The atmosphere of concern around the security of our grid is inarguably growing. As an industry we are increasingly aware of advances in the development of malware targeted at our SCADA / EMS and other Industrial Control Systems (ICS). This concern was amplified by the recent Department of Homeland Security announcement describing Russian government cyber activities using the supply-chain vector to conduct network reconnaissance, moving laterally, then collecting critical information pertaining to ICS. These evolving cyber threats and increasing points of potential vulnerability are leaving those tasked with protecting the grid sleepless. Not only must they strategize about what a concerted, multi-vector attack by an enemy state might look like and how to defend against it, but they must ponder any potential vulnerability that could be exposed by even a single, rogue hacker.
With the stakes so high, it is not surprising that FERC (Federal Energy Regulatory Commission) is now seeking to impose regulations on the supply chain in an effort to further protect consumers from the disastrous consequences of a compromised grid. Collectively, as an industry, we must continue to balance the operational necessity of our utilities with the needs of the federal regulators to protect our critical infrastructure.
In the same manner that the FDA has broadened their role all the way to the food supply of our livestock by increasing regulations and inspections to protect consumers from tainted food at any stage in the food supply chain, FERC is also expanding their purview beyond control centers, substations, and utility operations and into the related supply chain. Although utilities understand that additional protections to their business and customers are needed, the proscriptive nature of the newly proposed CIP regulations and associated implementation timeframe present multiple challenges.
With FERC’s final order anticipated today, it remains unclear how or if they will address the disagreement over the timeline: a 12-month implementation period versus an 18-month plan of the new regulations or the status for inclusion of Electronic Access Control and Monitoring Systems (EACMS). However, other changes seem certain. First, the regulatory impacts to the supply chain will be limited, for now, to those systems that are categorized as High and Medium Impact BCS using the CIP-002 Categorization principles. As the diagram below indicates, the impacts of these changes will be felt at all points of the life cycle of systems controlling the bulk-electric system. These impacts will continue to be felt as that system operates, gets software updates and is modified.
For most utilities, this is likely to impact a significant number of their vendors. And although these regulations are forward-looking, it is more than likely that most utilities will be involved in CIP-013 based discussions within a few years. It will be vital that these discussions are guided by the utilities who bear the responsibility of meeting the requirements. However, the biggest impacts may well be to the suppliers of these very complicated systems. The utilities must be proactive and develop “vendor compliance requirements” in lieu of leaving it up to vendors to decide. Evaluating whether new or existing vendors can meet these requirements will require a new procurement strategy and a willingness on the part of utilities to re-evaluate long-term vendors that cannot or will not meet the new standards. Some of the key resulting changes may include:
- Vendors being much more transparent about the sources of their software – both at primary delivery and then during the maintenance periods when patches are needed.
- Vendors being aware that some utilities, particularly those that are more risk averse, may seek contract law that spreads any financial risk of penalties or reconstruction to the vendor.
- Utilities including criteria that rate a vendor on their “security record” in their scoring of the vendors’ solutions during RFP or procurement phases.
- Utilities seeking to reduce “direct” interaction of their vendors with their real-time systems.
Need for Action
As the regulations roll out and the dialogue continues regarding the scope of supply chain regulations, FERC has made it clear that the utilities need to take care of this problem or FERC will push for more extensive regulations.
Further, it behooves utilities to work with their vendors, and for vendors to fully cooperate, to develop procurement approaches that are less cumbersome and more transparent. In contrast to today’s procurement approaches, the new regulations will also require utilities to more closely manage vendor remote access and improve the security of the code. Tighter utility/vendor collaboration will yield:
- More automated and continuous compliance processes
- Simpler, more uniform contracting with control system vendors
- Smarter, automated contracting
Whether it’s 12 or 18 months from the time of the final order, utilities and their ICS vendors will need to act quickly to understand their own situation, determine what changes are needed, and launch a program to address the gaps.
Final Thoughts: The Elephant in the Room
What is seemingly missing with all these regulations and industry actions is explicit recognition that cybersecurity threats are not just to the BES but have now spread through distribution to the grid edge. Perhaps because FERC only has BES jurisdiction it is depending on the industry to protect all of its assets regardless of compliance requirements. However, a recent survey by BRIDGE Energy Group found that over 50 percent of North American utilities still look to compliance for its calculation of cybersecurity risk, which is highly insufficient for a successful risk-based approach. Too many in our industry incorrectly believe that a “Ukraine-type” incident is not on the horizon in the United States. Unfortunately, this view may be driven by the fact that the operational necessities and downsizing of most utilities to meet financial earning objectives leaves most on the front lines of the organization without the head space to think otherwise.
If utilities are to stay ahead of the hackers and potential future regulations, it is time to implement comprehensive, risk-based grid security programs that have compliance built-in. It is critical that they manage the security of their infrastructure and systems holistically, from cradle to grave, from generator to the grid edge, and down to the consumers’ homes. Without such a strategy, the cost of compliance will continue to rise and the burdens our utility staff face will continue to drive reactive rather than proactive solutions to threats, leaving our grid poorly protected against the growing threats.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]. Our editorial guidelines can be found here.
