The nation’s grid monitor has proposed new cybersecurity standards for low-voltage systems, citing increased concerns that a coordinated attack could impact the bulk electric system.
The North American Electric Reliability Corp. issued a draft white paper on Friday that proposes updates to the critical infrastructure protection reliability standards. The proposal would apply to assets that have a “low impact” on the bulk electric grid if something goes wrong; that can include low-voltage equipment like substations or a transmission station.
The proposed regulations would require authentication for remote access, add protections for user and password information and require owners and operators to add new methods to detect malicious communications.
They come as concern over cyberattacks on critical infrastructure continues to increase. Public supply-chain cyberattacks have also highlighted the complex nature of the grid and the large-scale impact of simultaneous attacks on otherwise low-risk infrastructure.
“A coordinated cyberattack with control of multiple facilities may result in an interconnection wide [bulk electric system] event,” NERC wrote in the white paper.
Patrick Miller, CEO of Ampere Industrial Security and a former NERC auditor, said utilities are unlikely to embrace the proposal, as low-impact assets are much higher in number than medium or high assets.
“The industry is going to push back on more requirements … because it’s the largest number of assets that they’re dealing with,” Miller said.
But the proposal, he said, was “positioned very well so it’s hard to argue with.”
“I think it will help it go a long way towards getting adoptions, both in the industry and through the NERC process and the process for modifying standards,” Miller said.
‘Cookie-cutter’ vulnerabilities
The NERC paper was prompted in part by the massive Russian cyber espionage campaign that distributed malware through an update in the widely used software from SolarWinds Inc. The campaign infiltrated at least nine federal agencies, including the Department of Energy, and hundreds of businesses.
The electric sector appeared largely unscathed by the Russian espionage, as there was little evidence of malicious activity, according to both DOE and the Electricity Information Sharing and Analysis Center (E-ISAC) (Energywire, April 14, 2021). But NERC has warned that it could be a weak point in security; the malware could have jumped from a supplier to customers who didn’t use SolarWinds.
A recent NERC report also highlighted supply-chain attacks on the grid as an increasing concern. The grid monitor has also warned that, compared to other threats to the grid such as extreme weather, cyber threats are unique because of the constant change and adaption by defenders and hackers.
Low-impact assets are not highly regulated. In its Friday white paper, NERC said that was because those assets do not individually pose a large threat to the reliability of the bulk electric system — and resources are thus instead used to better protect higher-voltage systems.
But while the widespread impact from hacks against individual low-impact systems may be minimal, a collective attack can have a widespread impact on the bulk electric system.
Typically, cyberattacks on multiple networks can be difficult to pull off, particularly for complex industrial environments, experts note. Hackers would have to infiltrate each system, which can take more time and resources.
But Miller warned that for utilities, it’s often easier just to build “cookie-cutter” equipment, which, in turn, can make it easier for hackers to have a widespread impact.
“If you’re rolling out a transmission segment, you’re likely going to do that all at once and you’re likely going to buy common equipment, and these are common integrators,” Miller said.
In addition to the proposed rules, NERC’s Friday white paper included plans to develop best practices for more secure communications between networks, procurement risk evaluations and voluntary reporting to E-ISAC, the grid monitor’s information clearinghouse.
Such guidelines are often not as helpful as rules, Miller said, because utilities can “wholesale ignore it.” The National Institute of Standards and Technology also already produces widely adopted guidance for cybersecurity defense.
While the proposal would add new rules, NERC standards don’t cover all portions of the grid. Distribution lines, for example, are often out of the scope of the authority given to the Federal Energy Regulatory Commission and NERC. Some of those authorities belong to the state.
The “low-impact” designation is also limited, Miller said. For example, NERC’s proposed regulations wouldn’t cover some solar and wind generation facilities.
“[NERC] only covers some transmission, some generation and no distribution,” Miller said.
Comments for the draft white paper are open from July 29 to September 12.