NERC CIP Cybersecurity Risk Management: Being Proactive in 2017
Proactive Cybersecurity Efforts
While the recent report that Russian hackers infiltrated an electric utility system in Vermont proved false, hacking of the utility grid remains a very real threat. Consider the Vermont scenario a warning, not a fluke. Who can forget the Ukraine utility grid cyberattack?
FERC Releases Threat Analysis Report
FERC (Federal Energy Regulatory Commission) regulators continue to take Critical Infrastructure Protection (CIP) cybersecurity management seriously. They recently issued “Transforming the Nation’s Electricity System: The Second Installment of the Quadrennial Energy Review” (QER) to help electric utility systems better understand some of the threats facing them.
Threat Environment: Cybersecurity + Extreme Weather
“The emerging threat environment, particularly with respect to CIP cybersecurity and increases in the severity of extreme weather events, poses challenges for the reliability, security, and resilience of the electricity sector, as well as to its traditional governance and regulatory regimes,” the QER report says.
Regulators & Utilities Both Admit Enhancements Needed
Translation: FERC Regulators know they’ve got some work to do, too.
However, never forget the ultimate responsibility lies with those managing the electric utilities across the United States.
Risk Management: Data Analytics Key To Success
The QER report spells out some regulatory expectations – including making it clear that risk management is the foundation for any effective program. Data analysis is an “important part” of today’s utility grid management, the report says, but the granularity, speed, and sophistication of operator analytics will need to increase.
In addition, distribution and transmission level planning will need to be integrated, the report adds.
CIP Cybersecurity Landscape: Evolving Vulnerabilities vs. Slow-Moving Defense
Today’s NERC cybersecurity landscape is characterized by “rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures,” according to the report.
Physical Threats Acknowledged
The QER also recognizes that utility grid owners and operations are required to manage risks from a “broad and growing range of threats.” Threats come in several shapes and sizes, such as physical attacks or a wide range of localized threats based on time of year, e.g. a massive December snowstorm in Minnesota or an August hurricane in Florida.
Voluntary Cybersecurity Framework
A Department of Energy guidance released in 2015 contains valuable information designed to help utilities understand the challenges of cybersecurity. It also includes details on a voluntary Cybersecurity Framework that consists of standards, guidelines, and practices to promote the protection of critical infrastructure.
FERC Regulators + Utility Managers Work Together
The QER also acknowledges some problems can only be addressed adequately if FERC regulators and utility compliance managers work together.
There are several other important issues for industry to confront, including:
- The lack of security-specific technological and workforce resources
- Challenges associated with multi-jurisdictional threats and consequences.
Technology: Double Edged Sword
The increasing use of technology continues to parry a double-edged sword for those in the electric sector. While it is attractive because it can increase efficiencies, QER notes also that its increasing use further expands the “grid’s vulnerability to cyber-attacks by offering new vectors for intrusion and attacks, making cybersecurity a system-wide concern.”
Real World Technology Example: Electric vs. Hand Operated Car Windows
Here’s one way to express that mixed bag: Most cars today have electric window controls. They are more efficient and easier to use – until they break. In that case, a trip to the car repair shop becomes mandatory. In the past, hand rolled windows, while not offering that level of convenience, would rarely stop working at the same time and would also be generally easier to repair.
— AssurXEnergy (@AssurXEnergy) January 19, 2017
Conclusion: The Cybersecurity Threats Are Serious
Even as CIP cybersecurity threats loom larger and larger, there remain a number of other security challenges facing the utility grid, the report says. For example, the time scales of power balancing have shifted from daily to hourly, minute, or second-to-second to millisecond or millisecond at the distribution end of the supply chain. This reality can result in transmission congestion and must be carefully monitored and controlled.
An increasingly bewildering array of cybersecurity threats continue to put pressure on electric systems to update their risk management programs to try to anticipate hacks. It is incumbent on all NERC compliance management professionals involved in electric system, reliability, security and resilience to utilize best practices and the latest tools like AssurX to preserve, protect, and defend against cybersecurity hackers and all other threats.
New AssurX NERC Cybersecurity Compliance Solution
Stay tuned for an exciting announcement about a new cybersecurity patch management solution that will be soon be offered as part of the AssurX Energy & Utilities Enterprise Management platform. This new solution will provide an additional layer of defense against cybersecurity threats.