The current state of cyber (in)security in the electric industry

June 29, 2012
From the early 2000's when the NERC CIP process first began (it wasn't called CIP at the time), NERC and FERC's intent was to maintain the reliability of the bulk electric system. Unfortunately, the current version of the NERC CIPs actually reduces the reliability of the electric grid and can even impact the safety of nuclear plants.

Background

Until 2006, NERC was an industry organization focused on the reliability of the electric grid. It had no formal authority to levy fines or other penalties for impacting grid reliability. It was also an ANSI-accredited organization, meaning its standards were approved by a majority vote of its constituency. In 2006, FERC designated NERC as the Electric Reliability Organization (ERO), which gave it "quasi-regulatory" status and the ability to levy fines. Given that NERC was now the ERO, one would have expected the standards voting process to change, as it doesn't make sense to have the regulatees vote on their own regulation. However, the voting process didn't change, which created a conflict of interest. It also led to the existing quagmire over what is considered a "Critical Asset" (CA), because the NERC CIPs allow the utility to self-define its CAs. If an asset is not considered a CA, it does not require a physical audit and/or a cyber security assessment, activities that typically should lead to remediation and further audits and assessments. I recently returned from arguably the most comprehensive technical cyber assessment of any facility - an international nuclear plant the utility wanted addressed because of Stuxnet. The results of the assessment were almost the opposite of what is found in facilities under NERC CIP purview: the assessment identified almost all systems as critical, and almost all critical systems needed some form of assessment (there were even systems that could NOT be secured). This should be expected - why install new control systems if they aren't critical? And since control systems weren't designed for security, they should need some form of remediation. Yet this is almost the opposite of what is occurring with utilities under NERC CIP - very few assets are identified as critical, and very few assets are identified as needing remediation.

The NERC CIPs had unintended effects:

- NERC CIP Version 4 introduced the "bright line" concept which sets a minimum threshold for size of power plants and substation voltage to be considered critical. This is based on the traditional utility requirement of meeting the N-1 failure criteria of the grid being designed to lose an asset and continue to function. Statistical analysis has shown it is unlikely to lose more than one node unless a natural (not malicious) disaster ensues. This is where the N-1 approach falls down. Cyber is a common cause failure that can impact multiple facilities from multiple organizations - it is not a single node event. Examples like Slammer and Blaster demonstrate that point. Moreover, cyber is a malicious event that methodologies like N-1 and statistical assessments were never meant to address. There is a need to develop "risk" methodologies applicable to cyber that provide a meaningful measure of control system security.

- Cyber is a communication issue. Consequently, the size of the facility is not critical, but whether it communicates with other facilities is relevant. A small (less than 50 MW) generator with compromised communication packets, if dispatched by the independent system operator (ISO), can bring down the entire regional grid controlled by the ISO. Moreover, the conditions currently occurring in Southern California (associated with the unavailability of the San Onofre Nuclear Generating Station) make all available generation critical for grid reliability, not just those above an arbitrary megawatt threshold.

- The utilities used the bright line criteria to further reduce the Commission's authority over some facilities that are considered Critical Assets under Version 3 of the CIP standards. The bright line criteria exclude approximately 70% of the generation capacity in North America, 88% of transmission assets, and 30% of the control centers. This provides a clear roadmap for a hacker.

- Many utilities have delegated NERC CIP compliance to their compliance organizations and have minimized the participation of control system experts. It is dangerous to exclude the domain experts when attempting to protect systems that cannot be understood without domain expertise. Often, this has led to diligent engineers not being able to do what they consider to be the right thing, because internal utility compliance organizations will not allow it.

- Even though serial communications are the most prevalent in substations and power plants, and serial communications can be cyber vulnerable, the NERC CIP process excluded assessing serial communications. This has resulted in many utilities converting Internet Protocol (IP) communications to serial. Since serial communications can also be cyber vulnerable, the NERC CIPs exclude a significant number of cyber-vulnerable systems. These include Intelligent Electronic Devices (IEDs) in substations and Programmable Logic Controllers (PLCs) in power plants.

- Black start facilities (those used to restart the system after a complete blackout) were classified as CAs in CIP Versions 1-4. (In draft Version 5, black start facilities have gone from medium priority to low.) This meant they were required to meet the NERC CIPs and were auditable. In order to avoid the compliance issues, many utilities are no longer identifying black start units in their restoration plans. Moreover, nuclear plants that rely on these black start units can be at risk of a Fukushima-type incident following an extended blackout. As an example, one large utility had 20 units providing black start capability. Following the issuance of NERC CIP Version 4, the utility now has only 1 unit identified as black start. Considering this utility has nuclear plants that need some form of black start capability, this seems very problematic. One can only wonder what transmission planners think about the lack of black start capability.

- The recent NERC Cyber Attack Task Force (CATF) report did not address Stuxnet or Aurora. Both Stuxnet and Aurora are known, demonstrated vulnerabilities that can lead to significant equipment damage and extended outages. Aurora exploits a gap in the protection of the grid that violates a basic engineering tenet taught to any first-year electrical engineering student - don't start equipment out-of-phase. Aurora can only be addressed by hardware remediation, as it is a physical process. NERC formed a task force to consider Aurora but has issued no opinions, recommendations or mandates to utilities to resolve the threat; today, five years after the Aurora test demonstration, utilities are only required to send in paperwork demonstrating compliance with current requirements. For Stuxnet, information and source code are publicly available, and to believe modified malware will not be forthcoming is naive. What are utilities doing to protect themselves from other known issues such as Flame, Duqu, and sKyWIper?

- Last month, a paper on Stuxnet and Anti-Virus written by an engineer in Iran was published in Control On-line, demonstrating Iran's knowledge of Stuxnet. What was the rationale for the NERC CATF excluding these vulnerabilities?

- The Smart Grid Security Acceleration Group is working on substation automation. However, Aurora is not being considered. Substation automation cannot be considered secure when a gap in the protection of the grid is not addressed.
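The bright-line, small-generator, serial-exclusion and common-cause points above can be made concrete with a small asset-classification model. The Python below is an added example written for this page; it is not code from the post, from NERC or from any utility. The asset inventory, the communication links, the `ISO_CC` root and the megawatt and kilovolt thresholds are all constructed for illustration and are not the real CIP Version 4 criteria. It classifies the same inventory two ways, by size (the bright line) and by what is reachable over communication links from the ISO control center, and then counts how many generators a single cyber event on that communication path would remove at once.

```python
# Constructed example (not from the original post): contrast a size-based
# "bright line" classification with a communication-reachability view.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "generator", "substation" or "control_center"
    mw: float = 0.0      # nameplate capacity, generators only
    kv: float = 0.0      # nominal voltage, substations only
    black_start: bool = False


# Hypothetical thresholds for illustration only, not the real CIP criteria.
GEN_MW_THRESHOLD = 1500.0
SUB_KV_THRESHOLD = 500.0

# Constructed inventory of a small region dispatched by one ISO control center.
ASSETS = [
    Asset("ISO_CC", "control_center"),
    Asset("Gen_A", "generator", mw=1800.0),
    Asset("Gen_B", "generator", mw=45.0),                    # small, ISO-dispatched
    Asset("Gen_C", "generator", mw=600.0, black_start=True),
    Asset("Gen_D", "generator", mw=300.0),                   # no network path at all
    Asset("Sub_X", "substation", kv=230.0),
    Asset("Sub_Y", "substation", kv=500.0),
]

# Constructed links: (end_a, end_b, protocol) with protocol "ip" or "serial".
# Links are undirected here: a compromised channel is a foothold at either end.
LINKS = [
    ("ISO_CC", "Gen_A", "ip"),
    ("ISO_CC", "Gen_B", "ip"),
    ("ISO_CC", "Sub_X", "ip"),
    ("Sub_X", "Gen_C", "serial"),
    ("Sub_X", "Sub_Y", "serial"),
]


def bright_line_critical(asset):
    """Size-based test: control center, large generator or high-voltage substation."""
    if asset.kind == "control_center":
        return True
    if asset.kind == "generator":
        return asset.mw >= GEN_MW_THRESHOLD
    if asset.kind == "substation":
        return asset.kv >= SUB_KV_THRESHOLD
    return False


def comms_reachable(start, links, include_serial=True):
    """Breadth-first walk over communication links starting at `start`.

    include_serial=False mimics a scope that ignores serial links, so the
    walk stops at the last IP-connected node.
    """
    adjacency = {}
    for end_a, end_b, protocol in links:
        if protocol == "serial" and not include_serial:
            continue
        adjacency.setdefault(end_a, set()).add(end_b)
        adjacency.setdefault(end_b, set()).add(end_a)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def classify(assets, links, root="ISO_CC"):
    """Critical sets under each view, plus what each view leaves out."""
    names = {a.name for a in assets}
    bright = {a.name for a in assets if bright_line_critical(a)}
    comms_all = comms_reachable(root, links, include_serial=True) & names
    comms_ip = comms_reachable(root, links, include_serial=False) & names
    return {
        "bright_line": bright,
        "comms_all": comms_all,
        "comms_ip_only": comms_ip,
        "missed_by_bright_line": comms_all - bright,
        "missed_by_serial_exclusion": comms_all - comms_ip,
    }


def common_cause_loss(assets, affected):
    """Generators lost together if one cyber event takes every reachable node.

    Returns (count, megawatts); a count above 1 is outside the N-1 assumption.
    """
    lost = [a for a in assets if a.name in affected and a.kind == "generator"]
    return len(lost), sum(a.mw for a in lost)


if __name__ == "__main__":
    result = classify(ASSETS, LINKS)
    for key, value in result.items():
        print(f"{key:28s} {sorted(value)}")
    count, megawatts = common_cause_loss(ASSETS, result["comms_all"])
    print(f"one cyber event could remove {count} generators ({megawatts:.0f} MW) at once")
```

On this constructed inventory the bright line flags only the control center, the 1800 MW unit and the 500 kV substation, while the reachability view also catches the 45 MW ISO-dispatched unit, the 230 kV substation and, through a serial link, the black start unit; the serial-only walk drops the last two entirely. Losing every reachable generator at once is an N-3 event, which is the common-cause failure the N-1 criterion was never meant to model.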

These issues are all open. What is the electric utility industry doing to address them? What is government doing?

Joe Weiss
