NERC’s 2019 ERO Reliability Risk Priorities Report identified and prioritized the major risks facing the utility industry with a particular focus on security issues.
Cybersecurity – A Risk to Manage
NERC considers cybersecurity to be the highest impact and highest likelihood reliability risk. Cybersecurity vulnerabilities can arise from a variety of external and internal sources. Additionally, the operations environment of the electric power delivery system is evolving rapidly, quickly expanding the potential cyberattack surface. Potential attackers include nation states, terrorists and criminal organizations; the risk is exacerbated by insider threats, the complexity of maintaining cyber hygiene, uncertainties around new systems and devices, and the rapid proliferation of interconnected distributed energy resources (DERs). Additional concerns include IT/OT convergence, migration to cloud-based technology and workforce knowledge gaps.
Physical Security – A Risk to Monitor
Physical security risks are often better understood than cybersecurity risks. Actual instances of successful physical attacks on utilities (those resulting in significant damage or disruption) have been rare, and such attacks are likely to be geographically localized to certain facilities rather than spread across an entire utility. The largest current physical security considerations are codependence with cybersecurity systems (computer controls for physical access) and the prospective impact of replacing long lead-time equipment (large power transformers) damaged during an attack. Concerns about security vulnerabilities posed by drones continue to evolve, however.
Electromagnetic Pulse – An Emerging Risk to be Addressed
An electromagnetic pulse (EMP, or HEMP for a high-altitude EMP) is a short-duration, high-intensity burst of electromagnetic energy that can disrupt or damage sensitive electronic equipment. The greatest reliability risk to utilities comes from a major HEMP, such as one produced by the detonation of a nuclear device in the atmosphere; such an event would likely be initiated by a nation-state and therefore has clear national security implications. EMP concerns include the large geographic footprint susceptible to the pulse, the range of power system equipment at risk (generation, transmission, distribution and load) and the inability to predict such an attack.
Mitigating Security Risks
NERC’s report makes specific recommendations and assigns responsibilities to NERC itself and to other organizations to mitigate security risks, including:
- NERC should assess the risks of attack scenarios on midstream or interstate natural gas pipelines, particularly where natural gas availability will impact the availability of generation and the reliability of the BPS.
- The Electricity Information Sharing and Analysis Center (E-ISAC) should encourage continued industry efforts on workforce cyber education to raise awareness of methods and tactics used by cyber attackers (email phishing, credential theft).
- The North American Transmission Forum (NATF) and the North American Generation Forum (NAGF) should develop supply chain cyber security superior practices.
- E-ISAC should execute a long-term strategy to improve cyber and physical security information-sharing and risk analysis and increase engagement within the electric sector, as well as with other ISACs.
- NATF, NAGF, Trades and E-ISAC should develop tiered security performance metrics. Such metrics would track and evaluate events and use predictive analysis to identify and address prospective vulnerabilities on a risk-prioritized basis.
- NERC should facilitate the development of planning approaches, models and simulation approaches that reduce the number of critical facilities and mitigate the impact relative to the exposure to attack.
- NERC’s Electromagnetic Pulse (EMP) Task Force should highlight key risk areas arising from EPRI’s EMP analysis for timely industry action.
NERC CIP Standards Development Projects
As a result of the focus on security, three CIP standard modification and development projects are currently active; they are listed in the resources below. These projects will be discussed in future TRC Regulatory Updates as they move toward finalization. They reflect the urgency being expressed by regulatory authorities relative to the security risks discussed above.
How Does the NERC Risk Report Impact Your Company’s Security Plans?
The security risks identified in the NERC Risk Report are considered high impact and, in the case of cybersecurity attacks, high likelihood. Existing mandatory NERC Standards, and significant modifications to those standards, will continue to demand your attention as you adapt internal controls to effectively address these risks. Effective and timely adaptation will assure regulatory compliance with any new requirements. It is important to stay ahead of the issues that NERC, industry organizations and regulatory authorities are addressing. Utilities are advised to review the Risk Report and the CIP standards development projects in detail to understand the direction in which NERC plans to take the industry, and to respond preemptively to the identified security risks.
Resources
- NERC Reliability Risk Priorities Report – November 2019
- FERC Order No. 850 – Supply Chain
- FERC Order No. 841 – Cyber Security Incident Reporting
- NERC Electromagnetic Pulse Task Force
- Standards Development Project 2016-02 Modifications to CIP Standards
- Standards Development Project 2019-02 BES Cyber System Information Access Management
- Standards Development Project 2019-03 Cyber Security Supply Chain Risks
- TRC Physical and Cybersecurity Services
About TRC Security and Cybersecurity Practice
TRC’s approach to security, including cybersecurity, balances solutions that incorporate appropriate standards, regulatory requirements, best practices, operational goals and budgets. Our successful application of technological solutions in a constantly evolving business and regulatory landscape will provide you with confidence in your security programs. Our security and power system experts help you stay ahead of changing regulatory expectations because they stay engaged with the regulatory process. They know how to plan, design and implement programs that address your financial, technical and scheduling goals, including compliance with changing NERC security standards and guidelines, industry best practices and the latest technology developments.
This regulatory update is a service to TRC’s utility clients. It keeps you informed of issues that affect your company’s electric system security risks, along with related future regulatory developments, to help you achieve your company’s business goals.