- Federal Energy Regulatory Commission (FERC) staff have concluded that some users, owners and operators of the bulk electric system (BES) system are not properly categorizing cyber systems associated with the transmission network, potentially putting system reliability at risk.
- The finding was part of a staff report, released Oct. 4 advising BES entities on compliance with mandatory Critical Infrastructure Protection (CIP) standards and overall levels of cybersecurity. Responsible entities are required to identify their assets as High, Medium or Low Impact.
- Separately, the National Institute of Standards and Technology (NIST) is seeking technology vendors to help develop solutions to secure the "Industrial Internet of Things," potentially including sensors, network monitoring, system monitoring, and data acquisition devices related to grid analysis. A recent assessment from the U.S. Government Accountability Office (GAO) concluded industrial control systems and the rise of distributed resources are making the nation's grid more vulnerable to attacks.
FERC's report "highlights lessons learned" from non-public CIP reliability audits, though it also concludes the industry is generally — but not always — meeting standards.
"Most of the cybersecurity protection processes and procedures adopted by the registered entities met the mandatory requirements," according to the report. "However, there were also potential compliance infractions found. Additionally, staff observed practices that could improve security but are not necessarily required by the CIP Reliability Standards."
The CIP standards require transmission entities to identify generation that could be rendered unavailable if their assets are "destroyed, degraded, misused, or otherwise rendered unavailable." The report recommends BES entities "consider all generation assets, regardless of ownership, when categorizing bulk electric system cyber systems associated with transmission facilities."
The North American Electric Reliability Corporation defines "BES Cyber Asset" as a cyber asset that, if rendered unavailable, degraded or misused would, "within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System."
According to the report, staff observed multiple examples where an entity "only considered the loss of its own generation facilities when evaluating the potential impact of its transmission facilities being rendered unavailable"
The report also recommended BES entities ensure employees and third-party contractors complete required training, that the training records are properly maintained, and that they "verify employees' recurring authorizations for using removable media."
Firewalls should also be reviewed to ensure there are no "obsolete or overly permissive" access control rules in use. While entities were again found generally to be doing a good job, the report said that "in a minority of instances, staff observed that entities maintained firewalls with overly permissive firewall access IP ranges."
The electric sector is increasingly under attack from hackers, though so far the United States has avoided any related electric interruptions. But as the grid becomes increasingly decentralized, experts worry it is also more vulnerable.
The GAO's September report recommended FERC analyze the threat of a "coordinated cyberattack on geographically distributed targets" and consider beefing up its security requirements and compliance thresholds.
How to secure the distributed grid is the focus of NIST's Industrial Internet of Things work. An Oct. 8 Federal Register notice invited organizations to "provide products and technical expertise to support and demonstrate security platforms."
NIST says the call to tech vendors is a first step for the National Cybersecurity Center of Excellence in "collaborating with technology companies to address cybersecurity challenges identified under the energy sector program."