The 2018 NIAC Report does not address its own recommendations

Dec. 17, 2018
The 2018 President’s National Infrastructure Advisory Council (NIAC) report “Surviving a Catastrophic Power Outage – How to Strengthen the Capabilities of the Nation”, was issued December 2018. How can we respond and recover from catastrophic power outages when we continue to ignore the devices that can prevent “respond and recover”? How can we improve our understanding of how cascading failures across critical infrastructure will affect “restoration and survival” when we don’t know we have a problem?

The 2018 President’s National Infrastructure Advisory Council (NIAC) report “Surviving a Catastrophic Power Outage – How to Strengthen the Capabilities of the Nation”, was issued December 2018. NIAC was tasked to examine the nation’s ability to respond to and recover from a catastrophic power outage of a magnitude beyond prior experience. There were two overarching recommendations: 1) design a national approach to prepare for, respond to, and recover from catastrophic power outages and 2) improve our understanding of how cascading failures across critical infrastructure will affect restoration and survival.

Cascading failures generally do not involve damage to critical equipment (e.g., transformers, turbines, motors, etc.), certainly not wide-spread equipment damage and are short-lived (hours to days). As such, cascading failures such as the 2003 Northeast Outage, the 2008 Florida Outage, and the 2011 Yuma outages were short-lived similar to the 2015-16 Ukrainian cyber attacks as there was minimal critical equipment damage. NIAC was tasked to examine the nation’s ability to respond to and recover from a catastrophic power outage of a magnitude beyond prior experience. To me, this means wide-spread critical equipment damage leading to outages of many months not hours to days.

The Aurora vulnerability was demonstrated in early 2007. It demonstrated the ability to cause critical equipment damage. The information was declassified in July 2014 with specific slides showing how an Aurora attack could damage critical equipment in refineries/chemical plants, water systems, and natural gas pipeline systems. In 2015, it was demonstrated that the SEL Aurora mitigation device could be compromised and turned into an Aurora initiation device (https://www.controlglobal.com/blogs/unfettered/the-use-of-protective-relays-as-an-attack-vector-the-cyber-vulnerability-of-the-electric-grid ).  

Stuxnet occurred in 2010 and was able to impact Siemens controllers (and many others) in multiple industries. These same Siemens (and other PLC vendors) controllers continue to have DHS ICS CERT cyber vulnerability notifications.

The lack of cyber security in process sensors, actuators, and drives can cause cross-industry equipment failures as well as prevent grid restoration (https://www.controlglobal.com/blogs/unfettered/can-the-grid-be-restarted-after-a-cyber-attack-it-is-not-clear).

However, the NIAC report does not address these issues. The concern should be cyber threats that can damage critical long lead-time equipment in all industries – turbine/generators, pumps, valves, motors, transformers, etc. These hardware-based cyber threats are generally physics and not malware-based. Therefore, they generally would not be detectable from network monitoring. There are minimal control system cyber forensics or training for this equipment. It is clear that many of our adversaries are aware of these weaknesses that can affect our critical infrastructures. Yet, DOE, DHS, FERC (Federal Energy Regulatory Commission) Nuclear Regulatory Commission (NRC), and the North American Electric Reliability Corporation (NERC) have not adequately addressed these issues.

How can we respond and recover from catastrophic power outages when we continue to ignore the devices that can prevent “respond and recover”?

How can we improve our understanding of how cascading failures across critical infrastructure will affect “restoration and survival” when we don’t know we have a problem?

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...