The current landscape of security approaches within Utility and ISO Programs is reminiscent of the early DITSCAP, DIACAP, and Rainbow Series progression of the Department of Defense world from the 80s and 90s.
Given the ongoing Russia-Ukrain war and current geopolitical events, the urgency to bolster grid security and protect critical infrastructure in the US cannot be understated. Ageing power distribution systems are vulnerable to cyberattacks that can potentially jeopardise national security and bring the nation to a halt.
We need the Federal Government to bring together a common framework under the auspices of critical infrastructure that applies to today’s technology stack and approaches. Just say it aloud - Make NIST the standard and give a timeline. It will go a long way to at least bring awareness to how bad the grid is with evidence versus just sentiment.
The Critical Information Infrastructure (CII) in the power sector in the US has outlived its utility limit, especially with some of the grid infrastructure and power lines being more than 30 to 35 years old. As a result, they are vulnerable to various types of disasters, including physical and digital attacks and natural calamities. With the entire US economy and industrial sectors entirely dependent on power supply, any significant disruption can have catastrophic consequences. I wanted to use this post to make a nudge, neigh push, for standardisation on NIST RMF as a basis versus the variety of other more limited frameworks.
The lack of a federal, state, and local policy means we are stuck with conversion matrices to understand how one control applies to another framework. We need the advancement of approaches quickly to ensure this inefficiency does not limit the technology.
Grid Security and CII in the US - Statistics
Some quick hits:
- There are over 1600 utilities with varying approaches and security guidance for technical, process, and data access.
- Nearly 70% of power transmission lines in the US are over 30 years old.
- Around 60% of circuit breakers have far outlived their utility period of 20 years.
- ICCP and DNP3, critical protocols that run the current grid, are over 30 years old, respectively. The most common approach for security is simply to layer in an IPSEC VPN, and bulk encrypt the protocol.
- OpenADR, the defacto modern standard for curtailment of energy on the grid in a few geographies, is incredibly complex and has a few unintended gatekeeper issues with the alliance.
- Smart Meters are plagued with the promise and reality being very different. Mission:data (great group of folks) have published numerous articles on the topic. We have yet to see the benefits of smart meters due to implementation.
- There is a fight for who “owns” the data, and often the customer has funded Green Button Connect implementations to ease their access. Their utilities make it challenging to access significant historical data or real-time moving forward due to one-off implementations or implied data privacy concerns from utility companies.
- The patchwork of approaches and advancing technical attacks mean things only worsen if things do not improve significantly. The Colonial Pipeline Ransomware Attack in 2021 should have been a prominent wake-up call for the US to put on their coveralls and muck boots to overhaul our grid security infrastructure.
- I have spoken about this professionally in multiple contexts. Still, this impending flip in traditional BMS/SCADA software solutions and prosumer IoT is coming into play for interactive grid technologies. Each has a security and risk profile unfit for purpose and will only exacerbate this risk without industry guidance.
Grid Security and CII - What’s At Stake?
While all feel the existential threat of climate change and the threat of a lack of resiliency well understood, for whatever reason we do not currently give security the same importance despite having a much more significant risk. A Nation State cannot decide when it’s so hot the grid fails, but it can choose to exploit SCADA networks to turn off the power. The effect is the same even if the cause is not. We cannot compromise on grid infrastructure security because it is critical to its domestic and industrial consumption requirements — the threats to the power grid infrastructure fall under the following three categories.
- Physical attacks from terrorist organisations and vandals
- Cybersecurity attacks from state-sponsored and individual threat actors
- Natural disasters like floods, earthquakes, tornadoes, climate change, and other calamities
Both 1 and 2 are within our purview and control, but as of right now it feels that 3 gets the majority of attention.
Current US Regulatory Ecosystem Challenges
Most US power organisations use SCADA (Supervisory Control and Data Acquisition) networks to control industrial systems. They require constant updating to meet the challenges of the latest cybersecurity threat landscape, especially with malicious actors being innovative with their attack vectors. The recent example of the Colonial Pipeline ransomware attack exposed the vulnerabilities of the existing SCADA and IT networks, demonstrating the need for a significant overhaul of the cybersecurity framework for preparation for cyberattacks and incident response.
It is not so dissimilar to the early “high side” networks. You didn’t need to worry about patching or software updates because they were air-gapped. Right? RIGHT?! Many of these SCADA networks are deployed with no requirement for total lifecycle and instead treat them as appliances versus the little computers they, in fact, are. It means one network misconfiguration and the complex boundary protection falls apart, as we have seen.
The most significant challenge facing the US energy grid infrastructure is that it operates in a digital environment accessible by the internet. Hence, they become vulnerable to the latest cybersecurity threats, as explicitly stated by the GAO (Government Accountability Office). It also notes that the US CII’s most significant threats come from nations and malicious groups.
While the FERC (Federal Energy Regulatory Commission) has mandated grid cybersecurity standards, it still needs to take the requisite steps to address the shortcomings adequately. Besides, the measures do not include a complete cybersecurity risk assessment of the grid. The US GAO’s recommendation to FERC to adopt the necessary changes and evaluate the potential risks of a coordinated cybersecurity attack has yet to be implemented, making the grid more vulnerable. The NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a grid security standard developed to regulate, enforce, monitor, and manage the US Bulk Electric System (BES) security. Thus far, it has focused on large power plants rather than the currently advancing distributed grid. With FERC 2222/841 pushing behind the meter (BTM) participation, it means smaller assets and sites will now become just as important. The policies of FERC/NERC are simply too burdensome for these smaller BTM installs and will reduce deployments for security.
The US GAO has also discovered that the Federal Government needs to fully understand the gravity of potential cyberattacks and their consequences on the vulnerable US grid that is not compliant with FERC’s standards. Therefore, it recommended that DOE coordinate with the DOHS, the state, and industrial partners to address the potential risks to the US distribution systems.
If only there were some sort of Risk Framework that the USG had invested millions of dollars, decades of validation, and built a market knowledge around!
NIST has recommended steps to combat and deal with the constantly evolving cybersecurity threats. Other safety measures include adhering to authentication and data encryption standards, ensuring zero-trust architecture, and securing cloud services. In fact, NIST was brought in to help with the exact institutional issue of DIACAP, DITSCAP, Rainbow Guides from the NSA, AF, ARMY, etc., having differing guidance. In addition, NIST had to deal with the “fit to purpose” issues, where smaller vendors could not meet one policy, but instead needed a simple and traceable flowdown against a risk profile.
That brings us to NIST 800-53 and NIST 800-171 and their focus on the supply chain for DoD procurement. They require vendors to comply with stringent purpose-fit cybersecurity requirements, and they are audited to ensure proper compliance. Before, the vendor was not part of the boundary necessarily, but opened up a considerable backdoor for the DoD. While it wasn’t a perfect fix, things like supply chain and SBOM work have only reinforced how an understanding of how bad things are through an audit is better than no understanding at all. Adequate compliuance with NIST 800-171 minimises cybersecurity risks and secures the grid and CII.
According to the NIST, interoperability on the grid is a critical aspect of grid security. The fourth release of the Smart Grid Framework emphasises the importance of interoperability. It describes its various economic and environmental benefits while outlining a new cybersecurity strategy to support the development of interoperable devices and equipment. Interoperability is essential because more numbers of devices get connected to the grid.
NIST’s Cybersecurity Framework is a free tool highlighting the overlap between the framework and FERC’s standards to help improve cybersecurity practices while complying with mandatory requirements.
Instead of the hodgepodge approach of a self-attestation to NIST 800-53, ISO 27001/27002, CIS Security Benchmarks, and Top 20 Critical Controls (pulled from a State’s actual approach), you are given a standard and level-set approach for all assets and vendors to design to. Right now, with a lack of a single standard, we have no standard, frankly.
Modernising the US grid infrastructure has become essential because it still depends on legacy technology, whereas threat actors use innovative ways to infiltrate power network systems and wreak havoc. The DOE Federal Notice of Intent recommends modernising the grid to enhance the electric system’s resilience and minimise failings. The objective is that consumers must get a secure power supply when they need it the most. Besides, the DOE’s CESER (Cybersecurity, Energy Security, and Emergency Response) has announced funding for up to 15 research projects, including automated cyberattack prevention and mitigation. These measures pave the way for resilient energy delivery systems with a prime focus on minimising as many grid security and critical infrastructure-related risks as possible.
It is a start, but the CISA and Federal Government could help by simply mandating the NIST Framework as the starting point.