Cybersecurity researchers from four universities and one utility company are working together as part of a Department of Energy (DoE) Center for Securing Electric Energy Delivery Systems (SEEDS) to help safeguard the nation’s power utilities from cyber attacks.
The $12.2 million DoE funded initiative is augmented by $3.1 million in matching funds from the research participants.
The team is led by faculty from the University of Arkansas at Fayetteville and includes faculty from the University of Arkansas at Little Rock, Carnegie Mellon University Lehigh University, researchers from Florida International University’s (FIU) College of Engineering and Computing and the Arkansas Electric Cooperative Corporation.
“A cyber attack on any part of the nation’s power grid could leave millions of people without power, resulting in serious health and safety threats as well as a major economic blow,” said FIU Electrical and Computer Engineering Professor Osama Mohammed, who is leading the team of FIU researchers. “Working together, we hope to reduce the vulnerability of our power grid and ensure the security of our energy delivery systems for the future.”
According to an announcement, In the first half of Fiscal Year 2015, the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 108 cyber incidents impacting critical infrastructure in the United States.
And as in previous years, the energy sector led all others with the most reported incidents.
Meanwhile, the National Security Agency reported it has seen intrusions into industrial control systems used in the electrical grid by entities with the apparent technical capability “to take down control systems that operate US power grids,” according to the Congressional Research Service (CRS) report, Cybersecurity Issues for the Bulk, prepared for Congress this past June by CRS Specialist in Energy Policy Richard J. Campbell.
“In recent years,” Campbell wrote, “new threats have materialized as new vulnerabilities have come to light, and a number of major concerns have emerged about the resilience and security of the nation’s electric power system. In particular, the cybersecurity of the electricity grid has been a focus of recent efforts to protect the integrity of the electric power system.”
Campbell highlighted that, “The increasing frequency of cyber intrusions on industrial control (IC) systems of critical infrastructure continues to be a concern to the electric power sector. Power production and flows on the nation’s electricity grid are controlled remotely by a number of IC technologies. The National Security Agency reported that it has seen intrusions into IC systems by entities with the apparent technical capability ‘to take down control systems that operate US power grids, water systems and other critical infrastructure.’”
Roughly two decades ago, NSA cyber sleuths reported they’d been able to hack into unnamed utilities’ Supervisory Control and Data Acquisition (SCADA) systems which gave them access to unplug a sizeable portion of the nation’s power grid.
Campbell said, “Many cybersecurity actions are reactive to the last threat discovered. While intrusion detection is a priority, some experts say that mitigation of cyber threats requires a focus on attackers, not the attacks. Cybersecurity strategies may shift from figuring out whether a system has been compromised to an understanding of who authored the malicious software and why. Although malware intrusions may not have resulted in a significant disruption of grid operations so far, they still have been possible even with mandatory standards in place. The North American Electric Reliability Corporation’s (NERC’s) current set of standards, Critical Infrastructure Protection (CIP) Version 5, is moving toward active consideration of bulk electric system security needs rather than just compliance with minimum standards.”
Continuing, Campbell stated, “Electric utilities emphasize the need for timely information sharing and advocate for liability protection from potential damages resulting from a major cyber event. Some observers argue that it is the responsibility of electric utilities to embrace security as part of their strategic business planning and operations. The National Electric Sector Cybersecurity Organization has identified six failure scenario domains intended to assist utility cybersecurity efforts. These scenarios also illustrate the continuing vulnerability of the grid to potential cyber and physical attacks, or a combination of both.”
Campbell’s report highlighted “several areas for congressional consideration to improve grid cybersecurity,” one of which “is whether electric utilities have the resources to make the financial investment and recruit staff to reduce vulnerabilities. Another issue is that NERC CIP standards do not apply to all points of grid connection to the distribution system, and these connections still may represent cyber vulnerabilities.”
“The adequacy of current standards where they do apply is also an issue,” Campbell pointed out.
In the “Issues” section of his 39-page report, Campbell stated, “The electric utility industry is composed of many different companies of various sizes and various ownership and financial structures. Many utilities seem at present to view the potential for a major cybersecurity event as a low probability concern and to want to balance cybersecurity efforts and expenditures with the perceived risks. NERC’s CIP Version 5 seeks to address that thinking by shifting the focus of utilities to provide the necessary levels of security for BES assets with low, medium or high system impacts. However, many other joint federal and industry cybersecurity activities are cooperative, with voluntary adoption of the measures and metrics developed. The effectiveness of strategies developed and the levels of adoption of recommendations may require congressional evaluation.”
But, “Even with mandatory standards,” he said, “the six failure scenario domains identified by NESCO illustrate the continuing potential vulnerability of the grid to cyber and physical attacks, or a combination of both. While improved cyber intrusion detection measures are a high priority, these are more likely to come from government-industry partnerships than from the utility industry’s efforts alone. However, the advice of several initiatives and observers is essentially for electric utilities to embrace cybersecurity as part of their strategic business planning and operations.”
“Cyber intrusions of the grid are believed to be happening, which may be seen as an indication that that more needs to be done by electric utilities to make the system secure,” he continued, pointing out that, “Whether electric utilities can make the investment financially (and recruit staff) for such a mission, is also an issue.”
Finally, Campbell wrote, “Given the potential for damage to the nation’s economy from a major cyber attack on the grid, some might suggest a greater focus on recovery is needed and should become as much a part of a cybersecurity strategy as are efforts to secure the system.”
He added, however, that while, “The bulk electric system is subject to mandatory and enforceable critical infrastructure protection rules for cyber and physical security under the FERC’s reliability mandate … the energy sector is only one of 16 critical infrastructure sectors identified by DHS.” And, “Given that the grid relies on several of the others (for example, for water and fuel transportation), the question of whether these other sectors should also have similar, mandatory standards focused on support of the electric power sector” is probably an issue Congress needs “to consider.”
In addition, he stated, “FERC still asserts that it does not have the ability to react to a ‘fast moving or imminent’ cyberattack.”
Congress may also want to consider whether FERC should have more regulatory authority to deal with cybersecurity threats in real time, he added.
The researchers of the four universities and one utility company exploring how to help safeguard the nation’s power utilities from cyber attacks will be addressing vulnerabilities and challenges in the delivery systems of the nation’s power grid. Their goal is to protect hardware assets, make systems less susceptible to cyber attack and provide reliable delivery of power if such an attack were to occur.
The researches “will be involved in aspects of the project that include protection of core power grid controls and operations by building security and privacy protection into components and services that include micro-grid assets, smart metering and electric vehicles; protecting the communications infrastructure and providing security management capabilities to address operations beyond human capacity; and providing security testing and validation to evaluate the effectiveness of protective measures on the FIU Energy Systems Research Laboratory’s Smart Grid Test Bed in its College of Engineering and Computing’s Department of Electrical and Computer Engineering.
FIU said the team will be testing “developments with the state-of-the-art Smart Grid Testbed” which “emulates a real-time power grid capable of replicating different types of controls for power generation, transmission and distribution with grid connected renewable resources and energy storage in three microgrids.”
The unique test bed is “also capable of testing developed software and implementing various communication protocols and standards as an integrated energy cyber physical system,” FIU stated.
Photo: Florida International University’s state-of-the-art Smart Grid Testbed, located in the university’s Energy Systems Research Laboratory. The Smart Grid Testbed emulates a real-time power grid capable of replicating different types of controls for power generation, transmission and distribution with grid connected renewable resources and energy storage in three microgrids. It is also capable of testing developed software and implementing various communication protocols and standards as an integrated energy cyber physical system.