The Federal Energy Regulatory Commission (FERC) held its annual commissioner-led Reliability Technical Conference last week to discuss policy issues related to the reliability of the bulk power system (BPS), including cybersecurity issues that affect OT/ICS environments within the electric sector. The conference comprised four panels addressing reliability issues related to the BPS, with panelists drawn from executives of companies and government agencies.
Basing its testimony on its recent 2021 ERO Reliability Risk Priorities Report, the North American Electric Reliability Corporation (NERC) identified acute cyber threats from China, Russia, Iran, North Korea, and their surrogates. More vulnerability disclosures by security and equipment vendors, together with more voluntary sharing by entities, gave the Electricity Information Sharing and Analysis Center (E-ISAC) greater insight into the cybersecurity issues faced within the threat environment.
The E-ISAC works closely with its members, FERC, and other partners in the Canadian and U.S. governments to produce timely, actionable, and useful defense information for all segments of the electric industry. Apart from these measures, FERC said last year that its Office of Electric Reliability (OER) would be rededicating an internal group to focus solely on cybersecurity issues. An additional group focused on cybersecurity issues, within the Office of Energy Projects’ Division of Dam Safety and Inspections, was also announced at the time.
“Sharing of cyber security information on the E-ISAC’s secure portal increased by 96% in 2020 compared to 2019, leading to greater industry awareness of threats,” NERC said in its testimony. “Furthermore, the pandemic created an increased remote cyber security attack surface for industry due to increased telework. This required greater sharing and collaboration by the E-ISAC with all levels of the electricity industry, United States and Canadian governments, and partners than ever before,” it added.
NERC also said that cybersecurity and physical security of the BPS remain a key focus area. The agency continues to leverage its existing tools, such as information sharing through the E-ISAC, studies and assessments, and the standards development process, to evolve with these increasing risks and vulnerabilities.
Another important tool that NERC uses is the Cybersecurity Risk Information Sharing Program (CRISP) for near real-time bidirectional exchange of cybersecurity information. Last year, CRISP started new pilots focused on operational technology (OT) that will increase access to data and analytic capability at the E-ISAC. The CRISP pilots further complement new work the E-ISAC is doing this year to support the White House and DOE 100-day cybersecurity initiative for industrial control systems (ICS) in the electricity subsector by increasing its visibility into these critical OT systems.
Based on the effectiveness of E-ISAC programs, NERC encourages the industry to increase voluntary information sharing to deal with rising cybersecurity issues as adversaries adopt new tactics, new vulnerabilities are exploited, and the magnitude of potential impacts changes as the grid evolves and cross-sector interdependencies increase, the agency added in its testimony.
Ransomware within OT/ICS and the North American bulk electric system (BES) has been deployed within various facilities, both in North America and globally. Such attacks are defendable, though they require more visibility of both the OT/ICS environments and their threats than is often available within those environments, Ben Miller, Dragos’ vice president of professional services and R&D, said in his testimony at the FERC conference.
“That said, incentives do not adequately exist to detect, log, or gain visibility needed to properly identify, investigate, and respond to today’s multi-staged, and often unpredictable, intrusions,” according to Miller. “Additionally, third party suppliers and networks offer a clear potential for wide scale supply chain attacks against their customer OT/ICS environments similar. The SolarWinds, Kaseya, and M.E.Docs (NotPetya) attacks serve as clear and well understood case studies.”
There is increasing awareness that the OT/ICS that helps run the BES is unique, and that defending it is not the same as defending our traditional enterprise systems. The threats continue to evolve, but so does the market, Miller added.
Last year, Dragos identified EKANS ransomware with ‘ICS awareness,’ including the ability to identify an HMI (Human Machine Interface), historian, and other OEM software. That said, much of the ransomware observed within OT/ICS environments was rooted in opportunistic compromises that moved in from traditional internet or corporate environments by way of weak network segmentation. This includes taking advantage of poor authentication practices and/or the allowance of native Microsoft protocols between trust zones, such as across an electronic security perimeter.
Roy Jones, CEO of ElectriCities of North Carolina, also testified as part of a national panel of experts to discuss the challenges to the reliability of the nation’s electric grid. Jones, testifying as one of nine experts invited by FERC to the virtual Reliability Technical Conference, spoke on behalf of public power communities nationwide, including the 89 community-owned electric systems in North Carolina, South Carolina, and Virginia that are members of ElectriCities.
Turning to the supply chain, Jones said that FERC must assist the industry by pressing for additional government assistance to influence supplier cybersecurity practices. “If vendors are to take on what we believe should be a fundamental responsibility if they are to serve the electric industry, the Commission, and governmental partners at the Department of Energy (DOE) and the Department of Homeland Security (DHS) must bring the vendors to the table to discuss certification criteria and a consensus-based approach to participation,” according to his submission.
“Electric utilities and other NERC Responsible Entities do not, individually, have the authority or leverage to make this happen. In addition, risks to the reliability of the BES have ramifications far beyond the electric industry, including on the vendors herein discussed, thus warranting a coordination role for federal authorities,” Jones added.
To inform an integrated approach to security and establish a whole-of-industry approach to converged threats, utilities should begin with a holistic cybersecurity maturity assessment to evaluate current cybersecurity maturity, benchmark capabilities against industry peers, and identify opportunities to build incremental capabilities, McKinsey said in a recent insight. In addition, they should map key business functions into a value chain, allowing business units to prioritize and protect the most critical information assets and systems that drive business value, it added.