North America’s bulk power system provided an “adequate level of reliability” in 2016, according to the North American Electric Reliability Corp. (NERC), and by most metrics its reliability is improving. In the area of cybersecurity there were no serious events last year, but that does not mean there are no serious threats.
“In 2016, there were no reported cyber or physical security incidents that resulted in a loss of load,” NERC reported in its State of Reliability report. “Nonetheless, grid security, particularly cyber security, is an area where past performance does not predict future risk. Threats continue to increase and are becoming more serious.”
NERC noted that that National Institute of Standards and Technology reported a 23 percent global increase in cybersecurity vulnerabilities in 2016 and a 38 percent increase in security incidents, a trend that “indicates that vulnerabilities are increasingly being successfully exploited, and reinforces the need for organizations to continue to enhance their cyber security capabilities.” Because of the power system’s status as a critical infrastructure, the need to enhance cybersecurity takes on greater urgency.
NERC is the international regulatory authority that oversees the bulk power system of the United States and Canada. This is the interconnected system of generation and transmission facilities, which does not include local distribution grids.
Determining the actual cyber risk to the power system is difficult because the NERC relies on reports of incidents that result in a system losing its power load. There was just one such incident reported in 2015 and none in 2016. But a lack of incidents does not mean a lack of risk. Vulnerabilities can exist in enterprise IT and operational control systems that have not yet been exploited, or that might have been silently compromised. The agency acknowledges that the mandatory reporting process does not create an accurate picture of cybersecurity risk because most of the threats detected by the electricity industry were in the enterprise environment (e-mail, Websites, smart phone applications, etc.) rather than the control system environment.
This does not mean that the industry is ignoring the threats. The Electricity Information Sharing and Analysis Center (E-ISAC) gathers security information, coordinates incident management, and shares mitigation strategies with stakeholders. It also manages the Cybersecurity Risk Information Sharing Program (CRISP), a public-private partnership with NERC and the Energy Department to facilitate information sharing and protection against sophisticated threats. The program is voluntary, but the participating companies serve about 75 percent of U.S. consumers. The Cyber Automated Information Sharing System (CAISS) is a pilot program to allow grid operators to use known indicators of compromise to help identify malicious activity.
NERC makes a number of recommendations to address the growing security risks to the bulk power system. The first is to redefine reportable incidents to include those with apparently no consequences, which would provide a more granular picture that could help identify precursors to more serious attacks. Other recommendations are:
• Run malware signature comparisons from CRISP data to create threat benchmarks.
• Use data obtained from CAISS and other capabilities to characterize the type and frequency of reported threats.
• Expand outreach to public and private sector data resources, such as the FBI, SANS Institute and corporations.
• Encourage collaborative efforts to strengthen situational awareness for cyber and physical security.
All in all, the power system is not in too bad shape. But, like government and every other industry sector, its cybersecurity is not adequate to face the growing threats it faces from cyberattacks. Its distinguishing feature is that it is a critical infrastructure. Perhaps the most critical infrastructure, because every other infrastructure relies on the electricity it delivers to operate. This makes it critical that the power system’s reliability goes beyond adequate to fully protected and resilient.