NERC 2023 State of Reliability finds cyber and physical security continues to create reliability challenges


The North American Electric Reliability Corporation (NERC) released its 2023 State of Reliability (SOR) document on Thursday. It states that cyber and physical security remain critical elements of bulk power system (BPS) reliability. The report also indicates that the power system faced a variety of security-related challenges in 2022 that could jeopardize the reliable operation of the BPS.

“However, the BPS remained resilient with none of the incidents impacting overall BPS reliability, despite a number of high-profile distribution outages resulting from physical security attacks,” NERC said in its Technical Assessment of 2022 Bulk Power System Performance. “The growing attack surfaces that result from the increasing penetration of distributed energy resources call for ongoing development and the adaptation of cyber and physical security standards and guidelines to keep up with the ever-changing threat landscape,” NERC identified. 

Furthermore, it added that cyber-informed planning should include designs and be considered when planning and integrating the technologies into the grid to strengthen cyber robustness.

It also added that hostile nation-states persist in targeting North American critical infrastructure, constantly evolving their methods to compromise the grid’s reliability, resilience, and security. “Domestic extremists have demonstrated the intent to attack the electricity infrastructure and take violent action against grid assets.”

The E-ISAC received eight CIP-008-6 reports of cybersecurity incidents or attempts to compromise, which resulted in no customer outages or threats to BPS reliability, NERC reported. “Heightened awareness of security threats underscores the need for responsive cyber and physical mitigations to ensure reliability in the face of the existing security environment. In response to the invasion of Ukraine by Russia in February 2022 and Russia’s resulting threats to nations supporting Ukraine, the Nation’s Cybersecurity & Infrastructure Security Agency (CISA) launched the Shields Up! campaign.” 

Throughout 2022, the E-ISAC observed an increase in physical security incidents that resulted in some level of impact on the grid in comparison to previous years, NERC reported. “The E-ISAC assesses physical security incidents based on their impact or potential to impact the reliability of the grid utilizing a Severity Level Categorization Model. From September through December of 2022, there was a significant increase in the number of serious physical security incidents tracked by the E-ISAC.” 

It added that in November and December, a series of high-profile attacks on substations in the Pacific Northwest and Southeast United States included vandalism, tampering, arson, and ballistic damage. “While there was no impact to the BPS as a result of these incidents, local power disruptions did occur, impacting tens of thousands of customers.”

The report also revealed that concerns regarding growing physical security threats to the BPS led FERC to issue an order that directed NERC to assess the effectiveness of Reliability Standard CIP-014-3, focusing specifically on the inclusion applicability criteria, associated risk assessments, and whether a minimum level of physical security protections should be established for all BPS transmission stations, substations, and primary control centers.

NERC disclosed that none of the incidents or attempts received by the E-ISAC compromised BES (Bulk Electric System) cyber systems or affected reliable operations of the BPS or distribution systems. “NERC remains encouraged that there were no operational impacts and that the entities reported these attempts to the E-ISAC. It also recognizes this represents a very small fraction of cyber activity against industry,” it added.

“The proliferation of new software vulnerabilities enabled geopolitical and criminal actors to conduct a number of ransomware, malware, distributed denial of service, credential harvesting (phishing) attempts, reconnaissance, and scanning attacks against computer networks,” NERC reported. “Several attacks or attempts targeted BES Cyber Systems like electronic or physical access controls and monitoring systems, highlighting the need for vigilance.”

It added that the compromise of trusted third-party vendors also presented a significant risk to the industry as adversaries either exfiltrated sensitive information from engineering, equipment and construction firms used by the industry or sought to compromise software and/or hardware deployed by the vendors.

NERC said that the most common attack vector is the exploitation of software vulnerabilities in unpatched systems. “The number of known vulnerabilities within information technology (IT) and OT networks and equipment continued to grow, including in the electricity industry. These vulnerabilities also manifested in the equipment specifically designed to protect these OT networks and systems.” 

The report also added that the number of entries in the CISA Known Exploited Vulnerabilities Catalog likewise continued to climb in 2022. All adversaries, whether nation-states or ransomware groups, rely on unpatched systems and legacy vulnerabilities to gain initial access. 

“The Apache Log4j vulnerability impact continued into 2022 and highlighted the need for patching and showed the magnitude and impact a common vulnerability can have,” NERC reported. “With IT serving as a likely entry point to enterprise and potential OT networks, vulnerability management should remain an area of focus. As grid transformation necessitates more ubiquitous networking, changes in grid architectures, robust vulnerability management programs for OT environments must keep pace.” 

NERC also identified that the evolution of cyber threats presented new challenges to IT and OT network defenders. The year 2022 saw the release of a targeted industrial control system (ICS) specific attack toolkit. That toolkit, known as Pipedream (Dragos) or Incontroller (Mandiant), facilitates adversaries’ ability to attack OT equipment from well-known electricity industry manufacturers.

“While the toolkit did not lead to an attack or outages, its existence highlights the risk to OT environments for industry. Similarly, the Ukrainian energy authority foiled an attempt by Russian-linked actors to deploy the Industroyer2 malware in its high-voltage substations in the spring of 2022,” NERC observed. “Other notable global cyber events included attacks on European wind turbine companies that resulted in a loss of availability to IT systems and malware that successfully exploited virtual infrastructure hypervisors that are widely used in energy IT and OT systems. In OT cyber security, networks with no internal visibility are difficult to protect.” 

Following the White House 100 Day ICS Cybersecurity Sprint initiative in 2021, FERC issued an internal network security monitoring (INSM) notice of proposed rulemaking in January 2022 that directed NERC to develop new or modified CIP Reliability Standards to require INSM for all high-impact and some medium-impact BES cyber systems.

Furthermore, NERC’s ongoing actions resulting from the notice of proposed rulemaking and subsequent order include conducting a study to determine the feasibility of future INSM requirements for the remaining medium-impact and all low-impact BES cyber systems.

NERC also reported that ransomware continued to impact the industry and key vendor suppliers. “While financial gain is often the primary motive of the transnational ransomware gangs, several of these groups may also operate with the tacit support of nation-state adversaries like Russia and China. In 2022, the FBI received over 800 ransomware criminal complaints from critical infrastructure operators; this included 15 from energy sector entities like electricity asset owners and operators. The top ransomware variants included LockBit, ALPHV/BlackCat, and Hive,” it added. 

Ransomware gangs also targeted trusted third-party electricity contractors like engineering firms, construction services, and original equipment manufacturers. 

The E-ISAC shared information on these events with the industry through all-points bulletins and other cyber bulletins to raise awareness and encourage entities to evaluate their risk.

“While there were no impacts on BPS reliability from these events, the continued targeting of critical infrastructure and the development of ransomware code to target industrial and OT environments highlighted the need for continued diligence,” NERC reported. “The E-ISAC, in collaboration with industry and government experts, developed ICS “Shields Up” Considerations for the Electricity Industry notice for its members to assist entities in improving their response to OT malware and ransomware threats. CISA also began a #StopRansomware Campaign to assist businesses and infrastructure operators of all sizes in preparing for these types of attacks.”

Looking ahead, NERC reported that understanding cyber and physical security threats through coordinated and timely threat intelligence sharing and mitigating the risks posed by these threats through implementing robust security integration strategies is paramount to reducing risks and defending the reliability of the BPS. “The E-ISAC is working closely with CISA through the Joint Cyber Defense Collaborative, the U.S. Department of Energy’s Energy Threat Analysis Center pilot, and the Canadian Centre for Cybersecurity to improve the operational coordination of intelligence on behalf of the industry.” 

Furthermore, industry advisory groups—like the Electricity Subsector Coordinating Council, the E-ISAC’s Physical Security Advisory Group, and the Cybersecurity Advisory Group—play a critical role in providing asset owners and operators input and context to support the U.S. and Canadian governments’ collective defensive efforts.

It also pointed out that industry cybersecurity practices should go beyond the minimum levels specified in the NERC CIP Standards. Strong multifactor authentication for all remote access and malicious code detection at all facilities are prudent due to the nature of the constantly changing threat environment.

The NERC document also revealed that extreme weather events continue to pose the greatest risk to BPS reliability and stability. Transmission system reliability has improved significantly for the fifth consecutive year, and the rate of protection system misoperations also continues to improve. Conventional generation, challenged by more frequent extreme weather, experienced its highest level of unavailability overall since NERC began gathering generator availability data in 2013.
