Cyber Mutual Aid for Electric Utilities – It Doesn’t Work

Mutual aid is an agreement through which other utilities offer their restoration services after natural disasters strike and cause widespread outages. The unwritten premise is that a natural disaster in one region won’t affect other regions so that utilities in the unaffected regions can provide restoration support.

Apparently, there is a desire to extend the mutual aid approach from natural disasters to include cyber attacks. Consequently, a Cyber Mutual Aid Workshop was held at West Point sponsored by the Army Cyber Institute, the Carnegie Mellon Software (CMU) Engineering Institute (SEI), and the Energy Infrastructure Security (EIS) Council. The Workshop report was issued by CMU SEI February 2018. I read the report after attending CyberEndeavor2018 in San Antonio June 20-21, 2018. According to the SEI report, "the Cyber Mutual Aid Workshop was intended to explore the interconnectedness of the North American Power Sector and possible sources of aid, should the sector fall victim to a cyber attack."

I believe the premise of cyber mutual aid is flawed for many reasons. First of all, what is mutual aid for a cyber attack? Is it providing technical resources to identify and remediate the cyber attacks? We haven’t been very good at doing this for IT networks. Is it providing replacement equipment if transformers, capacitor bank switches, valves, motors, etc. are damaged by cyber attacks? What happens if the replacement equipment is damaged by recurring cyber attacks? Where will you get the replacement equipment if it isn’t still manufactured in the US? How will you know the new equipment coming from “overseas” is not already infected?

If a utility in one region suffers a cyber attack against their operational systems, other utilities may be ready to respond with mutual aid. However, if another utility in a different region is cyber attacked the next day, every utility will have all available resources dedicated to protecting themselves as the vulnerabilities that were exploited against one utility can potentially be exploited against other utilities using the same equipment.

It should be evident the concern with mutual aid for the electric utilities is not with the IT networks, but the control system (OT) networks and control systems used to monitor, control, and ensure the safety of the equipment used in the North American Power Sector (and other sectors including DOD). Consequently, one would expect that experts on the grid/power plant monitoring (SCADA and DCS) as well as on substation and power plant control system/operations to the field device level would be involved.  After reviewing the Cyber Mutual Aid Workshop attendance list, it was not clear that experts on control systems down to the field level were included which is an all too common occurrence. 

Technical issues that need to be addressed before cyber mutual aid is credible:

- There have been more than 250 control system cyber incidents in the North American utility industry to date yet NERC and the utilities continue to state that cyber has not caused power outages which is incorrect (lack of adequate incident information sharing). How can there be mutual aid when there is denial and lack of actual cyber incident information sharing?

- The lack of control system cyber forensics and training for the power plant and substation engineers makes it difficult at best to identify upset events as potentially being cyber-related. How would know if there is “Cyber Pearl Harbor” if you can’t identify the Operational problems as being cyber-related?

- The focus of the Workshop was on the network (IT and OT Ethernet IP packets) rather than field devices and field device networks (e.g., sensors, actuators, and drives) before they become Ethernet packets. The lack of cyber security and authentication in process sensors leads to lack of authenticated situational awareness (there were no individuals nor even organizations that participated in the CMU exercise that are also participating in the ISA Task Group on field device cyber security). How can there be credible mutual aid when it is not clear that you recognize the operational problems as being cyber-related?

- The lack of addressing cyber/reliability interdependencies of control system equipment. Since the same control system equipment are used in multiple industries world-wide, an attack in one industry can have repercussions in other industries and regions.

Recommendations:

- Since the control system equipment used in the utility industry is the same as used by other industries and DOD, there needs to be cross-industry/DOD information sharing about control system cyber incidents as well as cyber threats and vulnerabilities.

- In addition to the senior executives and IT network experts that are generally invited to conferences such as the Cyber Mutual Aid Conference, engineers that understand the control systems and operations down to the field device level also need to be involved.

- There is a need to identify control system cyber security experts that can be part of cyber mutual aid programs. These experts can come from end-users (not just electric utilities), control system equipment suppliers, control system integrators/consultants, national laboratories, and DOD. As there are so few control system cyber security experts, there is a glaring need to create more. Most of the existing control system cyber security/OT training does not address the field devices and their networks.

- Consider my proposed approach of changing the paradigm for control system cyber security (https://www.controlglobal.com/blogs/unfettered/changing-the-paradigm-of-control-system-cyber-security/) so that we can get away from the losing “whack-a-mole” approach for control system cyber security.

Cyber mutual aid may be a good idea, but there is a lot of work ahead before it becomes a credible approach.

Joe Weiss