The White House is looking to add oversight capabilities to strengthen cybersecurity for critical infrastructure. The administration has been working with various cabinet agencies to bolster cybersecurity in water, rail, aviation, energy and other sectors. 

However, Anne Neuberger, deputy national security advisor for cyber and emerging technology, speaking during the Billington Cybersecurity Summit in Washington D.C., raised the possibility of a letter grade rating that would hold key providers accountable for maintaining a certain level of cyber resilience. 

As good as public-private partnerships are, the administration sees that additional enforcement ability as a necessary step. 

“It’s very different when one shares threat information, when one shares a zero-day vulnerability with a pipeline company — with a real company — and the regulator can say: ‘What’s your plan to fix this? And then hold the company to that,” Neuberger said, during a fireside chat with Brad Medairy, EVP at Booz Allen.

Ensuring certain standards for critical infrastructure providers is a “zero-fail mission” that could not allow prolonged disruptions of power or gas or water supplies, Neuberger said.

A rating type system could hold a provider — such as rail, water or aviation — to a letter grade ranging from A through D, based on their level of cybersecurity fitness.

The administration is also working with the private sector to ensure they have more secure technology products through the Cyber Trust Mark program originally unveiled in July.

The consumer labeling program is designed to strengthen the cyber resilience of millions of smart home devices, including home routers, power inverters, smart meters and other IoT products.

Smart IoT devices should have Cyber Trust Mark labeling by Thanksgiving 2024, Neuberger said. 

Criminal and nation-state hackers have leveraged IoT devices, including home routers, to launch attacks against critical infrastructure providers and defense industry targets in the past. 

The Department of Energy is working on a standard for smart meters, while the National Institute of Standards and Technology is working on a standard for smart routers. Major retailers like Amazon and Best Buy have expressed strong support for the program. 

International partnerships

The U.S. will be reconvening its International Counter Ransomware in Washington on Oct. 31. The number of countries involved has grown from 31 to 47. The group is working on a coordinated statement regarding ransomware payments, Neuberger said. 

The U.S. also provided $25 million in digital infrastructure assistance to Costa Rica, which faced crippling cyberattacks after it was the first Latin American country to call out Russia after the invasion of Ukraine, according to Neuberger.

President Biden met with Costa Rica President Rodrigo Chaves Robles at the White House in late August, where they discussed cybersecurity among other subjects.

A House subcommittee held a hearing July 11 on growing threats to the U.S. electric grid, including sophisticated hackers, physical attacks, the rise of inverter-based resources and a reliance on pipelines for gas-fired generation.

While a cyber attack has never caused a loss of load in North America, the threat landscape is “continuously evolving,” said Manny Cancel, CEO of the Electricity Information Sharing and Analysis Center, or E-ISAC. “Among the most pernicious are nation-states, which possess the capability to disrupt critical infrastructure in North America.”

Cancel and other experts testified before the House Subcommittee on Oversight and Investigations at a hearing titled "Examining Emerging Threats to Electric Energy Infrastructure." 

Chinese cyber activities “are probably one of the largest and most dynamic cyber threats to critical infrastructure and continue to demonstrate an increasing sophistication,” Cancel said. “Russia remains a top cyber threat as it refines and employs its espionage, influence, and attack capabilities.”

Iran’s growing expertise and “willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and its allies,” Cancel continued. “North Korea’s cyber program poses a sophisticated and agile espionage, cybercrime, and attack threat.”

The E-ISAC is operated by the North American Electric Reliability Corp., or NERC, and functions as a clearinghouse for power sector security information.

Cancel also noted that ransomware attacks are common and growing in frequency and sophistication. The Federal Bureau of Investigation’s records indicate there were 870 ransomware complaints from critical infrastructure operators in 2022, including 15 from the energy sector, he said.

Recent ransomware attacks by groups like Cl0p, Black Basta, and Royal “remain a significant concern for the industry,” Cancel added. In particular, the MOVEit file transfer breach perpetrated by Cl0p “underscores the significant challenge of ransomware and its impact on supply chain security, with hundreds of widely used vendors being listed as victims.”

Physical attacks on the grid are also “deeply concerning,” Cancel said. There were almost 1,700 physical security incidents reported to the E-ISAC last year, an increase of 10.5% from 2021, he said.

Most physical attacks do not result in grid impacts, but “a trend toward more serious events occurred in 2022,” Cancel said. A series of attacks on substations in Washington and North Carolina within the last year resulted in blackouts and equipment being removed from service.

Other experts focused on threats tied to the transformation of the electric grid.

Wind, solar and battery assets are all inverter-based resources, or IBRs, which open up “significant opportunities to attack the grid,” said Paul Stockton, a senior fellow in Johns Hopkins University Applied Physics Laboratory.

“Adversaries can seek to access IBRs and shut them down precisely when we need the power the most,” Stockton said. “They can attempt to seize control of inverter-based resources and mis-operate them ... to help control frequency and voltage in order to create widespread disturbances. They can use what's supposed to be an advantage, transform it into a weapon.”

While IBRs are most commonly connected at the distribution-system level, Stockton warned they are increasingly used on the bulk power system and tied to high voltage transmission systems. “We’ve got some new potential vulnerabilities to get out in front of and get ready to secure the grid of the future,” he said.

Even without adversarial action, IBRs still require more study. NERC has been sounding alarms over a series of disruptions to IBRs, in particular solar resources that have “exhibited systemic performance issues that could lead to potential widespread outages if they persist.” The IBRs have tripped offline or reduced output in response to grid disturbances.

A growing reliance on natural gas also poses a threat to the electric grid, said Bruce Walker, president of the nonprofit Alliance for Critical Infrastructure Security. China is almost certainly capable of disrupting U.S. critical infrastructure, including gas pipelines, he said.

”This is particularly troubling and pertinent to emerging risks as we are significantly reliant on gas transmission pipelines for electric generation,” Walker said. “The United States reliance on gas fired electric generation is only increasing as government policies and investment move the industry away from other fossil fuel generation.”

Sponsored content

By Dragos

By: Jason Christopher, Dragos Principal Cyber Risk Advisor

The electric utility industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) and operations technology (OT) for a variety of purposes. A power disruption event from a cyberattack can occur from multiple components of an electric system including disruptions of the operational systems used for situational awareness and energy trading, targeting enterprise environments to achieve an enabling attack through interconnected and interdependent IT systems, or through a direct compromise of cyber digital assets used within OT environments. Attacks on electric systems – like attacks on other critical infrastructure sectors – can further an adversary’s criminal, political, economic, or geopolitical goals. As adversaries and their sponsors invest more effort and money into obtaining effects-focused capabilities, the risk of a disruptive or destructive attack on the electric sector significantly increases.

The number of publicly known attacks impacting ICS environments around the world continues to increase, and correspondingly the potential risk due to a disruptive cyber event impacting the North American electric sector is currently assessed as high. This report highlights multiple threats and adversaries focusing on critical infrastructure and their capabilities. Dragos anticipates the threat landscape associated with the sector will remain high as the detected intrusions continue to rise.

Of the activity groups that Dragos is actively tracking, nearly two-thirds of the groups performing ICS specific targeting and disruption activities are focused on the North American electric sector. Additionally, existing threats to ICS are expanding and establishing new interest in electric utility operations in North America. For example, the Dragos tracked activity group XENOTIME – the most dangerous and capable activity group – initially focused its targeting efforts on oil and gas operations before expanding to include North American electric utilities. Dragos also identified the MAGNALLIUM activity group expanding targeting to include electric utilities in the US. This activity group expansion and shift to the electric sector coincided with increasing political and military tensions in Gulf Coast Countries (GCC).

Dragos research of the CRASHOVERRIDE attack indicates ELECTRUM targeted recovery operations. Such activity, if successful, could prolong outages following a cyberattack and cause physical damage to equipment or harm to operators. These findings suggest the group had greater ambitions than what it achieved during its 2016 attack, and represent worrying possibilities for safety and protection-focused attacks in the future.

Historically, adversaries have demonstrated the capabilities to significantly disrupt electric operations in largescale cyber events through specialized malware and deep knowledge of targets’ operations environments. Although North America has not experienced similar attacks, ICS-targeting adversaries exhibit the interest and ability to target such networks with activities that could facilitate such attacks.

The electric sector, as a whole, has been working for over a decade to address cyber threats through board level decisions, 1 preparedness exercises like GridEx, the NERC CIP standards, and direct investment in ICS specific security technologies. However, adversaries will continue to evolve and the industry must be ready to adapt

Federal agencies have stepped up efforts to boost intelligence sharing and build industry resilience in response to a wave of cyberthreats against critical infrastructure providers, including the energy sector, water and healthcare.

As part of those efforts, the U.S. Department of Energy has begun piloting a program to coordinate information sharing, threat assessments and mitigation between DOE, the Cybersecurity and Infrastructure Security Agency, intelligence community and private sector.

Officials discussed those efforts and others at a House hearing May 16 led by the Oversight and Investigations subcommittee of the Energy and Commerce Committee. 

The hearing comes two months after the White House unveiled its long-anticipated national cybersecurity strategy, which includes a plan to boost the resilience of the nation’s 16 critical infrastructure sectors against rising threats from nation states and criminal ransomware groups.

“Given the immense gravity of the threats we face it is imperative that we employ a whole of government approach to risk management and mitigation,” Puesh Kumar, director of the Office of Cybersecurity, Energy, Security and Emergency Response at the Department of Energy, told lawmakers at the hearing.

Each annual threat assessment from the U.S. intelligence community since 2019 has pointed to persistent and malicious threats against U.S. infrastructure, Kumar said. The intelligence reports warned that Russia and the People’s Republic of China each had the cyber capability to disrupt energy services in the U.S.

DOE helped coordinate efforts to recover from the 2021 ransomware attack against Colonial Pipeline, which disrupted fuel supplies to much of the southeast and east coast of the U.S. for almost a week. 

DOE is piloting a program called the Energy Threat Analysis Center, Kumar confirmed during questioning from Rep. Diana DeGette, D-Colo.

The program at the National Renewable Energy Lab is designed to help coordinate threat information coming from private industry and the intelligence community.

“We’re not putting the pieces together to really understand what is the risk to our national security and what’s the larger trends that are happening in the sector,” Kumar said. “And we need to be doing that if we’re going to stay ahead of the threat we are facing.”

The program has already helped to take threats developed from the Russia-Ukraine conflict and convert those into cyber advisories that were sent out to the entire energy sector, Kumar testified. However, Congress will ultimately need to step in to fully stand up the program, and the current plan calls for a 2027 launch. 

The North American Electric Reliability Corp. and the six regional reliability entities have published a white paper introducing a “cyber-informed transmission planning framework” to help integrate cybersecurity efforts into bulk power system, or BPS, planning activities.

The “relative newness” of the cyber threat largely means the concept of a coordinated attack on the BPS is not modeled in today’s transmission planning practices, according to the May 8 white paper. The framework is designed to drive investments in cybersecurity and be used by stakeholders, regulators and others to perform reliability studies.

The white paper also aims to “potentially reduce the number of critical facilities and their attack exposure.” Minimum physical security standards do not need to be expanded to cover more grid assets, said NERC, but stakeholders need to “evaluate additional reliability, resiliency, and security measures designed to mitigate the risks.”

Transmission planners are “strongly encouraged” to consider the framework and adopt the concepts into their business practices, according to the white paper.

The paper provides a “roadmap for integrating cyber security into transmission planning activities.” The white paper is focused on how the framework can be “established to map cyber security risks to BPS reliability studies,” among other questions.

“The concept of a coordinated cyber attack and its impact on BPS reliability is not currently or generally studied as part of standard industry practice,” NERC said.

NERC and the regional entities “worked closely together to develop this critical framework,” Mark Lauby, NERC’s senior vice president and chief engineer, said in a statement. “The framework sets the stage to plan for a more resilient and secure system, addressing the risk in the long-term planning horizon rather than attempting to bolt on security later in the future.”

Broadly, five steps in the cyber-informed framework can be modified to fit different processes: Transmission planners should define coordinated attack scenarios; translate those scenarios into planning assessments; conduct planning studies with defined attack scenarios and affected assets; identify corrective actions; and implement risk mitigations.

The framework “also seeks to reduce the number of critical stations on the bulk power system through integrated transmission and cyber security enhancements,” Lauby said.

The white paper is part of a series of explorations into grid risks and challenges. In November, NERC published a Distributed Energy Resource Strategy examining approaches to reliably integrate tens of thousands of aggregated megawatts to the bulk power system. A white paper on the security impacts of DERs is expected in the second half of 2023.

Last year, following attacks on substations and other energy infrastructure, the Federal Energy Regulatory Commission asked NERC to determine whether physical security grid reliability standards should be strengthened. NERC concluded current infrastructure protocols for critical substations “appropriately focuses limited industry resources” and should not be expanded.

In its white paper, however, NERC said while it is not recommending an expansion of the CIP-014 applicability criteria, an increase in physical security attacks on BPS substations means there is a need to evaluate additional reliability, resiliency and security measures.

NERC recommended holding a technical conference in coordination with FERC to further explore the topic.

Utilities will be able to receive financial incentives for making certain cybersecurity investments and taking part in threat information sharing programs under a decision released April 21 by the Federal Energy Regulatory Commission.

The rule, approved, 3-1, was required by the Infrastructure Investment and Jobs Act. It largely tracks a proposal issued in September, but the commission dropped a proposed 2% return on equity adder that was supported by investor-owned utilities.

“We must continue to build upon the mandatory framework of our cybersecurity reliability standards with efforts such as this to encourage utilities to proactively make additional cybersecurity investments in their systems,” FERC Acting Chairman Willie Phillips said in a statement.

Eligible cybersecurity investments include a list of pre-qualified investments that FERC expects to periodically update.

The initial pre-qualified list has two measures: expenditures associated with participating in the Department of Energy’s Cybersecurity Risk Information Sharing Program and expenditures related to internal network security monitoring within a utility’s cyber systems.

FERC will also consider incentives for investments case-by-case, allowing utilities to request incentives for tailored solutions, the agency said.

Utilities can also seek incentives for early compliance with new cybersecurity reliability standards.

Under the rule, utilities may defer expenses and include the unamortized portion in their rate bases, according to FERC. Approved incentives, with certain exceptions, will remain in effect for up to five years from the date expenses were incurred, provided that the investments remain voluntary, the agency said.

FERC will only grant the incentives to cyber investments that materially improve cybersecurity and are not required by the North American Electric Reliability Corp.’s Critical Infrastructure Protection reliability standards or by law.

FERC Commissioner James Danly dissented, saying the rules are too narrow as they don’t apply to utilities that sell power at market-based rates. There were about 2,500 market-based rate sellers in 2019, according to Danly.

Danly also objected to the requirement that utilities show their investments or participation in an information sharing program “materially improve” their cybersecurity.

In other cybersecurity actions, FERC March 16 approved a new cybersecurity standard extending supply chain risk management requirements to “low-impact” bulk electric system cyber systems.

A coordinated attack on multiple low-impact assets with remote electronic access connectivity could have an interconnection-wide effect on the bulk power system, according to a 2019 supply chain risk assessment by the North American Electric Reliability Corp., FERC said in its decision.

“The vast majority of [bulk electric system] assets today are considered low-impact and that number is only expected to grow,” FERC Acting Chairman Willie Phillips said in a statement. “To not protect these [bulk electric system] assets against one of the most frequent attack scenarios — supply chain — would be a big mistake.”

The standard requires owners, operators and users of the bulk power system to include the topic of “vendor electronic remote access security controls” in their cybersecurity policies. The standard also requires that they can disable vendor electronic remote access and can detect malicious communications through a vendor’s remote access.

As part of its cybersecurity standards, NERC requires “responsible entities” to characterize their assets, such as control centers, power plants and transmission facilities, as being of high-, medium- and low-impact.

The standard takes effect April 1, 2026.

The three-year delay in the start date reflects “consideration that there are a large number of low impact [bulk electric system] cyber systems and that responsible entities need time to procure and install equipment that may be subject to delays given high demand,” FERC said.

FERC and NERC have been tackling supply chain risks since 2016, Phillips said during the agency’s monthly meeting March 16.

“This order is the latest product of our joint cybersecurity efforts with NERC and stakeholders in support of the reliable operation of the bulk power system,” he said. “We must continue to focus on cybersecurity, physical security, extreme weather events, and the rapidly changing resource mix.”

New utility cybersecurity strategies are needed to counter sophisticated intrusions now threatening the operations of an increasingly distributed power system’s widening attack surface, security analysts agree.

There are cyber vulnerabilities in “every piece of hardware and software” being added to the power system, the September 2022 Cybersecurity and Infrastructure Security Agency, or CISA, Strategic Plan 2023-25 for U.S. cybersecurity reported. Yet 2022 saw U.S. utilities propose $29.22 billion for hardware and software-dependent modernizations, the North Carolina Clean Energy Technology Center reported Feb. 1.

New hardware and software can allow malicious actors to have insider access through utilities’ firewalled internet technology to vital operations technology, cyber analysts said.

“No amount of traditional security will block the insider threat to critical infrastructure,” said Erfan Ibrahim, CEO and founder of independent cybersecurity consultant The Bit Bazaar. “The mindset of trusted versus untrusted users must be replaced with a new zero trust paradigm with multiple levels of authentication and monitoring,” he added.

Growing “distribution system entry points” make “keeping hackers away from operations infrastructure almost unworkable,” agreed CEO Duncan Greatwood of cybersecurity provider Xage. But distributed resources can provide “resilience” if a distributed cybersecurity architecture “mirrors” the structure of the distribution system where they are growing to “contain and isolate intrusions before they spread to operations,” he said.

New multi-level cybersecurity designs can provide both rapid automated distributed protections for distributed resources and layers of protections for core assets, cybersecurity providers said. But the new strategies remain at the concept stage and many utilities remain unwilling to take on the costs and complexities of cybersecurity modernization, analysts said.

The threat

Critical infrastructure is already vulnerable to insider attacks. 

The 2021 Colonial Pipeline shutdown started with a leaked password, according to public reports. A 2019-2020 attack known as SUNBURST and directed against U.S. online corporate and government networks went through SolarWinds and other software vendors, CISA acknowledged. And Russia’s 2015 shutdown of Ukraine’s power system was through authenticated credentials, likely using emails, CISA also reported.

In 2021, there were ransomware attacks on 14 of the 16 U.S. “critical infrastructure” sectors, including the energy sector, the FBI reported. And new vulnerabilities allowed attacks that also caused data losses, disrupted network traffic, and even denial-of-service shutdowns, according to technological and research firm Gartner.

Attacks on utility OT can come through distributed solar, wind and storage installations, employee internet accounts, smart home devices, or electric vehicles, Gartner, other analysts, and the May 2021 Biden executive order requiring improved power system cybersecurity agreed.

Existing Critical Infrastructure Protection, or CIP, Reliability Standards established by the North American Electric Reliability Corporation, or NERC, are inadequate, a January 2022 Notice of Proposed Rulemaking from the Federal Energy Regulatory Commission said. They focus only on defending the “security perimeter of networks,” the commission said.

“Vendors or individuals with authorized access that are considered trustworthy might still introduce a cybersecurity risk,” the rulemaking said. The RM22-3-000 proceeding will provide direction on how to update CIP standards to better protect utilities, federal regulators added.

The most recent Biden administration and FERC initiatives focused on the power sector, though utilities and system operators declined to reveal information about vulnerabilities or actual attacks.

There were an “all-time high” 20,175 new OT vulnerabilities in U.S. networks identified by cybersecurity analysts in 2021, according to a 2022 assessment by cybersecurity provider Skybox Security. And faster and more frequent exploitation of new vulnerabilities in 2021 showed “cyber-criminals are now moving to capitalize on new weaknesses,” it added.

A December 2021 CISA Emergency Directive recognized exploitation of a vulnerability in the Apache Log4j tool that records and scans almost all communications between online systems, the Wall Street Journal reported at the time. Downloaded millions of times, it could allow attackers to send and execute malicious code and is unlikely to be “fully ‘fixed’ for years,” cybersecurity specialist Wei Chieh Lim blogged in May 2022.

The Log4j vulnerability “was so trivial it was first exploited by Minecraft gamers,” showing utilities could be unaware of “hundreds, if not thousands, of vulnerabilities,” said CEO Tony Turner of cybersecurity provider Opswright.

A software bill of materials, or SBOM — an inventory of all system components — could be a solution to vulnerabilities like Log4j, cyber analysts said.

SBOMs were mandated by the May 2021 Biden executive order. And SBOM best practices and minimum requirements were added in a July 2021 National Telecommunications and Information Administration report. But SBOMs “are only one element” in the needed cybersecurity rethinking, consultant and provider Ibrahim said.

Internet technology began with firewalls and outward-facing defenses, but new distributed power systems make penetrations into the outer layers of networks almost inevitable, Ibrahim and other cybersecurity analysts said. Only a multi-faceted cybersecurity architecture throughout a utility’s operations can protect both OT’s new distributed attack surface and its vital operational core, many agreed.

Conceptual solutions

The most common utility cybersecurity approach is compliance with NERC CIP standards, and possibly with narrower International Society of Automation, or ISA, 62443 standards, Opswright’s Turner said. But the NERC CIP standards are being reformed and ISA standards “are narrowly focused on vulnerabilities in automation and control systems,” Turner said. 

A new Department of Energy “cyber-informed engineering,” initiative may offer better cybersecurity for critical infrastructure, Turner said. It proposes to “engineer out” risk “from the earliest possible phase of design” of the OT system’s cyber-defense, which is “the most optimal time to introduce both low cost and effective cybersecurity,” DOE’s paper said.

Utilities need to “close the gap” between IT and OT systems, said Skybox’s Senior Technical Director David Anteliz. But the “complexity of multi-vendor technologies” and “disjointed architectures across IT and OT” increase security risk, as do increased accesses by third parties for which “less than half” of utilities have policies, a Skybox November 2021 survey found.

“I can guarantee you there are people doing things in the background at utilities now,” Anteliz said. “Skybox’s answer is automation of defense-in-depth and layered architecture, which provides ongoing monitoring, visibility, understanding and response to what needs to be secured and where,” he added.

Segmentation in the design can isolate utility control rooms and make them “vaults,” Skybox’s 2022 vulnerability trends paper said. And automated aggregation of data and system information from “every corner of the network” can inform automated reactions and provide “ongoing oversight” that allows utilities to move “from reaction to prevention,” it added.

Other cybersecurity analysts have designed detailed zero trust and defense-in-depth conceptual architectures that can be applied to the U.S. power sector.

The first of “four functional levels of security” is basic “network hygiene,” by establishing user access rules and priority lists, use cases, and necessary transactions, the Bit Bazaar’s Ibrahim said. Properly applied interactions can be limited “to those who need to transact,” he said.

The second level is a “signature-based intrusion detection system,” or IDS, which automates the established priority lists to limit accesses to “authenticated users and a valid use case,” he said. The third level is a “context-based” IDS, which expands on the access limitations by “blocking or flagging” inadequately authenticated transactions, Ibrahim said.

Those IDS function “in stealth mode,” unseen even by insiders, but every network session is monitored, and any “departure from normal transactions and rules” terminates the session, he said. Utility security incident and event management systems detect and analyze all transactions, and respond to and report those questioned or terminated, Ibrahim said.

The fourth level, “endpoint security,” is overseen by automated “hypervisor” software and has three layers of protection, Ibrahim said. An intrusion may “corrupt” target applications, but the “endpoint hardware” will be protected by the hypervisor and a “last gasp message” may allow a network edge mesh or network core defenses to avoid a “cascading” OT network failure, he added.

Mesh “is a collaborative ecosystem of tools and controls” to protect a power system’s expanding perimeter of distributed resources and vulnerable third-party devices, according to Gartner. Its “distributed security tools” offer “enhanced capabilities for detection” and “more efficient responses” to intrusions, Gartner added.

Mesh cannot eliminate insiders with “legitimate credentials,” which is why utility hardware- and software-dependent system modernizations “should have multi-layer defenses and every line of new code checked,” Ibrahim said. But “if a system is compromised at its edge, like at the level of smart meters or EV chargers, mesh can respond to avoid the compromise spreading,” he said.

These conceptual architectures “can increase situational awareness and control,” but most utilities are still focused on complying with NERC CIP standards to avoid fines, Opswright’s Turner said. Many utilities argue that designed cyber-defense “complexities can slow and confuse system monitoring and responses,” and that the increased security does not justify the cost, he added.

It is, however, “not clear there is a better choice,” because firewalling the coming power system’s potentially millions of distributed devices “is not practical,” he said.

A hierarchical zero trust architecture with a firewalled core, a monitored middle layer of gateways protecting operations and a mesh at the network’s edge is the emerging consensus solution to comprehensive OT system security, Turner, Ibrahim and others agreed.

But attacks are proliferating despite federal directives and mandates and proposed provider concepts, showing more work is needed, cyber-experts and power system stakeholders agreed.

A utility-sponsored cybersecurity sandbox

Work continues in the public and private sectors to develop zero-trust tools and technologies that will enable the conceptual architectures to better defend OT for the electric power and other sectors.

The Clean Energy Cybersecurity Accelerator, or CECA, program from DOE’s National Renewable Energy Laboratory, launched in December, is a “sandbox” for innovative cybersecurity pilot projects. It will deploy and test strategies for addressing new power system vulnerabilities introduced by clean energy technologies, the CECA website said.

“U.S. critical infrastructure is increasingly targeted by adversaries,” NREL Director, Cybersecurity Research Program, Jonathan White told a January 17 CECA planning webinar. Funded by the program’s utility sponsors, which include Duke Energy, Xcel Energy and Berkshire Hathaway, or BHE, solutions will be assessed using NREL’s Advanced Research on Integrated Energy Systems, “Cyber Range,” NREL scientists told the webinar.

The Cyber Range is NREL’s proprietary, up-to-20 MW renewables-powered system integrated with distributed resources like electric vehicles and batteries and built for testing innovative technologies, according to NREL. First CECA demonstrations will test Xage, Blue Ridge Networks and Sierra Nevada Corp. cyber defense approaches.

BHE wants to leverage NREL’s “rigorous testing,” to find “technical solutions” and effective “fast-track technologies” to improve cyber defenses, BHE Spokesperson Jessi Strawn said.

CECA will allow utilities and solution providers to “stress-test disruptive security technologies,” and give “defenders” an opportunity to “get ahead of threat actors,” added a statement from BHE Director of Security and Resilience Jeffrey Baumgartner.

Duke Energy is “regularly approached by vendors who have innovative technologies” and CECA is a way to “test them in a non-live environment,” said Duke spokesperson Caroline Portillo. The opportunity is especially valuable because the tests will be “at scale in a sandbox environment,” and will be followed by technical performance assessments by participating sponsor utilities, she added.

Results of initial tests for authenticating and authorizing distributed energy resources integrated into OT environments “will be critical” as Duke and other utilities add those resources, Portillo said.

“The point of the NREL program is to build a neutral ground for solution providers and utilities to collaborate on OT cybersecurity innovations,” said Xage CEO Greatwood. “Tech companies have been frustrated by the stately pace of change in the utility business,” he added.

But if “end user utilities engage” in CECA, “tech companies will gain [an] understanding of their needs” and utilities can “obtain technical validation” of solutions, he added. “Xage already has utility customers,” but this is a chance for it to demonstrate how an automated, widely-present mesh defense like Xage Fabric works “in a zero trust cybersecurity architecture for OT environments,” Greatwood said.

A system “is only as secure as its weakest link” and “the weakest link in power systems with millions of distributed resources is not very secure because it offers a lot of entry points for attackers,” he said. “Mesh architecture mirrors the distributed physical architecture” and “can recognize and isolate, or at least control,” intruders without proper authorization and authentication, Greatwood added.

The power system environment “is evolving” toward “growing network, infrastructure and architectural complexity,” and “vulnerabilities will persist,” Gartner observed in January 2022.

But those vulnerabilities must be addressed because limiting “access to critical systems can be the greatest impediment to cyber breaches,” Ibrahim said. Building the best protections “may take time, money and a change in management processes, but those are small costs compared to the billions that can be lost from a successful intrusion,” he added.

The electric utility sector should “build in cybersecurity proactively” as a “new generation of interconnected hardware and software systems” is developed to manage the nation’s clean energy resources, the White House said in a national cybersecurity strategy released March 2.

It calls for “expanding the use of minimum cybersecurity requirements in critical sectors,” which utilities already incorporate, and shifting liability from end users to software and services developers “to promote secure development practices.”

The changes will likely mean higher costs for the electric utility sector, according to Ethan Schmertzler, CEO of operational technology security firm Dispel. “Utilities and the communities that they serve are going to have to work together with the government to determine a funding path forward,” he said in an email.

The U.S. is making a “generational investment in new energy infrastructure,” and the White House’s new cybersecurity strategy calls for securing it through the 2022 Congressionally-directed National Cyber-Informed Engineering Strategy “rather than developing a patchwork of security controls after these connected devices are widely deployed.”

The U.S. Department of Energy unveiled the engineering security strategy last year to incorporate more cyber resilience during the manufacturing, development and deployment of computer systems used by energy providers.

The agency and its national laboratories are “leading the government’s effort to secure the clean energy grid of the future and generating security best practices that extend to other critical infrastructure sectors,” according to the White House cybersecurity strategy. “DOE will also continue to promote cybersecurity for electric distribution and distributed energy resources in partnership with industry, States, Federal regulators, Congress, and other agencies.”

Experts say the impact of the new strategy may be muted — at least initially — for electric utilities. But could ultimately lead to higher costs.

The electric power sector already meets minimum security standards through the North American Electric Reliability Corp.’s Critical Infrastructure Protection rules and “has nothing to fear from new cyber regulation as a result of the new strategy,” security consultant Tom Alrich said. 

“Other critical infrastructure industries like water or petroleum refining that don’t currently have to comply with cyber regulations, might face them at some point. However, that’s likely to be years in the future,” Alrich said, given that Congressional action will be required.

“The energy sector can be expected to see increased scrutiny and revised best practices surrounding cybersecurity guidelines,” said Antoine Snow, senior public sector solution engineering manager for AvePoint, a platform that optimizes software as a service operations.

“This will be pivotal in ensuring critical energy infrastructure is protected from the increasing amount of cyber threats and further reducing risk,” he said. 

“Stricter standards would be beneficial” for the electric sector, Dispel’s Schmertzler said. He advocates for security guidelines set by the National Institute of Standards and Technology to be made “more compulsory and less of a recommendation.”

The national cybersecurity strategy “clearly indicates a greater role for the government in being the front-line in cybersecurity — rather than individuals and businesses,” Schmertzler said. Though he added that with more regulation, the federal government may need to work with utilities on how increased security is funded.

Utility companies “must turn their focus toward developing a comprehensive defense and prevention strategy,” said Dana Simberkoff, AvePoint chief risk, privacy and information security officer. The White House's cybersecurity strategy “brings to light just how essential it is for utility and power companies to continue safeguarding [their systems] ... [and] makes clear it's no longer enough to have legacy and outdated response policies in place.”

The White House said it plans to work with Congress and the private sector “to develop legislation establishing liability for software products and services” that would prevent “manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios.”

To incentivize secure software development practices, the strategy calls for encouraging “coordinated vulnerability disclosure across all technology types and sectors,” promoting development of software bills of materials, or SBOMs, and developing “a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure.”

The utility sector has been working with the federal government to utilize SBOMs in procurements.

Alrich said software development processes should be secure but warned against pursuing greater developer liability as an easy fix.

“The liability for almost any cyber breach can be traced to thousands of clueless individuals in all walks of life,” he wrote March 3 on his blog. “If you wanted to assign liability properly, you’d have to trace down all these individuals and spend a year or two figuring out exactly how much of the bill each of those parties is responsible for. Then, you’d have to get each of them to pay their fair share.”

A growing number of hackers are developing capabilities to disrupt energy infrastructure in North America, according to a new report from Dragos. The industrial cybersecurity firm said it is now tracking 20 “activity groups” that target a wide range of industrial sectors around the world, but noted the cyber defenses of the electric sector are among the best.

A group known as “Bentonite” emerged in 2022 with a focus on the oil and gas sector. Also new is “Chernovite,” which Dragos said has developed a modular industrial control system, or ICS, attack framework called “Pipedream” which could initially target the electric sector, among others.

Grid officials do not expect the threat to abate. “Increasingly bold adversaries regularly employ new tactics, techniques, and procedures; they are also exploiting new and legacy vulnerabilities,” the North American Electric Reliability Corp. said Feb. 21 in its annual report. 

When it comes to cybersecurity, last year extended a trend seen in 2021, NERC said.

“The threat landscape continued to demonstrate adversaries’ potential capability to disrupt critical infrastructure in North America,” the reliability organization said. “As a result of sector interdependencies, grid evolution, and an expanding supply chain, the threat surface as well as the potential magnitude of impacts has increased.”

In the electric sector, the increasingly-distributed nature of grid resources means more potential targets, say experts. But Dragos said utilities are largely well-defended and positioned to respond, among industries targeted by hackers.

“Electric utilities showed the best preparedness, followed by oil and gas,” the Dragos report said. “Manufacturing represented the worst results among verticals.”

Attackers continue to hone their capabilities, however. The Bentonite group Dragos began tracking last year “has been active and focuses on targeting oil and gas [companies],” said Ben Miller, vice president of services. Miller hosted a discussion Feb. 23 of the Dragos report.

“They're doing initial access, reconnaissance, and they have demonstrated command and control capabilities within these custom properties and oil and gas facilities,” Miller said. So far, however, the group has “not necessarily demonstrated the ability to gain access into the OT or ICS environments.”

A group of threat actors dubbed “Erythrite” have been targeting U.S. and Canadian companies since 2020 and last year “compromised the IT environments of two large electrical utilities,” according to Dragos.

Dragos also began tracking a group known as Chernovite in 2022, with particular focus on its modular ICS attack framework called “Pipedream.” Initial targets could include the electric sector, oil and gas, and manufacturing, Dragos said.

Chernovite “possesses a greater breadth of ICS-specific knowledge than previously discovered threat groups,” according to the report, The Pipedream malware “includes capabilities to disrupt, degrade, and potentially destroy physical processes in industrial environments” and is the “first cross-industry and repeatable disruptive ICS attack framework known to date.”

Defending against an increasingly-sophisticated threat means developing a response plan that is specific to the OT environment, said Miller. 

“That can be very broad and can be actually quite intimidating,” Miller said. “Our recommendation is to start off with a scenario — whether it is Chernovite and Pipedream or whether it is a ransomware case — and develop that scenario and a clear response plan, before moving on to the next one.”

Entities that have done this with more the than a single scenario are “ahead of the pack,” he said.

NERC’s annual report also highlighted the need for grid security to extend beyond cyber concerns.

“Throughout North America as the year drew to a close, the need for continued vigilance was thrown into sharp focus with attacks on substations in North Carolina and in the Pacific Northwest,” NERC said. 

Multiple substations in Washington were damaged on Dec. 25, leading to more than 14,000 outages on the Tacoma Power and Puget Sound Energy systems. And a North Carolina firearms attack earlier in the month knocked power out to about 45,000 Duke Energy customers.

“The industry should expect further regulatory inquiries and potential actions from the federal government in response,” according to Jason Christopher, director of cyber risk at Dragos. But with 55,000 substations around the country, “there are obvious risk-based limitations on addressing physical threats that need to be managed.”

The U.S. Nuclear Regulatory Commission has updated a 13-year-old guide to protect nuclear plants from cyber attacks, requiring plans that detail operations and protections against vulnerabilities.

Notice about the updated guide, known as Revision 1, was published in the Feb. 13 Federal Register.

The Regulatory Guide posted on the NRC’s website describes “design-basis threats” to be used to build safeguard systems to protect against acts of radiological sabotage and prevent the theft of radiological material.

Revision 1, according to the Federal Register notice, incorporates references to industry guidance on identifying and protecting critical digital assets. It also clarifies guidance on defense-in-depth, or comprehensive protections, for cybersecurity. And it includes updated text based on the latest security guidance from the National Institute of Standards and Technology and International Atomic Energy Agency.

The NRC in 2010 issued cybersecurity regulations that cover structures, systems and components important to radiological health and safety at NRC-licensed nuclear power plants. Digital assets at nuclear power plants that had been covered by cybersecurity regulations of the Federal Energy Regulatory Commission were transferred to the jurisdiction of the NRC.

Nuclear plants have since updated cybersecurity plans to incorporate balance of plant systems, which are the supporting components and auxiliary systems, apart from the generating unit, that help deliver energy. 

In 2015, the NRC published guidance on cybersecurity event notifications. It set requirements clarifying the types of cyberattacks that require NRC notification, the timeliness of notifications, and other details.

The 160-page revised guidance clarifies issues identified in cybersecurity inspections, technologies and information from a security frequently asked questions process and from international and domestic cybersecurity attacks.

The guidance requires nuclear plants to describe in cybersecurity plans how they have “achieved high assurance” that digital systems are protected from cyberattacks. A plan must demonstrate a safety-related and emergency-preparedness function, including offsite communications.

Plant operators must show how cybersecurity plans protect the integrity and confidentiality of data and software, physical security program and protective strategies and how they would protect, detect, respond to and recover from cyberattacks.

Cybersecurity plans must provide details of a nuclear plant’s defenses against cyberattacks: how a plant’s cybersecurity program works; how a cybersecurity program is incorporated into its physical security program; how a cybersecurity awareness and training program provides training; and how a nuclear plant evaluates and manages cybersecurity risks.

The NRC says a nuclear plant licensee can establish cybersecurity training by defining and documenting roles, responsibilities and authorities and making sure they are understood.

The regulations describe who is responsible for oversight and communications in administering the cybersecurity plan.

The ongoing expansion of the U.S. electric vehicle ecosystem is creating new cybersecurity risks for the nation's power system by offering hackers access through widely distributed and less well-protected charging stations, but solutions are emerging, charger software providers and researchers said.

Recent hacks using Russian charging stations to ridicule Vladimir Putin and British chargers to play adults-only content show cyber threats are real, public and private sector analysts said. Accessing customer personal or financial data has been demonstrated, and an EV boom driven by proliferating transportation electrification policy goals could spread threats across the power system, they added.

With a Biden Administration goal of 50% of new car sales to be zero emissions by 2035 and funding for a national EV charging network, U.S. transportation electrification“is accelerating at a breakneck speed,” said Joseph Vellone, North America head for international charger software provider ev.energy. Innovative utility-managed charging programs could allow “an attacker with malicious intent to destabilize the power system,” he said.

“Permissive access to chargers was adequate for traditional power systems,” but “vehicle-grid integration” to manage charging “adds orders of magnitude of operational complexity,” added Duncan Greatwood, CEO of cybersecurity specialist Xage. Vulnerability is significant because “cybersecurity strategies were only introduced into the energy sector in the last 18 months,” he said.

EVs, now about 1% of the 250 million U.S. light-duty vehicles, rose to 6.1% of new U.S. vehicle sales in Q3 2022 from 3.7% in Q3 2021, Clean Technica reported September 13. By 2030, they could be 52% of new car sales, according to a BloombergNEF estimate reported September 20. And vulnerabilities will increase with that rapid EV ecosystem expansion across the power system’s attack surface, cybersecurity specialists agreed.

Those vulnerabilities threaten more serious impacts than ridiculing Putin or randomly showing adult content, power industry, private cybersecurity providers, and cybersecurity research leaders said. An October 25 Office of the National Cyber Director-led forum recognized that new answers for EV ecosystem cybersecurity are needed. But stopping Black Hat attackers with financial or worse motives who seem always a step ahead will be challenging, those leaders acknowledged.

Detailing the threats

The U.S.’s over 122,000 total public charging ports and its 455,000 new EV sales in 2022 led the individual country rankings in the BloombergNEF EV Dashboard released September 21. And “people are plugging in and charging without attacks,” said Sunil Chhaya, a senior technical executive for transportation at the Electric Power Research Institute.

But “hackers are everywhere,” and the growth and visibility of the EV ecosystem will magnify the temptation to either make money or a political point,” Chhaya said. “The consequences of threats not addressed are real” because “charging infrastructure is a good entry point” for financial, EV ecosystem, or power system attacks, he added.

The EV ecosystem is part of a growing “internet of energy” market that will support the energy transition but comes with the “side effect” of an increased attack surface, agreed Schneider Electric VP for Product Cybersecurity and Chief Product Security Officer Megan Samford.

Most recent attacks focused on vulnerabilities between utility-owned power system assets and chargers to obtain customer personal and financial data or disrupt charging, Samford said.

Few specifics on attacks are made public, but in addition to the Russia and U.K. events, a white hat attack on German Tesla charging stations was reported by Bloomberg News January 11. In addition, international researchers identified 13 vulnerabilities in 16 charging systems, TechRepublic reported March 23. Finally, out of more than 240 attacks on charger stations globally in 2021, 40.1% used charger access to get at charger company servers, according to Israeli EV cybersecurity specialists Upstream’s 2022 report.

Without early detection, attacks such as these could lead to “cascading” power system outages, Samford said.  

Too often, cybersecurity is “an afterthought” in connecting public charging to the power system, according to a 2019 EPRI comprehensive cybersecurity plan. But planning should include principles of data confidentiality, including protections to access and acknowledgment of risks to safety, privacy, reliability, and finance.

Charging stations provide increasingly complex interactions about when and how quickly vehicles are charged and discharged, said Xage’s Greatwood. “The easiest hack is not vertically into the well-protected power system core but horizontally to spread malware across less well-protected EV charging stations and station management systems,” he added.

“The energy transition is making grid edge assets more important,” he said. “A successfully widespread attack could stop traffic” or “create a local outage that leads to a cascading power system disruption,” he agreed.

Distribution system infrastructure like substations are difficult to attack and system voltage and frequency are carefully monitored, said Rolf Bienert, managing and technical director of leading power system standards advocate OpenADR Alliance. But as smart chargers and real-time pricing are used to address demand spikes, attackers might disrupt communications to create reliability failures, he said.

The charging system’s ready public access through remote physical connections, its limited designed-in security, and its expansive attack surface makes it “by far the most vulnerable element” in the EV ecosystem, Roy Fridman, CEO of Israeli cybersecurity specialist C2A Security, summarized in a July 4 blog.

Software “is the connective tissue between utilities and system operators” allowing management of EV charging “to balance loads,” said ev.energy’s Vellone. But EV charger software “could carry a Trojan horse planted by a rogue agent or nation like Russia or China,” he agreed.

In a state with a heavy charging load like California, the attacker “could orchestrate a sudden huge power surge during a peak demand period that could easily be catastrophic,” Vellone said. Cascading circuit outages “could result in something like the August 2003 two-day blackout across the Northeast caused by a fallen tree branch,” he suggested.

U.S. cybersecurity standards like federally-ordered Zero Trust and Defense in Depth strategies are inadequate for fully protecting financial and personal data or regulating charger firmware and software, Vellone and others said.

“The gold standard is the 2018 European Union General Data Protection Regulation’s strict, comprehensive, and forward-looking guidelines,“ and U.S. federal legislation could use the 2018 California Consumer Privacy Act as a template, Vellone said.

Cybersecurity efforts like the General Services Administration’s May 2021 Executive Order 14208 and President Biden’s October 11 Executive Order offer no guidance for the EV ecosystem, stakeholders agreed. And payment card industry security standards for gasoline pumps omit critical EV charger vulnerabilities that should be addressed by the North American Electric Reliability Corporation, they added.

Utilities were quick to answer Utility Dive queries about their cybersecurity efforts but, for good reason, reluctant to detail incidents or the growing threat potential.

The utility dilemma

A conundrum limits utility and system operator public comments on cybersecurity. They want customers and shareholders to know they are aware of and working on solutions to threats, but they cannot detail experiences and preparations because it could reveal their enormous attack surfaces’ vulnerabilities, they unanimously agreed. 

“We would rather not provide details on particular threats,” said Consolidated Edison spokesperson Allan Drury. But ConEd’s experts and government and industry partners are helping develop “a robust defense-in-depth program to mitigate the threats,” he added.

Federal cybersecurity guidance describes a defense-in-depth strategy for charging stations as multiple layers of automated authentication and operations monitoring from the utility to the charger, C2A’s Fridman and other security providers said.   

DTE Energy vehicle-grid integration programs include open access software platforms, but “we coordinate extensively with our industry partners on cybersecurity,” was all DTE Energy Spokesperson Angela Meriedeth could disclose.  

“For obvious reasons, San Diego Gas and Electric does not discuss specifics of our security efforts,” Krista Van Tassel, the utility’s spokesperson, echoed. But “critical systems” are “rigorously” tested for vulnerabilities, security practices and tools are “continually” reviewed, and the utility is working with industry partners on “risk mitigation strategies,” she added.

Southern California Edison is similarly working with industry stakeholders to develop cybersecurity “standards and protocols” to “reduce cybersecurity risk to the grid as EVs continue to grow,” the utility’s spokesperson Brian Leventhal said.

Washington state’s Avista Utilities does not now face a significant cyber threat because chargers and utility control systems are not interconnected, Rendall Farley, its manager of electric transportation, said. But future programs and a “next generation of high-powered chargers” may interconnect utility systems through managed charging to address demand peaks, which would require “mitigating any cyber threats,” he said.

Strategies to mitigate such vertical attacks on utility control systems from public chargers and to securely update cybersecurity software and firmware are being developed, researchers and private sector experts agreed.

Emerging strategies and tools

Many utilities are planning to manage EV charging loads, which will increase vulnerabilities to cyberattacks, most stakeholders agreed. But funding and research are already addressing the challenge, many said.

“The five-year $5 billion funding of a national interstate charging corridor in the Infrastructure Law “is a once in a generation opportunity,” said Idaho National Laboratory Senior Research Engineer Tim Pennington. It can lead to “important new cybersecurity standards” from federal agencies, he added.  

Charger hardware can have “independent certifications” for meeting cybersecurity standards, be programmed with “self-aware, built-in, security capabilities,” and be given routine “system checks,” Schneider Electric’s Samford said. But capabilities are still needed to “detect anomalous behavior across the network and system,” to identify “potentially malicious behavior,” and to “take action,” she added.

INL is developing those capabilities within the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response, or CESER, programs, Pennington said. And its laboratory demonstrations have shown the new strategies and technologies can work, he added.

There is “no official specific intelligence about an adversary or a threat,” INL Energy Threats Program Manager Jamie Richards, working under the CESER programs, specified. But laboratory demonstrations with high-powered chargers showed a new tool can detect and mitigate attacks, she added.

One INL demonstration showed charger vulnerabilities like a piece of readable code, a default password, or an accessible public charger port make serious impacts possible, Richards said. In a second demonstration, INL’s safety instrumented system, or SIS, cybersecurity tool, “recognized adversary behaviors targeting those charger vulnerabilities with a 75% success rate,” she added.

INL is now testing automated SIS interventions like interrupting charging to prevent escalating impacts, Richards said. The SIS tool’s cost-effectiveness “is hard to know at this stage” because “the return on investment for any security solution is not typically justified until the cost of what it can prevent becomes clear,” she added.

A coming but not yet announced EPRI online tool will allow EV ecosystem participants “to assess their cybersecurity strengths and weaknesses and obtain mitigations based on related industries’ best practices,” EPRI’s Chhaya said. 

But best practices from other industries may not provide the cybersecurity needed for the EV ecosystem, Xage’s Greatwood said. “Banks can use manufacturer-installed security certificates in laptops and cellphones, but that level of authentication is not built into today’s EV charging systems,” he said.

A Mesh Architecture defense strategy could provide a higher level of cybersecurity by storing user identity authentication information in multiple, programmed internet “nodes,” he said. “If two nodes of a 20-node Mesh are hacked, the other nodes will recognize the intrusion and deny further access to the hacker to maintain a distributed system’s integrity,” Greatwood added.

“In traditional operational security, the system is as weak as its weakest link and one hack creates access to the entire system, he said. With a Mesh architecture, hacked nodes are “quickly identified and reset,” which means “more nodes in the Mesh makes the system’s security better,” he added. “No protection can be guaranteed, but the Mesh approach makes attacks more difficult and impacts more limited,” he said.

“It is always a cat and mouse game,” EPRI’s Chhaya agreed. “The objective is to combine practices that generally perform securely except for isolated incidents and use them to minimize malicious intrusions and their impacts” because none of the participants in the EV ecosystem “want to end up causing an issue and being in a headline,” he said.

Vellone, whose priority is achieving the 2030 clean transportation mandates, agreed. “Cybersecurity for hardware and software needs to come together at the same time to make this happen and perfect cannot be the enemy of good,” he said. “The commitment must be to continuous proactive improvement and securely updating everything over and over,” he added.