In August 2021, DNV published DNV-RP-0575, “Recommended Practice, Cyber security for power grid protection devices” https://rules.dnv.com/docs/pdf/DNV/RP/2021-08/DNV-RP-0575.pdf . The Recommended Practice is important as it was developed based on the results of a joint research and development project with Fingrid (Finland), Stattnet SF (Norway), and Svenska Kraftnet (Sweden) and used by T&D India following the Chinese cyberattacks. The NIST 800-82, NERC CIP, and the ISA IEC 62443 series of standards are public. Consequently, the DNV Recommended Practice is similar to the one issued by Mojtaba S. who is a an industrial security specialist for the Electric Industry of Iran (https://www.controlglobal.com/blogs/unfettered/iran-is-aware-of-electric-substation-cyber-threats-and-vulnerabilities).
When I left EPRI in 2002, I went to KEMA to start their control system cyber security program (DNV bought KEMA). KEMA (and now DNV) had many skilled personnel in SCADA and grid operations. One of the more important issues then, as should be now, is incorporating cyber security into SCADA procurement and operational specifications which already addressed the grid technical requirements.
As the Managing Director of ISA99, I was gratified to see DNV reference the ISA IEC62443 series of standards (except ISA 62443-4-2- the component cyber security specification, was not addressed), particularly as they are now horizontal standards (apply to multiple industries including electric). It is important to have the electric industry utilize these standards that go beyond NERC CIP compliance and address actual security.
The Recommended Practice is necessary because it addresses Operational Technology (OT) network security including patching, hardening, zones and conduits, secure remote access as well as programmatic elements. However, necessary as it is, the Recommended Practice is not yet sufficient.
To be sufficient, the Recommended Practice needs to address the Level 0,1 devices which have no cyber security, authentication, or cyber logging and the grid physics issues which can cause physical damage. As an example, the Recommended Practice identifies potential cyber security attack surfaces for protection devices and states that incidents exploiting these attack surfaces may, in the worst case, trip circuit breakers or prevent protective systems from working in the case of an actual fault. However, the worst case would not be to trip breakers or keep them from opening, but to reclose breakers out-of-phase causing an Aurora event with consequent physical damage (https://www.controlglobal.com/blogs/unfettered/not-all-cyberattacks-are-malware-incidents-it-didnt-take-any-lines-of-code-to-blow-up-a-27-ton-generator). Another example which is not addressed would be to manipulate grid equipment. We may be seeing such attempts with large Chinese-made power transformers with hardware backdoors (see https://www.controlglobal.com/blogs/unfettered/dni-identifies-chinese-transformers-as-cyber-vulnerable-risks-yet-doe-and-industry-ignore-the-threat/). Without authentication of the process sensors, it is not possible to know if the sensor values are coming from the transformer or “Beijing” which means it may not be possible to know if the grid is being manipulated until it is too late.
The Recommended Practice states that procedures should be put in place to guide the decision to manually shut down parts of the grid in the case of a serious cyber security incident. There are two problems with that recommendation. As there are minimal cyber forensics for Level 0,1 devices, how would you know a grid incident actually was a cyber event? The assumption that cyber security incidents will be readily detected as being cyber-related is questionable. Consider the June 2017 shutdown and restart of the petrochemical plant in Saudi Arabia with malware still in the safety systems – that incident had not been identified as a cyberattack when the plant was restarted. The same concern applies to Incident Response as it assumes that a cyberattack would be readily identified. Manual shutdown is meaningful when there is time make the decision before damage occurs. With Aurora, the damage occurs in milli-seconds, long before an operator can make decisions.
In conclusion, the Recommended Practice is valuable in having another set of recommendations for the OT networks and programs that serve as the front end of the electric grids’ facilities. But it’s not sufficient as the Recommended Practice does not address grid physics issues nor does it address the components that directly operate the grid. This gap can lead to critical grid vulnerabilities being exploited without adequate forensics which is unacceptable.
Joe Weiss
