The President’s National Infrastructure Advisory Council (NIAC) report “Surviving a Catastrophic Power Outage – How to Strengthen the Capabilities of the Nation” was issued in December 2018. NIAC was tasked to examine the nation’s ability to respond to and recover from a catastrophic power outage of a magnitude beyond prior experience. There were two overarching recommendations: 1) design a national approach to prepare for, respond to, and recover from catastrophic power outages, and 2) improve our understanding of how cascading failures across critical infrastructure will affect restoration and survival.
Cascading failures generally do not involve damage to critical equipment (e.g., transformers, turbines, motors), certainly not widespread equipment damage, and they are short-lived (hours to days). Cascading failures such as the 2003 Northeast Outage, the 2008 Florida Outage, and the 2011 Yuma outage were therefore short-lived, as were the 2015-16 Ukrainian cyber attacks, because there was minimal critical equipment damage. NIAC, however, was tasked to examine the nation’s ability to respond to and recover from a catastrophic power outage of a magnitude beyond prior experience. To me, this means widespread critical equipment damage leading to outages of many months, not hours to days.
The Aurora vulnerability was demonstrated in early 2007, and the demonstration showed the ability to cause critical equipment damage. The information was declassified in July 2014, with specific slides showing how an Aurora attack could damage critical equipment in refineries/chemical plants, water systems, and natural gas pipeline systems. In 2015, it was demonstrated that the SEL Aurora mitigation device could be compromised and turned into an Aurora initiation device (https://www.controlglobal.com/blogs/unfettered/the-use-of-protective-relays-as-an-attack-vector-the-cyber-vulnerability-of-the-electric-grid).
Stuxnet occurred in 2010 and was able to impact Siemens controllers (and many others) in multiple industries. These same Siemens controllers, and those of other PLC vendors, continue to be the subject of DHS ICS-CERT cyber vulnerability notifications.
The lack of cyber security in process sensors, actuators, and drives can cause cross-industry equipment failures as well as prevent grid restoration (https://www.controlglobal.com/blogs/unfettered/can-the-grid-be-restarted-after-a-cyber-attack-it-is-not-clear).
However, the NIAC report does not address these issues. The concern should be cyber threats that can damage critical long-lead-time equipment in all industries – turbine/generators, pumps, valves, motors, transformers, etc. These hardware-based cyber threats are generally physics-based, not malware-based; therefore, they generally would not be detectable through network monitoring. There are minimal control system cyber forensics or training for this equipment. It is clear that many of our adversaries are aware of these weaknesses, which can affect our critical infrastructures. Yet DOE, DHS, the Federal Energy Regulatory Commission (FERC), the Nuclear Regulatory Commission (NRC), and the North American Electric Reliability Corporation (NERC) have not adequately addressed these issues.
How can we respond and recover from catastrophic power outages when we continue to ignore the devices that can prevent “respond and recover”?
How can we improve our understanding of how cascading failures across critical infrastructure will affect “restoration and survival” when we don’t know we have a problem?
Joe Weiss