The fundamental problem facing the U.S. power industry is simple: It does what it was designed to do.
"And what it was designed to do," notes Jerome Farquharson, the Burns & McDonnell practice manager for Compliance & Infrastructure Protection, "was to generate and distribute electric power."
For most of the industry's history, that was enough. That's because the nation's power infrastructure was designed in an age when cyberspies who manipulate power grid controls for nefarious purposes were fodder for science fiction novels, not the front page of The New York Times.
Since those days, the grid has evolved. Its electrical and mechanical systems have gradually been replaced with digital technologies, Internet-connected devices and smart computer networks that allow remote access to critical systems. "With each addition, the grid — along with the rest of the nation's critical infrastructure — grows more vulnerable," Farquharson says.
What's more, when blackouts occur, the impact ripples in all directions. It can disrupt transportation and health care, close schools and industry, and bring a country's economy to its knees.
Those who wish to cause harm or make a point have taken notice. Then-Homeland Security Secretary Janet Napolitano reported in 2012 that cybercrime had overtaken terrorism as the top threat to the U.S.
Helping the Grid Fight Back
The power industry isn't taking the cyberthreats sitting down. Bolstering the security of its control centers, substations and other critical infrastructure has become one of its highest priorities.
The question is how to do it. And who is responsible for unifying the efforts of the utilities and other independent groups that make up the energy and power sector?
That enormous task — including the development of Critical Infrastructure Protection (CIP) standards and sharing information on cyberevents with the industry — falls largely on the shoulders of the North American Electric Reliability Corp. (NERC), an independent agency formed by the Federal Energy Regulatory Commission (FERC), which regulates the interstate transmission of electricity.
"One of NERC's biggest challenges has been to create cybersecurity standards that keep pace with the escalating threats the industry faces," Farquharson says. "The power industry's challenge is to establish cybersecurity programs that comply with them."
Farquharson manages a cybersecurity center of excellence that, among other things, assists utilities in assessing their vulnerabilities and navigating the NERC CIP compliance process. That is more challenging than it sounds.
Compliance with NERC CIP standards is mandatory. But as Pedro Melendez, senior staff engineer for ITC Holdings, the nation's largest independent electrical transmission company, points out, "They don't come with a prescription. There's no set of rules you have to follow.
"Each entity has the responsibility to look at its businesses, practices and assets, and implement a program that complies with the intent of those standards, and then be able to prove it."
With electrical transmission systems in multiple states, ITC Holdings is one of many power companies that have turned to Burns & McDonnell for help achieving CIP compliance.
"We want to be the best-in-class provider, and we now have a program that supports that and builds for the next generation," Melendez said.
Revolving Door: 5 Standards, 6 Years
There's another reason organizations like ITC Holdings look to firms like Burns & McDonnell for CIP assistance: The standards are constantly changing.
Since the first CIP standards went into effect in 2008, NERC has issued four revisions, each adding new requirements and broadening the kind and number of critical assets affected.
Currently, the power industry is subject to CIP Version 3, even as its members work toward compliance with Version 4, which becomes enforceable in April 2014. There is a strong possibility, Farquharson says, that a fifth version of the CIP standards will be approved before the fourth takes effect, meaning Version 4 would not likely ever reach enforcement. "Many of us hope that Version 5 will simply supplant Version 4," he says.
NERC's latest CIP installment introduces a number of sweeping changes, Farquharson says: "The first four versions of the CIP standard only covered cyberassets that connect to a network. Everything else, including technologies with serial connections, was exempt."
By removing that exemption, the number of critical assets that would require protection under Version 5 would increase substantially. "In a facility with 450 cyberassets, about 80 might be considered critical in CIP Versions 3 or 4," Farquharson says. "In Version 5, that number could easily double."
This newest standard also requires utilities to rate their facilities and cyberassets according to their criticality. A control center likely would be considered a high-impact facility, while a large power generation plant is medium-impact, and everything else is considered low. While all assets would receive some level of protection, greater protections would be required for high-priority critical assets.
A utility that focuses too narrowly on addressing evolving security standards could find itself in trouble. "You can have a security program that is compliant, but not secure. It's better to take a holistic approach, focusing first on creating a strong security program," Farquharson says. "If you achieve that, you will likely exceed the requirements for compliance."
Taking a 'Defense in Depth' Strategy
What does a strong security program look like? For one thing, it must address a wide range of cyber and physical threats. Physical security and cybersecurity go hand in hand, and programs must address people both inside and outside of an organization.
"On one level, you have employees with infected USB drives and thieves who are looking to steal copper wire," Farquharson says. "On another, you have hacktivists from around the world who would love to use your wireless and private networks to manipulate data and artificially establish electricity prices."
There is no perfect system for keeping intruders out. That's why the Burns & McDonnell Compliance & Infrastructure Protection practice typically recommends a "Defense in Depth" strategy. Based on the military principle that it's harder for an enemy to penetrate a complex, multilayered defense system than a single barrier, the firm's CIP solutions include multiple levels of protection.
A physical security system would include physical security perimeters around critical facilities, equipment and other critical assets. It also would have access control systems that allow only authorized people to enter controlled spaces, as well as access-monitoring systems that use cameras, sensors and other systems to record their presence. In addition, access-limiting systems physically control who can access protected resources.
The technologies used to execute these strategies, too, are growing more sophisticated. Intrusion-detection systems that formerly notified users when an intruder had entered the system now check continuously for anomalies in activity. Should one level be successfully breached, other tools should work immediately to contain and repair the damage, while preventing further penetration into the system.
Attacks can be thwarted in other ways, too: more firewalls to protect the systems, more robust networks, more sophisticated and data-driven alert and monitoring systems, and more advanced algorithms to encrypt data.
"The battle is far from over," Farquharson says. "Some believe that cyberwarfare is one of our nation's next big threats. It's our job to do everything in our power to prevent anyone from using the power industry's enormous resources against us."
For more information, contact Jerome Farquharson, 314-682-1628.
NERC Reliability Standards
In 2007, NERC issued 83 mandatory and enforceable reliability standards for the North American power industry. NERC has been revising, updating and expanding them ever since. The standards are organized into 14 categories, including:
- Facilities Design, Connections and Maintenance (FAC)
- Modeling, Data and Analysis (MOD)
- Protection and Control (PRC)
- Transmission Planning (TPL)
- Voltage and Reactive (VAR)
- Emergency Preparedness and Operations (EOP)
- Critical Infrastructure Protection (CIP)