Critical infrastructure
News
Utilities: Energy & Power, Water, Waste

New NERC report highlights cybersecurity risks as a threat

August 17, 2021
NERC report

A NERC report said that operational security is an essential element of a highly reliable bulk power system (BPS). Cyber and physical security are interdependent aspects as exploitation of either physical or cybersecurity vulnerabilities could be used to compromise the other dimension, according to the North American Electric Reliability Corporation (NERC) report. 

Additionally, the operational and technological environment of the BPS is evolving significantly and rapidly, potentially increasing the potential cyber-attack surface, the NERC report, titled, ‘2021 ERO Reliability Risk Priorities Report,’ said. Resultant impacts could cause asset damage, functionality loss, or limit the situational awareness needed to reliably operate or promptly restore the BPS, the report added. BPS refers to the large interconnected electrical system made up of generation and transmission facilities and their control systems.

Sources of potential exploitation include increasingly sophisticated attacks by nation-states, terrorists, and criminal organizations. Vulnerability to such exploits are exacerbated by insider threats, poor cyber hygiene, supply-chain considerations, and dramatic transformation of the grid’s operational and technological environment, according to the NERC report. These transformative changes include the convergence of information technology (IT) and operational technology (OT), reliance on cloud-based technology, and potential workforce knowledge gaps. 

Automation and integration of OT networks are increasing the attack surface of cyber risk, while the use of cloud-based hosting or services introduces the risk of code and/or data breach vulnerabilities through the use of third-party software and/or hardware, NERC highlighted in its report.

Exploitation could occur directly against equipment used to monitor, protect, and control the BPS or indirectly through supporting systems, such as voice communications or interdependent critical infrastructure sectors and subsectors such as water supply and natural gas used for electrical power generation, the report said. 

A coordinated cyber and physical attack scenario that is potentially targeted to occur simultaneously with an extreme natural event could further impact reliability and/or complicate recovery activities. A man-made EMP event targeted at the BPS may impact operations and result in damaged equipment that may require extensive time to replace, NERC added in its report.

The exploitation of cybersecurity risks could arise from a variety of external and/or internal sources. Additionally, the operational and technological environment of the electrical grid is evolving significantly and rapidly and potentially increasing the potential cyberattack surface. Sources of potential exploitation include increasingly sophisticated attacks by a nation-state, terrorists, and criminal organizations, the NERC report pointed out. Vulnerability to such exploits is exacerbated by insider threats, poor cyber hygiene, supply chain considerations, and transformation of the grid’s operational and technological environment, it added. 

Additional areas of concern related to cybersecurity risks include the potential for increasing cyber-attacks across all sectors, according to the NERC report. The 2020 SolarWinds supply chain attack and the Colonial Pipeline ransomware attacks, for instance, accentuate supply chain vulnerabilities and the prevalence of threats from both foreign actors and domestic adversaries. 

Artificial intelligence and machine learning can also be used as tools that cybercriminals employ. The potential trend toward virtualization and the housing of critical systems in the cloud could expose the electric industry to additional risks for which industry must both account for and plan, it added.  

Supply chains are a targeted opportunity for a nation-state, terrorists, and criminals to penetrate organizations without regard to whether the purchase is for IT, OT, software, firmware, hardware, equipment, components, and/or services, the NERC report said.

Significant and evolving critical infrastructure sectors, such as communications, water/wastewater, financial, and sub-sectors, such as oil and natural gas interdependencies, are not fully or accurately characterized, resulting in incomplete information about prospective BPS response to disruptions originating from or impacting other sectors or subsectors and resultant reliability and security implications, the NERC report said. Furthermore, as there are increasing interdependencies between these critical infrastructures, impacts on one can have a rippling effect on another.

The NERC report also listed grid transformation as being the most significant factor that has an impact on reliability, resilience, and security. It also listed increased vulnerability due to extreme events such as ​​storms, wildfire, extreme temperatures, causing a significant proportion of major BPS impacts. 

“The report provides a holistic view of the risk landscape facing the BPS now and in the future,” Thomas Coleman, NERC’s chief technical advisor and liaison to the RISC, said in a media statement. “It serves as a road map for the identification of key emerging risks and potential mitigating activities to address those risks.”

In its 2020 Annual Report released in February this year, NERC said that reducing OT and IT risks to the electricity industry is crucial to the cyber and physical security of BPS equipment and facilities in North America. Achieving the security objectives depends on the effectiveness and efficiency of NERC’s E-ISAC (Electricity Information Sharing and Analysis Center), which helps members and partners with resources to prepare for and reduce cyber and physical security threats to the North American electricity industry.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Strategic Decision-Making in Cyber-Physical Risk Assessments and Cyber Ethics.
Strategic Decision-Making in Cyber-Physical Risk Assessments and Cyber Ethics.
Sprinting Toward NIS2 Compliance
Sprinting Toward NIS2 Compliance
CISA partners with private sector after Sisense security breach, as critical infrastructure sector potentially impacted
CISA partners with private sector after Sisense security breach, as critical infrastructure sector potentially impacted
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet's FortiClient EMS
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet’s FortiClient EMS
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography