
Compliance, Cybersecurity, & Reliable Operation


The energy and utility sector, like so many other industries, has been improving operations and meeting market demand by advancing its technology. Smart grids, smart meters, and similar systems streamline operations and can maximize service reliability. However, one downside of these advances is the vulnerabilities that come with having cyber assets.

These vulnerabilities can be exploited by malicious actors, who unfortunately are gaining sophistication as fast as cyber technology advances. Such cybercriminals have the potential to expose weaknesses in an entity's infrastructure.

What does it take for a hacker to infiltrate a control system?

If a hacker were able to get into any of the I/O networks, such as EtherNet/IP, PROFINET, or Modbus TCP, they could easily change variables within the controller and open it up to unauthorized connections as well as malicious code injection.

The cybercriminal could then interfere with operational functions, for example, by stopping and starting drives, turning valves on or off, or even worse.

Each entity has hundreds, and in some cases thousands, of people who already have access to its I/O networks. Beyond its own staff, these include, but are not limited to, vendors, IoT technicians, and other contractors.

All it takes is for one unsecured device to be connected to the responsible entity’s network for a determined hacker to gain access.

The United States has 3 power grids, and the number of energy and utility companies is estimated at over 3,300, with around 200 of them providing power to the majority of ratepayers. Add an estimated 818,486 energy and utility employees (as of 2017), and that is a lot of grid access!

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards go into great depth to prevent this sort of infiltration by providing the industry with critical cybersecurity standards.

For instance, and very simply put, the energy compliance standards cover protocols for the following:

● Endpoint authorization — each registered device knows which device it is communicating with, and vice versa.

● Message authentication — transmissions generated by a device are validated and verified by the receiving device.

● Integrity — the signals transmitted between the originating device and the receiving device were not altered during transmission.

● Confidentiality — data and messages transmitted between devices stay within the authorization and access confines of the responsible entity.
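As an added illustration of the first three properties in that list (this is not code from the post, from NERC, or from any vendor), here is a small Python model of two registered devices exchanging tagged messages. The device names, the fixed placeholder key, the sequence numbers and the command strings are all constructed; a pre-shared HMAC-SHA256 key stands in for whatever keying a real grid protocol uses. Confidentiality, the fourth property, requires encrypting the payload and is deliberately left out.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example: one pre-shared 256-bit key per authorized device pair.
# The hex constant is a placeholder; a real system provisions a random key per
# link out of band and keeps it in protected storage on both devices.
DEVICE_KEYS: Dict[Tuple[str, str], bytes] = {
    ("RTU-07", "SCADA-MASTER"): bytes.fromhex("11" * 32),
}


@dataclass
class Message:
    src: str        # sending device
    dst: str        # receiving device
    seq: int        # monotonically increasing per sender, used to reject replays
    payload: str    # the command or telemetry being carried
    tag: str = ""   # HMAC-SHA256 over the fields above, hex encoded

    def canonical(self) -> bytes:
        # Deterministic serialization so sender and receiver MAC identical bytes.
        fields = {"src": self.src, "dst": self.dst, "seq": self.seq, "payload": self.payload}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _key_for(a: str, b: str) -> Optional[bytes]:
    # Endpoint authorization: only registered pairs share a key, in either direction.
    return DEVICE_KEYS.get((a, b)) or DEVICE_KEYS.get((b, a))


def sign(msg: Message) -> Message:
    """Attach the authentication tag a registered sender computes before transmitting."""
    key = _key_for(msg.src, msg.dst)
    if key is None:
        raise PermissionError(f"{msg.src} is not authorized to talk to {msg.dst}")
    msg.tag = hmac.new(key, msg.canonical(), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    def __init__(self, name: str):
        self.name = name
        self.last_seq: Dict[str, int] = {}   # highest sequence number seen per sender

    def accept(self, msg: Message) -> Tuple[bool, str]:
        """Validate endpoint, authenticity, integrity and freshness; return (ok, reason)."""
        if msg.dst != self.name:
            return False, "not addressed to this device"
        key = _key_for(msg.src, msg.dst)
        if key is None:
            return False, "unknown or unauthorized endpoint"
        expected = hmac.new(key, msg.canonical(), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag through timing differences.
        if not hmac.compare_digest(expected, msg.tag):
            return False, "authentication/integrity check failed"
        if msg.seq <= self.last_seq.get(msg.src, -1):
            return False, "replayed or out-of-order message"
        self.last_seq[msg.src] = msg.seq
        return True, "accepted"


def run_checks() -> Dict[str, str]:
    """Exercise the cases a defender cares about; returns the receiver's reason per case."""
    master = Receiver("SCADA-MASTER")
    genuine = sign(Message("RTU-07", "SCADA-MASTER", 1, "valve_12=OPEN"))
    results = {"genuine": master.accept(genuine)[1]}
    # Payload altered in transit with the tag left untouched: integrity failure.
    tampered = Message(genuine.src, genuine.dst, genuine.seq, "valve_12=CLOSE", genuine.tag)
    results["tampered"] = master.accept(tampered)[1]
    # The same genuine message delivered a second time: replay.
    results["replay"] = master.accept(genuine)[1]
    # A device that was never registered cannot produce a valid tag.
    rogue = Message("LAPTOP-X", "SCADA-MASTER", 1, "drive_3=STOP", tag="00" * 32)
    results["rogue"] = master.accept(rogue)[1]
    return results


if __name__ == "__main__":
    for case, outcome in run_checks().items():
        print(f"{case:8s} -> {outcome}")
```

The sequence counter is what turns message authentication into something useful on a control network: without it, a captured and re-sent "valve open" command carries a perfectly valid tag. Logging the reason strings from `accept` gives an operations team a ready-made detection feed for tampered, replayed, or unregistered traffic.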

The above-mentioned standards are just a small fraction of the preventative requirements and operating standards that NERC CIP compliance addresses, from password creation, device authorization, and vendor access protocols to the documentation of all tasks and activities, and much more, all of which can be found in this 2,356-page compliance document. Nevertheless, the standards are only as effective as the responsible entity that implements, applies, and executes them.

On March 5, 2019, a utility company reported the first-ever recorded disruptive cyber event on the U.S. power grid. According to the expert who assessed the event, it did not demonstrate that the hacker was targeting the power grid; it was most likely a script kiddie using an automated bot to seek out vulnerable internet-facing devices.

Nevertheless, the incident does warrant alarm: had the cyber intruder realized the magnitude of their intrusion, they would have had the ability to cause major outages for that region or worse.

In this case, the malicious actor was able to force reboots and expose a vulnerability within the entity's firewall interface, which allowed an unauthenticated user to gain access and cause glitches across that part of the grid.

The firewall interface was internet-facing, which made it easier for a hacker to exploit. Based on what was reported, we can assume that this was the result of a poor software patch management program and, most importantly, that the entity neglected to comply with NERC standards. The entity will likely be penalized and can expect to undergo major scrutiny in the months ahead. However, could this have been prevented if the entity had properly implemented the CIP standards? Could the security protocols required by NERC, such as patch management, have prevented the company from being penalized?

What is patch management for the energy sector?

NERC CIP compliance requires Bulk Power System (BPS) operators to know their patch sources and the tools they use to monitor for new security patches. NERC CIP Reliability Standard CIP-007-6 states that an entity must manage system security by specifying select technical, operational, and procedural requirements in support of protecting Bulk Electric System (BES) Cyber Systems against compromise that could lead to misoperation or instability in the BES. The standard focuses on energy and utility entities monitoring their networks for vulnerabilities and maintaining a documented patch management process. It ensures that BPS operators, whether their assets are standalone cyber systems or ones that can be accessed remotely, maintain a conscious level of security for the grid.
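To make "know your patch sources and keep a documented patch management process" concrete, here is an added Python example of a minimal patch register (not the post's code and not an official NERC tool). It refuses patches from sources the entity has not documented, and flags patches whose evaluation or remediation has fallen outside a time window. The 35-day default is my reading of the CIP-007-6 R2 timeframes and is not stated on the page, so it is a parameter; the patch ids, assets, source names and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumption, not from the page: CIP-007-6 R2 allows 35 calendar days to evaluate
# a new patch from a tracked source, and 35 more days after that evaluation to
# apply it or create a dated mitigation plan. Kept as a parameter so the register
# can follow whatever window the entity's own documented process specifies.
DEFAULT_WINDOW_DAYS = 35


@dataclass
class Patch:
    source: str                             # documented patch source (vendor feed, advisory list)
    asset: str                              # BES Cyber Asset the patch applies to
    patch_id: str
    released: date                          # date the source made the patch available
    evaluated: Optional[date] = None        # date the applicability evaluation was completed
    applied: Optional[date] = None
    mitigation_plan: Optional[str] = None   # required when a patch is evaluated but not applied


@dataclass
class PatchRegister:
    tracked_sources: Set[str]               # sources the entity has documented it monitors
    patches: List[Patch] = field(default_factory=list)

    def add(self, patch: Patch) -> None:
        # A patch from an undocumented source means the source list itself is stale.
        if patch.source not in self.tracked_sources:
            raise ValueError(f"{patch.source!r} is not a documented patch source")
        self.patches.append(patch)

    def findings(self, today: date, window_days: int = DEFAULT_WINDOW_DAYS) -> List[Tuple[str, str]]:
        """Return (patch_id, finding) for every patch that is out of process as of `today`."""
        out: List[Tuple[str, str]] = []
        window = timedelta(days=window_days)
        for p in self.patches:
            eval_due = p.released + window
            if p.evaluated is None:
                if today > eval_due:
                    out.append((p.patch_id, "evaluation overdue"))
                continue                    # still inside the window, nothing to flag yet
            if p.evaluated > eval_due:
                out.append((p.patch_id, "evaluated late"))
            if p.applied is None and p.mitigation_plan is None and today > p.evaluated + window:
                out.append((p.patch_id, "no remediation or mitigation plan"))
        return out


def build_sample_register() -> PatchRegister:
    """Constructed sample data; every id, asset name, source and date is invented."""
    reg = PatchRegister(tracked_sources={"fw-vendor-advisories", "plc-vendor-portal"})
    # Evaluated and applied inside the window: compliant.
    reg.add(Patch("fw-vendor-advisories", "FW-EDGE-1", "FW-2019-01", date(2019, 7, 1),
                  evaluated=date(2019, 7, 10), applied=date(2019, 7, 20)))
    # Released mid-July and never evaluated: overdue by September.
    reg.add(Patch("fw-vendor-advisories", "FW-EDGE-1", "FW-2019-02", date(2019, 7, 15)))
    # Evaluated on time but neither applied nor given a mitigation plan.
    reg.add(Patch("plc-vendor-portal", "PLC-LINE-3", "PLC-2019-03", date(2019, 6, 1),
                  evaluated=date(2019, 6, 20)))
    # Recently released, still inside its evaluation window.
    reg.add(Patch("plc-vendor-portal", "PLC-LINE-3", "PLC-2019-04", date(2019, 8, 20)))
    return reg


def sample_findings(today_iso: str) -> List[Tuple[str, str]]:
    """Run the sample register against a date given as ISO text, e.g. '2019-09-01'."""
    return build_sample_register().findings(today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    for patch_id, finding in sample_findings("2019-09-01"):
        print(patch_id, "->", finding)
```

Run periodically against the real register, the findings list is exactly the evidence an auditor asks for: which patches were noticed, when they were evaluated, and what was decided. The `ValueError` on an undocumented source is deliberate, since an internet-facing firewall whose vendor feed nobody subscribed to never shows up as "overdue" at all.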

Post by Tiffany Aliano

Discussions

Matt Chester on Sep 20, 2019 9:24 pm GMT

Nevertheless, the incident does warrant alarm — had the cyber intruder realized the magnitude of their intrusion, they would have had the ability to cause major outages for that region or worse

There's a lot of concern about not propagating any sort of 'chicken little' type panic, but each and every incident absolutely has to be taken seriously, as was done here. 

Tiffany Aliano on Sep 21, 2019 5:56 pm GMT

Oh, I absolutely agree with you Matt, and with every incident, there are lessons to be learned.  

Richard Brooks on Sep 21, 2019 2:01 pm GMT

Excellent points Tiffany. As you have indicated, a lot more needs to be done to prevent and mitigate damage from cyber attacks. The NERC CIP Supply Chain (CIP-013-1) standard will help on the front end processes, but may be challenging for some smaller entities lacking cyber security expertise. Software object integrity and authenticity (CIP-010-3 R1 1.6) is particularly difficult, as I pointed out in this article

Tiffany Aliano on Sep 21, 2019 7:09 pm GMT

Thank you, Richard, I just read your article as well as your SAG link.  Very interesting!
By an entity employing "software background checks" prior to patching (CIP-007-6) would create a solid layer of cyber protection.
As far as smaller entities are concerned, I too see how certain standards could be especially difficult. Nevertheless, without proper precautions, failures can ripple throughout the rest of the system where it is imperative that each entity large and small take the preventative measures as stated within the NERC standards.
However, challenges breed innovation as you have demonstrated with SAG.  Excellent!

Richard Brooks on Sep 22, 2019 1:56 pm GMT

I concur: "By an entity employing "software background checks" prior to patching (CIP-007-6) would create a solid layer of cyber protection."

Here again I totally agree with your position: "failures can ripple throughout the rest of the system where it is imperative that each entity large and small take the preventative measures as stated within the NERC standards."

Oscillations in particular can cause real problems on the Eastern Interconnection, or any interconnected grid. Stuxnet is living proof that machines can be manipulated to produce operational disruptions, such as oscillation.

Thanks for bringing light to these very important issues and prudent preventative measures.

Tiffany Aliano on Sep 24, 2019 2:24 pm GMT

Thank you, I have enjoyed our discussion.

Richard Brooks on Sep 24, 2019 7:25 pm GMT

Likewise. Thanks.
