Attacking the problems of cybersecurity in the electric grid from different angles, two US agencies are proposing solutions for different parts of the problems.
Acting per an early May executive order, a United States (US) agency has asked stakeholders for information on supply chain risks facing the US electrical industry. The US Department of Energy (DOE) has released a request for information (RFI) “to understand the energy industry’s current practices to identify and mitigate vulnerabilities in the supply chain for components of the bulk-power system (BPS).” The Department of Defense (DOD), Federal Communications Commission (FCC), and other US agencies are undertaking similar efforts to root out what they consider suspicious, malicious, or compromised parts, equipment, or systems that would allow nations like the People’s Republic of China (PRC) to access, impair, or cripple critical infrastructure. Even though nations other than the PRC are listed in this RFI, as a practical matter the PRC is the focus, since so much of the world’s electronics supply chain originates in that country. Comments are due by 7 August.
On 1 May, President Donald Trump signed Executive Order (EO) 13920 that would direct the Secretary of Energy and other officials to take steps to ensure the United States’ bulk power sector is protected from the threats posed by the manufacture of components by foreign adversaries, most likely the People’s Republic of China (PRC). This EO is of a piece with two Administration priorities: desired changes in trade policies with the PRC and defending the United States from vulnerabilities arising from an information and communications technology (ICT) supply chain that largely originates in the PRC. Trump declared a national emergency with respect to the bulk power system, triggering a range of powers to address this situation. The EO would establish a blanket ban on bulk power utilities from buying systems and equipment from yet to be named foreign adversaries except if allowed by the Department of Energy along with required mitigations.
The DOE stated
The Office of the Director of National Intelligence’s (ODNI) National Counterintelligence and Security Center (NCSC) assesses that China and Russia (near-peer foreign adversaries) possess highly advanced cyber programs and that both nations pose a major threat to the U.S. government, including, but not limited to, military, diplomatic, commercial, and critical infrastructures. The BPS is a target of these adversaries’ asymmetric cyber and physical plans and operations. A successful attack on the BPS would present significant risks to the U.S. economy and public health and safety and would render the U.S. less capable of acting in defense of itself and its allies.
So-called near-peer foreign adversaries are “attempting to access our Nation’s key supply chains at multiple points—from concept to design, manufacture, integration, deployment, and maintenance—by, among other things, inserting malware into important information technology networks and communications systems.” As such, DOE is using NCSC’s supply chain risk management (SCRM) framework to inform this RFI (see https://www.dni.gov/index.php/ncsc-what-we-do/ncsc-supply-chain-threats). The NCSC leads and supports the U.S. Government’s counterintelligence (CI) and security activities that are critical to protecting our Nation; provides CI outreach to U.S. private sector entities at risk of foreign intelligence penetrations; and issues public warnings regarding intelligence threats to the U.S. and establishes the de facto standard for Federal SCRM processes.
The DOE stated
- Although this RFI covers the full scope of BPS electric equipment as defined in EO 13920, the Department seeks comments on specific equipment as outlined below to enable a phased process by which the Department can prioritize the review of BPS electric equipment by function and impact to the overall BPS. In doing so, the Department employs a defense-in-depth, phased approach that addresses risk as well as the dynamic nature of threats and vulnerabilities affecting the BPS.
- Accordingly, the Secretary may establish specific pre-qualification criteria for a set of components that support defense critical electric infrastructure (DCEI) and other critical loads and critical transmission feeders (69 kV and above) reported under critical infrastructure protection reliability standards as formulated by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC). Specific essential reliability services of interest may also include black start systems.
- The Department seeks comment on addressing the following types of equipment:
  - Transformers (including generation step-up transformers), reactive power equipment (reactors and capacitors), circuit breakers, and generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations). This includes both the hardware and electronics associated with equipment monitoring, intelligent control, and relay protection. Only transformers rated at 20 MVA and with a low-side voltage of 69 kV and above are included.
The DOE explained
- The Department does not plan to develop a SCRM tool or repeat questions already deemed best practices from well-established SCRM frameworks and tools, including the ODNI NCSC Supply Chain Directorate’s SCRM Best Practices (see https://www.dni.gov/files/NCSC/documents/supplychain/20190405-UpdatedSCRM-Best-Practices.pdf).
- The Department will build upon efforts by standards development organizations, including but not limited to, NIST 800 series standards (see https://csrc.nist.gov/publications/sp800), ISO standards (see https://www.iso.org/home.html), ISA/IEC 62433 standards (see http://www.isa.org/intech/201810standards/), and NERC-CIP standards (see https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx).
- The Department is focused on improving utility owner/operator’s asset/operations risk assessment by incorporating the identification of enterprise risk associated with supply chain vendor/services into the acquisition systems process. For example, the Cybersecurity Capability Maturity Model (C2M2) is an available tool that an organization might apply to continuously assess its cybersecurity posture (see https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0).
The DOE explained its belief “that it is prudent, and in the public interest, to address national security implications in acquisitions. This RFI is designed to specifically address:
(1) Evidence-based cybersecurity maturity metrics and
(2) foreign ownership, control, and influence (FOCI).”
DOE stated “[a]s part of the Federal acquisition process and NERC-CIP standards, the Department is considering:
- Limited procurements,
- select build versus buy,
- the consequences of insufficient SCRM, and
- evidence-based performance metrics that support a continuous improvement process.”
The DOE’s RFI follows two other energy-sector related cybersecurity regulatory actions. In late June, the Federal Energy Regulatory Commission (FERC) sought “comment on certain potential enhancements to the currently-effective Critical Infrastructure Protection (CIP) Reliability Standards.” FERC stated that “[i]n particular, the Commission seeks comment on whether the CIP Reliability Standards adequately address the following topics:
(i) Cybersecurity risks pertaining to data security,
(ii) detection of anomalies and events, and
(iii) mitigation of cybersecurity events.”
FERC added it also “seeks comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether Commission action including potential modifications to the CIP Reliability Standards would be appropriate to address such risk.”
Commission staff undertook a review of the National Institute of Standards and Technology (NIST) Cyber Security Framework (NIST Framework), which sets forth a comprehensive, repeatable structure to guide cybersecurity activities and to consider cybersecurity risks as part of an organization’s risk management processes of its critical infrastructure. Commission staff compared the content of the NIST Framework with the substance of the CIP Reliability Standards, and identified certain topics addressed in the NIST Framework that may not be adequately addressed in the CIP Reliability Standards. Commission staff further analyzed whether the identified topics are within the scope of the CIP Reliability Standards. Commission staff then studied whether the potential “gaps” that are within the scope of the CIP Reliability Standards presented a significant risk to bulk electric system reliability.
Comments are due on 22 September.
In mid-June, the FERC released a staff “Cybersecurity Incentives Policy White Paper” that made the case that the agency should create an incentive structure beyond the existing mandatory and binding cybersecurity regulations to prompt utilities to invest more in defending their systems. FERC staff suggested a variety of means by which utilities could better secure their systems, including allowing utilities to classify these expenses under existing categories of costs they may recover or write off. It is possible, and perhaps even likely, that the US government will extend mandatory and binding cybersecurity requirements to other critical sectors, even though there are currently no plans to do so, as the threats posed by hackers outstrip the efficacy of voluntary standards. FERC is accepting comments until mid-August.
[P]ursuant to Federal Power Act (FPA) section 215, the Commission has approved a suite of mandatory Reliability Standards that applicable registered entities must meet to provide for an adequate level of reliability of the bulk power system. FPA section 219(b)(4)(A) directs the Commission to establish rules allowing recovery of all prudently incurred costs necessary to comply with mandatory Reliability Standards. In light of these mandatory Reliability Standards, and the opportunity for cost recovery pursuant to FPA section 219(b)(4)(A), additional transmission incentives are not necessary to maintain an adequate level of reliability. However, transmission incentives to counter the evolving and increasing threats to the cybersecurity of the electric grid may be warranted. This staff paper explores a new framework for providing transmission incentives to utilities for cybersecurity investments that produce significant cybersecurity benefits for actions taken that exceed the requirements of the Critical Infrastructure Protection Reliability Standards (CIP Reliability Standards).
Providing transmission incentives for cybersecurity investments will require the Commission to establish a new framework for evaluating requests for transmission incentives by utilities for cybersecurity investments. As discussed above, augmenting the current CIP Reliability Standards with an incentive-based approach under FPA section 219 that encourages utilities to undertake cybersecurity investments on a voluntary basis may have significant benefits. However, a first necessary step is to establish approaches that examine the effectiveness of cybersecurity investments in enabling the utility to achieve a level of protection that exceeds the CIP Reliability Standards but also enhances the security of its transmission system. A utility will then be able to identify the cybersecurity investments for which it seeks transmission incentives. The Commission then can evaluate such transmission incentive requests. This section discusses how the typical suite of ratemaking incentives awarded to transmission projects could apply in the context of cybersecurity and two potential approaches for determining which cybersecurity investments warrant incentives.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.