NGI The Weekly Gas Market Report / NGI All News Access

U.S. Power Grid Under Attack by Cyberspies

The cloak and dagger spy activity of the Cold War era has gone on-line, according to current and former national security officials, who report that one of the main targets of these cyberspies is the U.S. electrical grid infrastructure.

Cyberspies have hacked into the U.S. grid and left behind software programs that could be used to disrupt the system, according to The Wall Street Journal (WSJ). The spies came from China, Russia and other countries, security officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official, according to WSJ. "So have the Russians."

The North American Electric Reliability Corporation (NERC) -- an international regulatory authority for electric reliability of the bulk power system in North America -- said it is doing all that it can to stay ahead of those who would do harm to the North American electric grid.

"Cyber security is an area of concern for the electric grid. Though we are not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of," NERC said last Wednesday. "NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyber threats.

"There is definitely more to be done, and we look forward to continuing our work with the electric industry and our partners in U.S. and Canadian government to improve reliability standards, ensure appropriate emergency authority is in place to address imminent and specific cyber security threats, and ultimately ensure a safe, secure and reliable energy future for North America."

Security officials are taking cyber attacks very seriously. Military leaders last week revealed that the Pentagon spent more than $100 million in the past six months cleaning up after Internet attacks and network issues.

"The important thing is that we recognize that we are under assault from the least sophisticated -- what I would say the bored teenager -- all the way up to the sophisticated nation-state, with some petty criminal elements sandwiched in between," Air Force Gen. Kevin Chilton, head of U.S. Strategic Command, told reporters at a cyberspace conference in Omaha, NE, according to CBS News.

In an open letter to industry stakeholders last week, NERC Chief Security Officer Michael Assante said compliance with cyber security standards is key. He said the results from a recent NERC survey raise concern about the identification of critical assets (CA) and the associated critical cyber assets (CCA), which could be used to manipulate them. Only 31% of separate (i.e., nonaffiliated) entities responding to the survey reported that they had at least one CA and 23% a CCA.

"These results are not altogether unexpected because the majority of smaller entities registered with NERC do not own or operate assets that would be deemed to have the highest priority for cyber protection," Assante said in the letter. "In that sense, these figures are indicative of progress toward one of the goals of the existing CIP standards: to prioritize asset protection relative to each asset's importance to the reliability of the bulk electric system. Ongoing standards development work on the CIP standards seeks to broaden the net of assets that would be included under the mandatory standards framework in the future, but this prioritization is an important first step to ensuring reliability."

Assante said closer analysis of the data, however, suggests that certain qualifying assets may not have been identified as "critical." Of particular concern are qualifying assets owned and operated by generation owners and generation operators, only 29% of which reported identifying at least one CA, and transmission owners, fewer than 63% of which identified at least one CA.

"Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations," Assante warned. "I have intentionally used the word 'manipulate' here, as it is very important to consider the misuse, not just loss or denial, of a cyber asset and the resulting consequences, to accurately identify CAs under this new 'cyber security' paradigm. A number of system disturbances, including those referenced in NERC's March 30 advisory on protection system single points of failure, have resulted from similar, noncyber-related events in the past five years, clearly showing that this type of failure can significantly affect the reliability (and) operability of the bulk electric system, sometimes over wide geographic areas."

Assante said the industry must also consider the effect that the loss of a substation, or an attack resulting in the concurrent loss of multiple facilities, or their malicious operation, could have on the generation connected to them.

NERC is requesting that entities take a fresh, comprehensive look at their risk-based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.

Feeling the need to offer reassurances, the California Independent System Operator (CAISO) said it takes cybersecurity of the grid seriously all the time.

"This is something we take very seriously," CAISO spokesperson Gregg Fishman told NGI.

CAISO, which launched a new day-ahead market and technology upgrade with a $200 million price tag April 1, maintains advanced cyber control systems and constantly conducts independent third-party assessments to validate that it has a high level of protection, Fishman said. This includes a 24-hour, seven-day-a-week-staffed security operations center.

"[The systems] use intrusion detection tools to head off any potential hackers," said Fishman, adding that California's grid operator supports the eight cyber security infrastructure protections enforced by NERC and approved by the Federal Energy Regulatory Commission (FERC).

Some vulnerabilities in U.S. electrical grid security have already been identified. Late last year the U.S. Department of Energy's (DOE) inspector general found that the Bonneville Power Administration (BPA) -- the federal power marketer/transporter in the Pacific Northwest -- may be vulnerable to cyber attacks because it has not done enough to ensure the security of its information technology systems. The inspector general's assessment reportedly identified problems in BPA's cyber-risk management program.

Smart grid technology, which is being hailed as a way to increase electric grid efficiency while reducing electricity demand by giving consumers more information about their individual energy consumption, also has some drawbacks, according to the DOE-backed Advanced Metering Infrastructure Security (AMI-SEC) task force. While smart grids will allow consumers to make more informed choices, the new information provided by an automated grid also leaves the system more susceptible to cyber attacks.

The task force has developed AMI System Security Requirements, a "first-of-its-kind" for the utility industry that will help utilities procure and implement secure components and systems using a common set of security requirements.

Last fall, then-FERC Chairman Joseph T. Kelliher asked Congress to amend the Federal Power Act to authorize the Commission to directly order mandatory actions on an interim basis to protect the nation's power grid from cyber security threats.

NERC said it plans to host a series of educational webinars in the coming weeks to help registered entities understand CIP standards requirements and what will be required of them to demonstrate compliance with the standards once audits begin in July. NERC also plans to incorporate a set of informational sessions into this series, designed to allow the industry to share practices and ask questions of each other in an open, but facilitated, dialogue.

"We expect to see a shift in the current self-certification survey results as entities respond to the next iteration of the survey covering the period of Jan. 1-June 30 and when the regional entities begin to conduct audits in July," Assante said.

©Copyright 2009 Intelligence Press Inc. All rights reserved. The preceding news report may not be republished or redistributed, in whole or in part, in any form, without prior written consent of Intelligence Press, Inc.