What is the actual state of electric industry cyber security - Responses from EPRI's Mark McGranahan?

March 18, 2011
Enclosed is a follow-up to my blog yesterday with responses from EPRI’s Mark McGranahan. 
1. Original quote: "SCADA has the control to open and close switches on the transmission grid. That's why the concern exists. When one thing happens in a power system, it can result in other things happening automatically from a protection point of view.  It's unlikely that doing something at one switch, or even a number of switches, would be likely to result in a cascading outage. We have had a number of those over the years and every time we learn and put in additional protection to prevent the problem." 
2. Mark McGranahan’s response: I don’t remember this quote exactly but the concept is valid. Cascading outages require more than a misoperation of one or two breakers or switches. There are backup systems and redundant systems that come into play before these operations cause cascading failures. Regardless, misoperation of devices on the transmission grid is extremely serious, and problems in a single location have caused large blackouts in the past – UK, Italy, etc.
3. My response: The 2008 Florida Outage was a control system cyber incident where one faulted switch and several layers of bypassed protection cascaded into an outage that affected about 3 million people. I have not seen utilities making changes to their SCADA systems to prevent this type of incident from recurring. Natural disasters (e.g., the Japanese earthquake and tsunami) or malicious attacks (e.g., Stuxnet) have demonstrated that back-up and redundant systems can be defeated. Next week I will be attending a government-sponsored workshop discussing whether defense-in-depth is still a viable mitigation approach against cyber attacks.
1. Original quote: "I don't know if the grid is vulnerable anywhere, but the further up in the chain you go, the more things that are affected by any potential problem that gets created. At the distribution level, you are affecting a much smaller number of customers than you are if something has been compromised at the SCADA transmission or generation level."
2. Mark McGranahan’s response: This is an accurate quote. If a hacker causes a breaker to misoperate on the distribution system, it can interrupt a thousand customers. This is obviously not good, but it is not the same as a blackout impacting a large part of the transmission grid. Note that I don’t think this means that securing distribution systems is less important than securing transmission systems. However, a basic concept that is involved in deciding on security measures that need to be implemented is the risk involved. This is one of our biggest challenges. Security measures associated with distribution SCADA may not be the same security measures as those required for transmission SCADA because the risks are different – this has to be evaluated on a case-by-case (application-by-application) basis. The NISTIR was a good start on this process.
3. My response: There have already been more than 20 control system cyber incidents in the North American electric industry, some of these initiated by distribution systems that impacted transmission systems. Consequently, distribution systems that can impact transmission systems should have a higher risk level than those that cannot propagate into the bulk electric system.
1. Original quote: "Utilities have security right at the top of the list. I can tell you from talking to executives that they are making sure they are addressing security concerns in every way possible. Some of it is a problem from an R&D point of view, really being able to understand and characterize all of the potential vulnerabilities and threats."
2. Mark McGranahan’s response: This is an accurate quote. We have a Sector Council consisting of utility VPs that provides guidance for our research activities, and they have put cyber security at the absolute top of the list of issues that we should be addressing, and they are looking for EPRI to take a leadership role in addressing them. We have a research program dedicated to this, we are part of the National Cybersecurity Research Organization (DOE project), and we are starting an industry-wide initiative to help contribute to requirements development, technology assessments for cyber security hardening of legacy systems, and approaches for securing new smart grid systems.
3. My response: If the utilities are serious about cyber security, they would adopt the NIST Risk Management Framework, which is mandatory for all federal agencies and is being applied to nuclear plants. The NERC CIP Version 4 bright lines, exclusion of telecom, exclusion of non-routable protocols, exclusion of distribution, exclusion of market systems, etc. are simply not a path to secure a system, much less the electric grid.
Joe Weiss