Protecting North America’s power grid is a thankless job. Day in and day out, the good citizens of the United States and Canada wake up with the assumption that when they get out of bed each morning and flip on the lights, the room will illuminate, the coffee pot will come to life and their mobile phone will have been fully charged. After all, we live in a modern First World society, where we have come to depend on timely and efficient power at our fingertips. In reality, that reliable electricity that we all enjoy has many people working around the clock to ensure its reliability, resiliency and security. Today’s grid operators are inundated with natural and man-made threats. As utilities tackle the monster of the moment, which is the evolving cybersecurity threat, we must not take our eyes off the more primitive threat.
Security threats to US grid
Electricity is perhaps the most vital of the critical infrastructures and key resources that support our society. The mission of the North American Electric Reliability Corporation (NERC) is to ensure the reliability of the North American bulk power system (BPS). While electric utility companies are responsible for administering the day-to-day operations of the electric grid, regulators such as NERC and the Federal Energy Regulatory Commission (FERC) are charged with the overall responsibility of ensuring reliability and security. NERC develops and enforces Reliability Standards, annually assesses seasonal and long?term reliability, monitors the bulk power system through system awareness, operates the Electricity Information Sharing and Analysis Center (E-ISAC) and educates, trains and certifies industry personnel. Normal everyday operations of the system are the responsibility of utility owners and operators.
Currently, the most significant reliability threat to the U.S. grid
During emergencies, NERC supports industry actions to respond, mitigate and restore the BPS to normal operation by facilitating effective information sharing and communication with and between NERC registered entities, government agencies and the media. This information is not focused on operational decision making; but instead provides utilities data, best practices and mitigation strategies to help recover from crisis. Obviously as a regulatory body, NERC must stay out of emergency response until the utility has best mitigated the threat or reliability issue.
Currently, the most significant reliability threat to the U.S. grid is associated with squirrels and balloons, and not religiously inspired terrorists. However – and more applicable to grid operators – we have recently seen noteworthy interest in disabling or destroying critical infrastructure. Coordinated attacks specifically targeting the grid are rare, but an attack by a disgruntled former employee, ideologically motivated activist, or a criminal stumbling across a “soft target”, could inflict significant damage. With an interconnected grid of over 450,000 miles of high voltage transmission lines (100 kV and higher) and over 55,000 substations (100 kV and larger), the targets of opportunity are endless.
|An attack by a disgruntled former employee, ideologically motivated activist, or a criminal stumbling across a “soft target”, could inflict significant damage|
Critical infrastructure protection
Critical infrastructure protection is a cyclical process incorporating prevention, detection, mitigation, response and recovery. The key to this protection is the identification of credible threats, which will assist energy companies in assessing risks and potential vulnerabilities (weaknesses) of their facilities. Once a threat has been thoroughly analysed, it is then possible to institute preventative measures to deter, detect and delay an attack. Of course, critical infrastructure protection planning must always include mitigation, response and recovery actions in the event an attacker is successful.
While the security of the grid is a shared responsibility between the government and the private sector, the primary responsibility rests with utility owners and operators. Utility security staff have a responsibility to ensure they are able to receive and act upon criminal intelligence and be prepared to identify risks and vulnerabilities associated with security threats. Any protection programme that is developed must be as efficient and cost-effective as possible, as budgets are limited and ratepayers are sensitive to wasteful spending. Effective security programmes rely on risk management principles and associated tools to establish priorities, allocate budget dollars and harden infrastructure sites. Physical security protection encompasses defensive mechanisms to prevent, deter and detect physical threats of various kinds. Specifically, these measures are undertaken to protect personnel, equipment and property against anticipated threats. Properly conceived and implemented security policies, programmes and technologies are essential to ensure a facility’s resistance to threats while meeting demand, reliability and performance objectives.
Unfortunately, many do not realise
Electricity industry physical security standards
Significant progress has been made in the electricity industry surrounding the issue of security. Unfortunately, many do not realise the amount of reports, guidelines, standards and assessments that have been developed for use. The industry has gone through multiple iterations of mandatory Critical Infrastructure Protection (CIP) Standards that focus on security protections. The CIP Standards, while not perfect, may be an example for other sectors to immolate. These standards are a minimum baseline for compliance and utilities should not assume that because they have a good compliance programme they are somehow immune from attack. In addition, many electric utilities undergo a sector-wide Grid Security Exercise (GridEx) every two years to hone their skills and provide updates to their security practices and policies. This is in addition to annual exercises mandated by the cyber standards. It is fair to say that the industry has been very responsive to the evolving security threat and the mandatory requirements found within CIP compliance.
As a result of the 2013 California substation attack that destroyed $15 million dollars in infrastructure, industry now has a physical security standard. This standard was created to protect the most critical transmission substations and control centres in North America. While protections vary, many utilities have upgraded their security measures to include concrete or non-scalable perimeters, robust access control, cameras, lighting and armed guards. It is highly likely that we will one day see similar standards put in place to better protect non-nuclear generation facilities, but only time will tell.
|Many utilities have upgraded security measures to include concrete perimeters, robust access control, cameras, lighting and armed guards|
The piece that the industry continues to struggle with is information sharing and the ability to quickly obtain actionable threat intelligence; an issue which has been combatted head-on through the sharing of security information amongst utility partners. Large utilities with the manpower and resources to address this initiative are changing the security model from reactive to proactive. If you understand your adversary’s tactics, intent, and capabilities, you can develop strategies to combat their attacks and better plan for future threats. Better, more proactive security, can be achieved through information sharing agreements and partnerships with other utilities, regulatory agencies and intelligence partners. Many utilities do not have the dedicated resources to dissect and aggregate this data and are thus unable to react appropriately, or wind up drawing inaccurate conclusions. As a result, the electricity sector is demanding more access to actionable intelligence and threat streams. With this added intelligence, utilities can better pinpoint threats to specific systems and focus efforts on system recovery and restoration. This will undoubtedly drive better, more informed responses to security incidents.
The FBI, DHS and the DOE have made considerable strides in improving information sharing,
Improving information sharing
Over the past few years, the FBI, DHS and the DOE have made considerable strides in improving information sharing and giving classified access to intelligence products such as bulletins, alerts and secret level briefings. These products have been used to mitigate threats, reduce risk and update internal security policies. Additionally, this data flow has enhanced communications between security teams, management and board members by providing authoritative threat warnings. This ultimately drives better investment strategies by more directly connecting security priorities with business risk management priorities. Unfortunately, utilities still see risks in sharing information with federal partners. Recently, the Washington Post released an article with a salacious headline falsely suggesting that the grid was hacked via Russian malware. Even after correcting the story, the question remains: who leaked the information to the Washington Post? Utilities all over the country were witnessing an information sharing failure.
We must assume that at some point in the future a North American utility will suffer from a planned and coordinated attack against electrical infrastructure. Have we looked at credible threats closely enough and did we prepare our people to respond, recover and communicate? As an industry, we will be judged and hard questions will be asked about how seriously we considered the threats and what we did to mitigate future attacks. Success will be determined by how quickly we are able to respond and the swiftness of system recovery. There is no doubt that security is an “all hands” approach by everyone involved.