How to avoid shattering private-sector accountability for cybersecurity
With a noticeable deficiency of qualified cybersecurity expert’s and a centralized utility industry focus on "keeping the lights on," the energy sector has become a prime target for cyber intrusion
A cyber-attack of great consequence on the U.S. power grid would shatter the ideal cybersecurity framework of private-sector accountability for maintaining security of this critical infrastructure. Much like the 2003 Northeast Blackout, an elevated and forceful public outcry could shape the outcome of a more stringent and intrusive government review of the public-sectors cyber-risk strategy and response to vulnerabilities that have been identified and discussed at length over the past 5 to 7 years.
This could result in the government expropriating grid security responsibilities and creating different levels of oversight to ensure reliability and resilience of the electric power grid. If it is determined that the attack is state sponsored, it could result in national level action to secure national interest. This overarching issue has a potential cost of remediation of more than $1.2 trillion annually with a projection of $2 trillion by 2019, according to some estimates.
With a deficit of emerging, ground breaking cyber protection strategies, and a continued dependency on legacy Industrial Control Systems (ICS) with bolt-on security solutions, the energy-sector has found itself in a vulnerable role of grid security complacency.
With a noticeable deficiency of qualified cybersecurity expert’s and a centralized utility industry focus on "keeping the lights on," the energy sector has become a prime target for cyber intrusion.
The number of cybersecurity attacks on industries and ICS networks has seen a marked increase in terms of both frequency and intensity over the past five years. Intruder attack data by Frost & Sullivan has revealed that 75 percent of oil, gas and power sectors have been subject to successful cyber intrusions in the past year. The threat is amplified by line of sight to coordinated state-sponsored attacks intended to create larger scale disruptions in critical infrastructure.
Recent cyber (Ukraine attack) and physical (Metcalf Substation in California) events on the electric power grid have driven increased awareness at the highest levels of government and therefore created a heightened emphasis on examining current regulatory rules designed to address cyber and physical security risk and threats directed at the energy delivery infrastructure.
Failing to Meet the Mark
With North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) regulatory violations continuing to rank as the top violated NERC Reliability Standards, and NERC’s recent conclusion that the industry exhibits “a lack of commitment to compliance with the CIP standards” regulators have growing concerns that the risks reliability standards are designed to mitigate are not being well assessed or managed effectively by the private-sector.
An artifact of regulatory urgency is six-figure regulatory fines and penalties levied on entities who failed to meet compliance with NERC CIP standards. In February 2016, NERC publicly posted a settlement agreement with an Unidentified Registered Entity (URE). The URE was assessed a hefty penalty of $1.7 million, in addition to other mitigations as part of the settlement.
In October of 2016, NERC settled with another URE for $1.1 million for “failing to protect substations with firewall." Imagine the fines and penalties that would be levied on registered entities whose complacent cyber protection strategies were responsible for allowing a cascading outage on the power grid.
We can thoughtfully reflect on the above examples and the $25 million fine imposed after the 2008 Florida blackout and predict a massive regulatory response.
It is important for us to understand that the current versions of the NERC CIP standards only help registered entities achieve a minimum level of security competency, if the energy industry is failing to meet these minimum level benchmarks of compliance, it is clear we are not embracing the level of operational and security excellence needed to protect our critical energy delivery systems.
We know the cyber-attack “shots on goal” are extremely high; in a recent interview with the Washington Examiner, Terry Boston, former CEO of PJM, revealed that PJM experienced between 3 and 4,000 cyber attempts (per month) to defeat firewalls and gain access to their systems; that’s upwards of 48,000 attempts per year just for PJM.
We should listen intently when security experts share their greatest concerns. A Black Hat attendee survey earlier this year quoted a respondent as saying “Most information security professionals believe that the US critical infrastructure will be breached by a cyber-attack within the next two years. Most also believe that their own enterprises will be breached in the next 12 months. And most believe that the defenders of those infrastructures are not ready to respond.”
Are we truly examining the recipe of threats and latent organizational weaknesses which greatly reduces our security margin for error? Are we truly resilient enough to recover from a catastrophic cyber-attack event?
We must mature our utility industry focus and proactively include disruptive grid cybersecurity mindsets. We need to examine new approaches using evolving security technology and break free from our reliance on legacy ICS’s and aging protocols designed with no intention of addressing modern security needs. We must solve lingering problems such as ICS network visibility and control and the lack of cybersecurity experts in the energy industry.
We need to set new benchmarks and aggressively promote cyber programs that overreach minimum regulatory compliance obligations to gain regulators trust and proactively protect our critical energy infrastructure. We need to work together, share information, project our effort beyond the attackers and avoid the catastrophic event that will shatter the ideal private-sector accountability of cybersecurity.
About the author: Earl Shockley is the President and Founder of inPOWERd LLC and is a strategic advisor for Veracity Industrial Systems, a developer of industrial SDN-based technology for operational networks.. Shockley has over 40 years in the energy industry and is a former regulator and senior executive with the North American Electric Reliability Corporation (NERC).
He helped lead investigations of major system blackouts including the FERC/NERC Inquiry & Investigation of the September 8, 2011, Arizona-California Blackout, the joint FERC/NERC Compliance Investigation of the February 2008 Florida Blackout, and the FERC/NERC inquiry of the February 2011 Southwest Cold Snap event. Earl is a public speaker and expert witness on complex issues involving regulatory compliance, risk management, internal risk control systems, and event causal analysis.