Are We Doing Enough to Secure the Power Grid?
An Executive Order from US President Donald Trump in May this year overhauled the backbone of the nation’s electricity infrastructure, highlighting gaps and vulnerabilities in the operations of power systems and bulk power equipment, to attacks by hackers, terrorists and other state adversaries.
The need to safeguard the U.S. bulk-power system, prohibit transactions with foreign adversaries for BPS equipment, and to allow only secure components from American companies and other trusted sources were part of the crackdown carried out on foreign entities by the administration.
Following the EO, the Department of Energy issued a Request for Information (RFI) in July seeking public input to understand, among other things, the energy industry’s current best practices to identify and mitigate vulnerabilities in the supply chain for specific components of the BPS. This RFI is intended to address cybersecurity maturity metrics, and foreign ownership, control and influence.
The DOE further extended the comment deadline to Aug. 24, 2020.
The president’s move aims to bring national security considerations in line with government energy security and cybersecurity policymaking, while maintaining BPS grid reliability and resilience. His administration seeks to take steps to identify threats to the electric grid.
On completion of the evaluation, the problems can be mitigated and asset owners – public or private – can replace, isolate or monitor affected equipment when necessary. However, it leaves open the question regarding how existing equipment and technology will be impacted.
Supporting the EO, financial services firm Moody’s Investor Services in a Twitter message said, “The order, which addresses cybersecurity risks related to the supply chain of US electric utilities, is a credit positive for the sector.”
Immediate Effects of Trump’s Order
While President Trump does not specify any country in his order, experts say it will likely impact imports from China and Russia, and to a lesser extent North Korea and Iran.
“The Chinese (and Russians) are already in our grids,” Joe Weiss, managing partner at Applied Control Systems wrote in a blog post. Unfortunately, the intent of industrial control system cybersecurity has been changed by the operational technology (OT) network security community and it is no longer about preventing system impacts but about maintaining OT network integrity, he added.
The U.S. DOE has been authorized by the EO to establish criteria for recognizing particular equipment and vendors as “pre-qualified,” which could allow some equipment to continue being sourced from China. The EO also calls for the development of procurement policies that prioritize the security of U.S. power grids, as opposed to current rules that give preference to the lowest-cost bids.
“There are vulnerabilities in our power systems,” notes Mark Feasel, President, Smart Grid – North America, Schneider Electric.
The cyberinfrastructure of the power grid puts at risk network and security infrastructure. Coupling grid assets with software has served as a boon for utilities to reduce carbon emissions through distributed power generation, like wind and solar, but also by improving the efficiency of existing “brownfield assets.”
A study by Siemens and the Ponemon Institute of utility professionals responsible for securing OT assets states that 64 percent of respondents found sophisticated attacks a top challenge, with a distinct increase in the frequency of attacks. Attacks now target energy infrastructure with growing severity.
“Securing bulk power must be followed up by tackling the gaps and vulnerabilities associated with processes, technology and policies associated with local distribution if we are to ultimately create a more secure and resilient electric grid,” Weiss wrote in another blog post in May.
Weighing the risks of the Trump order, several C-level executives in the IIoT World Founder’s circle community were of the opinion that the EO is a step in the right direction, though it comes with certain limitations.
Retrofitting the existing grid with approved products might take a lot longer than eight years, according to Bryan Skene, CTO & VP Product Development at Tempered Networks. He suggested a more phased approach that addresses existing infrastructure as well as future buildout, as mixing vulnerable infrastructure with new protected infrastructure does not equal a secure system.
The EO ignores larger problems in the electric cyber environments, lack of visibility in networks and any nationally enforceable standards, according to Edgard Capdevielle, CEO at Nozomi Networks. The order is also not immediately actionable, and it does not address all the legacy infrastructure that has been and will be around for a very long time, he added.
Commenting on the ramifications of the EO, Joe Sanders, CEO at Runsafe Security, said that since the national security risks are so high, these actions are appropriate, while adding that replacing these systems will take time and money. “Unfortunately, our supply chains are compromised. I believe post-COVID, we will see accelerated diversification.”
“I’m just pointing out that saying ‘from here on out we will buy from suppliers who we trust’ shouldn’t result in politicians declaring victory for a very, very long time,” Skene said. “If we are serious about fixing security, this will take solid cooperation over a long time. The determination of friend vs. foe should be supported by a lot of non-political data, so that we are not flip-flopping faster than we can buy and build solutions,” he cautioned.
The Effective Plan Going Forward
Critical equipment suppliers are thereby incentivized to invest in developing and maintaining strong cybersecurity practices or risk exclusion from the U.S. market, according to Moody’s. The order applies to future procurement activities, as well as equipment that is already in use, and allows the government to provide guidance to asset owners on identifying, isolating, monitoring and replacing critical equipment where necessary.
EEI (Edison Electric Institute), an association that represents U.S. investor-owned electric companies, pegged capital expenditure by utilities at about US$136 billion in 2019. “We have long maintained that grid security is a shared responsibility, and addressing dynamic threats to the grid requires vigilance and coordination that leverages both government and industry resources,” said EEI President Tom Kuhn in his statement following the President’s order.
“EEI’s members, through the CEO-led Electricity Subsector Coordinating Council, work closely with the Department of Energy (DOE) to address underlying threats to supply chain security,” Kuhn said. “This EO reflects this ongoing collaboration with the federal government and provides new ways to mitigate threats to electric-sector critical infrastructure,” he added.
As some components of the grid are complex machines and computer systems that may have components sourced from enemies and assembled in a friendly country, there may not be a completely friendly supply chain option, Skene pointed out. Until a comprehensive migration plan appears, it is hard to make statements about feasibility or effectiveness, he added.
Effect on Network Security and Cybersecurity
The BPS grid powers countless systems, appliances and devices, which should not be vulnerable to a cyberattack that could propagate from a local network to the bulk-power system. A hacker could target a local power utility or end-user system, putting pressure on systems and organizations to develop and execute long-term strategies to endure cyber resilience.
Researchers from cybersecurity company Proofpoint had in June discovered a new, additional malware family named FlowCloud that was being delivered to U.S. utility providers, and gave attackers complete control over a compromised system.
“It [the EO] makes it easier to quash attack vectors like backdoors and trojans that could be implanted in foreign-sourced infrastructure equipment,” wrote Capdevielle in a blog post. While this order can be a step in the right direction, owners and operators of our electric grid must continue to do their part to strengthen the security and resiliency of key infrastructure, he added.
One form of security risk mitigation is to apply RunSafe protections on the software for existing systems, according to Sanders. Another form of security risk mitigation is to use RunSafe protection on new systems because adversaries will attempt to exploit them nonetheless.
As the need to prioritize cost, resilience and sustainability increase, microgrids can be also built and tailored to the needs of businesses and municipalities. “There’s an entire array of technology questions that are extremely difficult to answer unless you live and breathe in this space every day,” says Schneider’s Feasel. “The greatest benefit of the energy-as-a-service business model is that it transfers all of these risks to someone else.”
While the presidential move is a necessary step, owners and operators of the electric grid must continue to do their part to strengthen the security and resiliency of key infrastructure. Thoughtful implementation will play a critical role in realizing the objective of a safe power grid without sacrificing progress.
Working to identify, remove and replace nonconforming equipment will not be an easy task, Capdevielle warns.
However, cybersecurity expert Weiss is more optimistic. “If the Executive Order does nothing more than provide a coherent approach to identifying and assessing the scope and scale of adversary presence in the U.S. energy sector, it will have achieved a key national security objective that has eluded us for more than a decade,” he said.
More resources on energy here.
This article was written by Lucian Fogoros, Co-founder, IIoT World.