on Thursday’s panel acknowledged the hard work done to protect the bulk electric system. But the digitization of the grid, convergence of information and operational technology systems, and rise of distributed resources, has changed the threat equation, they said.
Typically, the most stringent security requirements have been applied to larger assets. High-impact facilities, such as large electric grid control centers, include resources 3,000 MW in aggregate or larger. Medium facilities include resources beginning at 1,500 MW in aggregate, while other assets on the bulk power system are considered low impact.
“We recognize there’s a need to re-look at this, in the context of the recent attacks,” Cancel said.
The SolarWinds software supply chain hack, for example, exposed about 25% of electric utilities to malware, according to NERC. The Colonial Pipeline attack began with ransomware on the company’s information systems, but ultimately led to the shutdown of the largest gasoline pipeline on the East Coast.
“This past year we’ve seen a step change increase in the volume and complexity of cyber threats, and this is clearly a trend that shows no signs of subsiding,” said Cancel. “These attacks demonstrated how a coordinated attack could compromise our systems and I think it really underscores the need for heightened visibility, more comprehensive logging of events, and potentially other controls that go across all asset environments.”
But security controls should be applied through a risk-based approach, he said, and one solution is increased visibility into networks through data monitoring and a broad rollout of sensors.
Cancel pointed to work the utility sector has done to roll out additional sensors and monitoring equipment, as part of President Joe Biden’s 100-day push to secure the grid. “We can get more visibility into the [operational] networks, to understand the threat and maybe inform the potential consequence,” he said.
“You can’t protect everything at the same level,” Ben Miller, vice president of professional services and research and development at Dragos, said at the technical conference. He advocated for more monitoring, and said NERC’s current regulations may overemphasize “prevention” and focus too little on “response, recovery and monitoring.”
“From my perspective, if you can’t protect [an asset], you should at least be able to monitor it,” said Miller. The way NERC rules for low-impact facilities are currently structured, he said, “that is not necessarily the case.”
“There’s a lot of implementation of perimeter controls and some other protective controls,” for low-impact facilities, said Miller, “but there’s not a concept around detection and monitoring of these systems, and in some ways the standards de-emphasize monitoring.”
According to Miler, about 70% of NERC’s CIP standards are focused on prevention and “everything else” is in the remaining 30%. “That is felt even higher within the low category where there simply isn’t good visibility into what is occurring in these environments.”
Improving visibility into assets smaller assets can help guard against attacks and mitigate their impacts, even when there are fewer protective systems in place.
Monitoring is “very important,” said Tony Hall, manager of the cyber infrastructure protection program at Louisville Gas and Electric and Kentucky Utilities. “Not all lows are created equal,” he said, referring to assets that may not be as well-protected. Categorizations should be reassessed on set timelines or when certain events trigger a review, he added.
“If you are focusing on traffic in and out, zero trust, things like that, that gains you some advantages, if you’re not protecting everything to the same extent,” said Hall.