Utility/DOE data indicates sophisticated hackers have compromised US electric control centers

June 12, 2022
DOE’s Form OE-417 collects information from US utilities on electric incidents and emergencies. The OE-417 data cover the time span from 2000 through the end of February 2022 and so do not include any incidents since the start of the 2022 Russia-Ukraine War. Thirty-seven cyberattacks have been identified; four of them lasted at least one and a half days, and one lasted more than four months. There have been 150 “complete loss of view or control for more than 30 minutes” incidents reported since June 2018, several of which lasted from 4 to 25 hours. Moreover, at least 11 of these incidents led to demand losses of at least 80 MW and, in one case, to 130,000 customers losing power. In several incidents, utilities in multiple locations had “loss of monitoring or control” starting at exactly the same time and ending at exactly the same time. Given that it wasn’t weather or a common telecommunication provider issue, the only logical explanation is that a sophisticated attacker got simultaneous access to multiple utilities’ bulk control center SCADA systems and shut off monitoring (and possibly took control). It is not a stretch to say that our adversaries could be practicing for more impactful attacks at a time of their choosing.

Either the utility industry’s key data on grid reliability can’t be trusted or the grid is MUCH more insecure, and possibly compromised, than the U.S. Department of Energy (DOE), Federal Energy Regulatory Commission (FERC) or the North American Electric Reliability Corporation (NERC) have acknowledged. This concern arises from the data reported to DOE by the utilities using Form OE-417. The OE-417 data are input by the specific utilities addressing their specific incidents. Assuming the OE-417 data are correct and have been input correctly, there are many unexplainable incidents.

OE-417 Data

The Electric Emergency Incident and Disturbance Report (Form DOE OE-417) collects information from the utilities on electric incidents and emergencies. DOE uses the information to fulfill its overall national security and other energy emergency management responsibilities, as well as for analytical purposes. The OE-417 data cover the time span from 2000 through the end of February 2022 and contain only US utility data. Consequently, the data don’t include the period since the start of the 2022 Russia-Ukraine War or any “off-shore” cyberattacks. The OE-417 forms only address electric incidents and emergencies and so would not capture ransomware that does not cause grid incidents or emergencies.

Based on the OE-417 forms, NERC Lessons Learned, and my unclassified data, hundreds of actual power grid control system cyber incidents are not being disclosed. This includes the six grid cyber-related outages where power was lost to hundreds of thousands, or even millions, of customers for hours to days. I want to add a caveat that too many “grid OT experts” may not be aware that loss of SCADA does not equal loss of power; they are simply looking only at the attacks, not the consequences. One of the cases in my book, Protecting Industrial Control Systems from Electronic Threats, demonstrates this fact. A US utility had its SCADA system targeted and shut down for two weeks; however, they did not lose power. They were forced to manually operate their substations during this time as all SCADA communications were lost (similar to the 2015 Ukrainian grid cyberattack). In this case, because power was not lost, the utility chose not to inform local law enforcement, the electric industry ISAC, or the FBI. Consequently, this is one of many actual cases not included in the OE-417s.

Repeating, the OE-417 data are the utilities’ data, input by the specific utilities addressing their specific incidents. Assuming the OE-417 data are correct and have been input correctly, there are many unexplainable incidents.

Cyber attacks

There have been 37 cyberattacks identified in the OE-417s (only one publicly identified by NERC). According to the OE-417 data, four of those cyberattacks lasted at least one and a half days with one lasting more than 4 months. The long-term case was explicitly identified by the OE-417 as a suspected cyberattack.

Loss of monitoring or control

Another category is “Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 continuous minutes or more.” This category was added by DOE in May 2018. A control system losing monitoring or control capability is clearly a cyber incident, whether malicious or unintentional, and whether caused by the utility or by its telecommunications provider. Losing monitoring or control for more than 30 minutes is a major grid reliability incident. There have been 150 of these incidents reported since June 2018. None of these cases indicated that weather or the utilities’ telecommunications providers were a factor. Even though 150 is a big number, it remains very conservative: any case where view or control was lost for less than 30 minutes would not be reported, nor would any case that was not a “complete” loss of monitoring or control. Most of the incidents lasted between 30 minutes (the reporting threshold) and a few hours. However, several of these incidents lasted from 4 to 25 hours. Moreover, at least 11 of these “loss of monitoring or control” incidents led to demand losses of at least 80 MW, and one case led to 130,000 customers losing power. In another case that lasted 10 hours, more than 130 MW of load was lost. It is not a stretch to say that our adversaries could be using the approach of compromising monitoring or control to practice for more impactful attacks at a time of their choosing.

The caveat mentioned earlier about specific utility individuals submitting their cases to DOE comes into play with these cases. That is, there were several unexplainable incidents where utilities in multiple locations had “loss of monitoring or control” starting at exactly the same time and ending at exactly the same time. My first reaction was that someone from DOE must have made an input error and copied the same times from different utilities. However, that is not the case. In one of the cases, the utilities were in the same state and within a single Independent System Operator (ISO) jurisdiction, but the reports came from different utilities’ control centers. In another case, the utilities were in three different states with a different ISO. If it had been a telecom failure or attack, one would expect to see more than just these “few” utilities involved. Given that it wasn’t weather or a common telecommunication provider, the only logical explanation is that a sophisticated attacker, most likely for probing reasons as there was no indication the lights went out from these incidents, got simultaneous access to multiple utilities’ bulk control center SCADA systems and shut off monitoring (and possibly took control). As mentioned, one of the “loss of monitoring” cases resulted in loss of power to 130,000 customers. It is not a stretch to say that our adversaries could be compromising monitoring or control of grid control centers.
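The check described above (filtering the OE-417 rows to the “complete loss of monitoring or control” criterion, computing durations, and looking for rows from different utilities with identical start and restoration times) is straightforward to automate. The script below is an added example written for this page, not code from the original post or from DOE. The column headers follow the layout of DOE’s published OE-417 annual summaries as far as I recall it (an assumption), and every incident row is constructed for illustration; none is a real OE-417 entry.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the column layout of DOE's published OE-417 annual
# summaries (header names are an assumption; every incident below is invented
# for this example and is not a real OE-417 entry).
SAMPLE_CSV = """\
Date Event Began,Time Event Began,Date of Restoration,Time of Restoration,Area Affected,NERC Region,Alert Criteria,Demand Loss (MW),Number of Customers Affected
03/04/2019,14:05,03/04/2019,16:40,Ohio: Franklin County;,RF,Complete loss of monitoring or control capability at its staffed BES control center for 30 continuous minutes or more,0,0
03/04/2019,14:05,03/04/2019,16:40,Ohio: Cuyahoga County;,RF,Complete loss of monitoring or control capability at its staffed BES control center for 30 continuous minutes or more,0,0
07/19/2020,02:10,07/19/2020,03:30,Texas: Harris County;,TRE,Complete loss of monitoring or control capability at its staffed BES control center for 30 continuous minutes or more,Unknown,Unknown
07/19/2020,02:10,07/19/2020,03:30,Colorado: Denver County;,WECC,Complete loss of monitoring or control capability at its staffed BES control center for 30 continuous minutes or more,Unknown,Unknown
07/19/2020,02:10,07/19/2020,03:30,Georgia: Fulton County;,SERC,Complete loss of monitoring or control capability at its staffed BES control center for 30 continuous minutes or more,Unknown,Unknown
11/11/2021,22:15,11/12/2021,08:15,New York: Kings County;,NPCC,Complete loss of monitoring or control capability at its staffed BES control center for 30 continuous minutes or more,130,"130,000"
08/20/2021,05:00,Unknown,Unknown,Arizona: Maricopa County;,WECC,Complete loss of monitoring or control capability at its staffed BES control center for 30 continuous minutes or more,Unknown,Unknown
05/05/2021,12:00,05/05/2021,14:00,Florida: Dade County;,FRCC,Physical attack that causes major interruptions or impacts to critical infrastructure facilities,0,0
"""

TS_FORMAT = "%m/%d/%Y %H:%M"
LOSS_CRITERION = "complete loss of monitoring or control"


def _to_int(text):
    """'130,000' -> 130000; 'Unknown' or blank -> 0 (treated as not reported)."""
    try:
        return int(text.replace(",", "").strip())
    except ValueError:
        return 0


def parse_rows(csv_text):
    """Parse OE-417 summary rows into events with datetimes and a duration."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            begin = datetime.strptime(f"{row['Date Event Began']} {row['Time Event Began']}", TS_FORMAT)
            end = datetime.strptime(f"{row['Date of Restoration']} {row['Time of Restoration']}", TS_FORMAT)
        except ValueError:
            continue  # rows with 'Unknown' times cannot be compared; skip them
        area = row["Area Affected"].strip().rstrip(";")
        events.append({
            "begin": begin,
            "end": end,
            "minutes": (end - begin).total_seconds() / 60,
            "area": area,
            "state": area.split(":")[0].strip(),  # 'Ohio: Franklin County' -> 'Ohio'
            "region": row["NERC Region"].strip(),
            "criteria": row["Alert Criteria"],
            "mw": _to_int(row["Demand Loss (MW)"]),
            "customers": _to_int(row["Number of Customers Affected"]),
        })
    return events


def loss_of_control_events(events):
    """Keep only rows reported under the loss-of-monitoring-or-control criterion."""
    return [e for e in events if LOSS_CRITERION in e["criteria"].lower()]


def simultaneous_clusters(events, min_utilities=2):
    """Group events by identical (begin, end) and keep groups spanning
    at least `min_utilities` distinct reporting areas."""
    by_window = defaultdict(list)
    for e in events:
        by_window[(e["begin"], e["end"])].append(e)
    clusters = []
    for (begin, end), group in sorted(by_window.items()):
        areas = {e["area"] for e in group}
        if len(areas) < min_utilities:
            continue
        clusters.append({
            "begin": begin,
            "end": end,
            "areas": sorted(areas),
            "states": sorted({e["state"] for e in group}),
            "regions": sorted({e["region"] for e in group}),
        })
    return clusters


def long_events(events, min_hours=4):
    """Events lasting at least `min_hours` (the post flags 4 to 25 hour cases)."""
    return [e for e in events if e["minutes"] >= min_hours * 60]


def impactful_events(events, min_mw=80):
    """Events with a reported demand loss of at least `min_mw` MW."""
    return [e for e in events if e["mw"] >= min_mw]


if __name__ == "__main__":
    events = loss_of_control_events(parse_rows(SAMPLE_CSV))
    for c in simultaneous_clusters(events):
        print(f"{c['begin']} to {c['end']}: {len(c['areas'])} areas, "
              f"states={c['states']}, regions={c['regions']}")
    for e in long_events(events):
        print(f"long: {e['area']} {e['minutes'] / 60:.1f} h, {e['mw']} MW, {e['customers']} customers")
```

On the constructed sample this reports one cluster confined to a single state and NERC region and one spanning three states and three regions, mirroring the two patterns the post describes. Two things to check before trusting a match on real data: the summary does not carry an ISO column, so NERC region is only a rough stand-in for the ISO distinction, and the comparison is on the reported clock values, so confirm the dataset’s time zone convention before treating identical times across time zones as simultaneous.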

Like the Chinese transformer case, there has been no public comment from DOE on these simultaneous SCADA compromises.

Thus, there seems to be a significant gap between the electric industry’s publicly reported control system cyber incidents (fewer than 5) and actual control system cyber incidents (more than 500). The low number of reported grid cyber-related incidents can be attributed to how the electric industry defines a cyber incident (https://www.controlglobal.com/blogs/unfettered/control-system-cyber-incidents-in-electric-and-other-sectors-are-frequent-often-impactful-but-not-reported). According to the NERC definition (approved by FERC), a cyber incident has to be a cyberattack, and the definition only applies to high or medium impact systems. That is, the vast majority of the utility industry’s systems aren’t even covered by the definition of a cyber incident! Is it any wonder the public is not aware of grid cyber incidents other than ransomware? This lack of transparency extends to presentations at electric industry meetings and to last week’s RSA Conference, despite its numerous panels on critical infrastructure protection.

The NERC CIP approach indirectly assumes that cyber threat actors can’t read and lack imagination. The NERC CIPs publicly identify what equipment/systems are in scope (and, conversely, what is not in scope). Consequently, potential attackers know what is not being monitored or cyber protected. The NERC CIPs have multiple exclusions, such as electric distribution, power flows, control system field devices, and serial-based protocols. The NERC CIP process also implicitly assumes that cyber threat actors won’t learn from unintentional cyber incidents, from attacks such as Stuxnet or Triton, or from proofs-of-concept like the Aurora demonstration. The Chinese transformer event illustrates how attackers may have bypassed established cyber security protections (that is, they used their imagination) and NERC CIP requirements (that is, they read the NERC CIP requirements).

Conclusions

To reiterate, this is the utilities’ data. NERC’s perspectives seem skewed, perhaps from a tendency to concentrate on certain types of IT network incidents. DOE might help by providing appropriate guidance to address the frequent loss of monitoring or control of control center SCADA systems. When I brought up the initial OE-417 data to DOE, there was stunned silence. Loss of view or control at multiple utilities at exactly the same time cannot be summarily dismissed. Could it be that our adversaries such as the Russians, Chinese, or Iranians are probing our electric grid networks or worse?

Joe Weiss