The Federal Energy Regulatory Commission has terminated a proceeding on cybersecurity for grid control centers for the wholesale power markets.
FERC said comments it received indicated that current cybersecurity measures provide sufficient protection from cyberattacks and that some of the proposed modifications could pose operational risks.
- FERC added it intends to continue to provide support on the issue, and would engage with the North American Electric Reliability Corp., industry, and other stakeholders to explore cybersecurity strategies more thoroughly and address possible risks.
A 2015 cyberattack on the Ukraine grid affected 225,000 customers and grabbed the attention of utility executives around the world. The message was: it can happen here. A new survey by Accenture found that 63% of utility executives globally see at least a moderate risk of a grid cyberattack in the next five years; that number rises to 76% among utility executives in North America.
And utility executives named cybersecurity a top priority in Utility Dive's annual State of the Electric Utility survey.
It would seem surprising, then, that FERC would end an inquiry into the need to modify cybersecurity standards. FERC launched the Notice of Inquiry (NOI) in July 2016 in response to the Ukraine attacks. The NOI was focused specifically on the cybersecurity of control centers used to monitor and control the bulk electric system (BES).
FERC sought comments on possible modifications that would involve strategies that would isolate BES cyber systems in control centers that perform transmission operator functions from the Internet. Those strategies would also use computer administration practices to prevent unauthorized applications from running, such as application whitelisting.
In comments, stakeholders told FERC that current standards provide flexibility on implementing security controls and that with continued information-sharing, they would be better able to implement security controls.
Stakeholders also told FERC that isolation and whitelisting, while effective in certain circumstance, can also present risks that could impede an the ability to maintain awareness of the conditions on the BES and achieve business efficiencies under normal conditions.
The stakeholders also said that isolation or whitelisting could be difficult to develop, given the diversity of configurations that exist on the BES. The termination of the NOI notwithstanding, FERC said it would continue to engage with industry and stakeholders to encourage and explore cybersecurity strategies.
However, the White House and the North American Electric Reliability Corporation steps up efforts to prioritize cybersecurity efforts. Last week, NERC proposed new reliability standards to bulwark the vendor supply chain delivering software and critical updates that manage the BES system, a separate proceeding from this one.