The U.S. power industry was designed to generate and distribute electric power, but the energy grid has evolved since its initial conception and design. Its once mechanical controls have gradually been replaced with digital technologies, computer networks and Internet-driven devices. With each addition, the grid — along with the rest of the nation's critical infrastructure — grows vulnerable in different ways.
The Fight Against Cyberthreats
In 2012, then-Homeland Security Secretary Janet Napolitano reported that cybercrime was the No. 1 threat to the United States, ahead of terrorism. That remains the case today; however, the power industry is not sitting still. Power industry professionals and engineers are fighting back by strengthening control center security, generation plants, substations and other critical infrastructure.
Such a huge task prompts the question: Who is responsible for leading the fight against cyberthreats? This falls largely on the shoulders of the North American Electric Reliability Corp. (NERC), an independent agency formed by the Federal Energy Regulatory Commission (FERC), which regulates the interstate transmission of electricity.
Compliance with NERC Critical Infrastructure Protection (CIP) standards is mandatory; however, as Pedro Melendez, senior staff engineer for the nation’s largest independent electrical transmission company, ITC Holdings, notes, “(the standards) don't come with a prescription. There's no set of rules you have to follow.’’ As you might imagine, that makes the nuances of compliance quite complicated.
Moving Targets: Evolving Protection Standards
As mentioned, the process of providing CIP assistance is nuanced and complicated by compliance standards that are evolving and changing. The first CIP standards took effect in 2008, and NERC has released six revisions since then. At the moment, the power industry is beginning to transition from CIP Version 3 to CIP version 5, which becomes effective on April 1, 2016, for high and medium-impact assets BES cyber systems and April 1, 2017, for low-impact BES cyber systems.
The latest revision requires utilities to rate their facilities and associated cyberassets according to NERC CIP-002 Version 5 of the bright-line criteria. For example, a control center could be considered a high-, medium- or low-impact facility depending on the characteristics of the BES assets they control, whereas the BCS for a large power generation plant at 1,500 megawatts could be considered a medium- or low-impact asset depending on the scope of control. While all assets would receive protection, those of a higher impact would receive the most safeguards.
Implementing a Protection Strategy
There’s no flawless system for eliminating cyberthreats. Burns & McDonnell typically recommends to a "defence in depth" strategy based on multiple levels of protection. With physical security perimeters surrounding critical facilities and equipment, the strategy would implement access control systems, allowing only authorized personnel to enter controlled spaces. Additionally, access-monitoring systems with cameras and sensors would be installed to control access to protected resources.
The technologies that would be used to implement these strategies are becoming more sophisticated and they, too, are ever-changing. Today, it’s as important to protect systems from threats using the best technological tools, including complex firewalls, robust networks, data-driven alert systems and advanced algorithms to encrypt data as it is to protect systems from physical threats. We discussed this topic recently in much greater detail for Benchmark, our corporate magazine. If you are interested in the full article, you can access it via the link below.
What about you? What are your thoughts on NERC’s fight against cyberthreats? What about the ever-evolving protection standards and how increasingly complex it has become to protect cyberassets? What kind of strategies are you employing? It would be great to hear your thoughts on this issue, so please comment here or email me directly. And, of course, if Burns & McDonnell can help you in any way or if you have any questions on cybersecurity, feel free to connect with me on LinkedIn — this is an issue I never tire of discussing!
Jerome Farquharson oversees the compliance and critical infrastructure department in Burns & McDonnell’s St. Louis office. He regularly performs cyber and physical risk assessments for utilities and has extensive knowledge of current government regulations, including NERC Reliability and CIP standards. You can learn more about Jerome’s experience and connect with him on LinkedIn.
Other resources on this topic:
Benchmark: Protecting the Grid