- While traditional grid resiliency continues to grow, the North American Electric Reliability Corporation says there is a growing threat that cyberattacks could be used to cause widespread outages on the nation's bulk power system.
- NERC has issued its 2017 State of Reliability report, concluding that resiliency to severe weather continues to improve, but transmission outages due to human error showed a slight increase last year.
- The report comes as the industry is focused on new analysis that shows the malware used to cause a 2015 Ukraine power outages could be modified to attack the United States' grid.
There were no successful grid attacks last year, and no loss of load, but NERC's latest reliability assessment cautions not to read too much into that accomplishment.
"While this indicates NERC’s efforts with industry have been successful in isolating and protecting operational systems from various adversaries, this does not suggest that cyber security risk is low," the nonprofit reliability agency said in the report.
Looking to better address risk management, the report notes NERC Critical Infrastructure Protection Committee, NERC’s Electricity Information Sharing and Analysis Center developed a "roadmap for future metrics development," including refining the initial set of metrics that are based on operational experience. The roadmap also addresses challenges associated with security-related data collection.
Part of the difficulty in collecting data, but what helps protect the bulk power system, is the sheer number and type of cyber systems and equipment used by the industry. NERC's report said the array is "vast, making it difficult to develop metrics that are meaningful to individual entities across the industry."
Earlier this month, cybersecurity firm Dragos issued a report concluding malware that was used in a 2015 cyberattack resulting in power outages in Ukraine could be modified by its Russian developers to target the United States.
NERC issued a statement responding to the report, noting that to date there are "no reported instances of the malware in North America."