The security of the U.S. electric power grid against cyber threats is a growing concern among lawmakers, regulators, industry, and the public at large. Cyber warfare poses a serious threat to the grid’s physical infrastructure, and without effective preventative measures, the grid may be compromised by cyber attack. The best way to combat cyber threats remains unknown. But even without clear regulatory direction, owners and operators of critical electric infrastructure must develop appropriate and effective compliance programs to address the risk of cyber attack to their physical assets.
This is the first of two articles addressing threats to the physical power grid posed by cyber attack. In this article, we outline the nature of the current threat, the existing regulatory framework intended to combat the threat, and the uncertain future of additional regulatory solutions. In part two, we will identify proactive measures that industry can take today, notwithstanding the unknowns, to mitigate the risk of cyber attack.
The Nature of the Current Threat
Cybersecurity threats are often thought of in terms of theft of personal data, such as an individual’s Social Security number or online banking password. But in addition to the compromise of data and individual privacy, cyber attacks can threaten the physical critical infrastructure that makes up the electric power grid, such as generators, transformers, substations, and transmission lines. If the physical infrastructure is compromised, grid reliability will suffer, potentially resulting in major system failures and sweeping blackouts that would threaten our modern way of life.
The potential threat to the transmission system from man-made electromagnetic pulses, or EMPs, such as might result from a nuclear weapon detonation, is well-known. But in March 2007, the Department of Homeland Security (DHS) also demonstrated the vulnerability of the physical grid to more unconventional man-made cyber threats. As part of a demonstration, the DHS hacked into a generator control station from a remote access point and caused the generator to self-destruct. Known as Project Aurora, the DHS experiment highlighted a debate among regulators and industry stakeholders regarding the grid’s vulnerability to cyber attack and how best to combat cyber threats to critical infrastructure.
More recently, the Stuxnet worm, described as the most sophisticated cyber weapon ever deployed, effectively disabled Iran’s nuclear arms development program in 2010 (if only temporarily). Stuxnet attacked supervisory control and data acquisition (SCADA) systems that control and operate Iranian nuclear facilities. Iran has also discovered the Stars virus, which may be part of an ongoing cyber attack aimed at physically destroying Iranian systems and nuclear arms development capabilities. These and other cyber weapons are difficult to control once deployed. So there is a real risk that threats like Stuxnet, which has now spread worldwide, and Stars could fall into the wrong hands and be used to target the SCADA systems that control and operate the U.S. power grid.
The growing interest in and deployment of smart grid technologies intensifies the debate surrounding cyber threats to the physical grid. Smart grid initiatives hold the promise of a more efficient and cost-effective grid through information sharing efforts at all levels of the power industry, from generators and transmission planners to distribution utilities and retail consumers. However, the price paid for the increased communication ushered in by a smarter grid is the proliferation of access points for cyber terrorists to infiltrate and compromise the grid.
The growing number and sophistication of cyber threats to physical infrastructure are a concern of worldwide proportion; they are constantly evolving and span industries and the globe. At this critical juncture, the sheer breadth of known cybersecurity threats augments the problem; those in positions of authority struggle to decide who, what, and how to regulate in this largely uncharted world of cyber warfare. But it is widely apparent that maintaining the status quo is not a viable option.
The Current Regulatory Framework
Regulators have sought to establish oversight initiatives to protect against cyber threats to the power grid. Chief among them is the North American Electric Reliability Corp. (NERC). Acting under authority conferred by the Federal Energy Regulatory Commission (FERC), NERC is charged with developing and enforcing reliability standards applicable to users, owners, and operators of the bulk electric system.
NERC’s Critical Infrastructure Protection (CIP) Reliability Standards provide the framework for electric utilities, generators, and transmission companies to identify and protect critical cyber assets (CCAs), the hardware and software required to operate the critical electric infrastructure of the power grid. The CIP Standards currently in effect ("version 3") provide flexibility to industry participants to define their CCAs and, thus, the scope of their compliance obligations. Perhaps not surprisingly, the number of CCAs identified under CIP version 3 provides minimal coverage of critical infrastructure and results in potentially substantial gaps in reliability oversight for those assets most exposed to cyber threats.
In response to the low rate of voluntary participation with CIP version 3, NERC developed "version 4." CIP version 4 replaces the subjective assessments previously undertaken by industry participants with a detailed, prescriptive approach for identifying CCAs. As a result, CIP version 4 broadens the scope of the CIP Standards to encompass more of the grid’s physical infrastructure. Preliminarily approved by FERC in September 2011, CIP version 4 would not become mandatory and enforceable until at least late 2013. But the signposts are clear: CIP version 4 is coming, and more infrastructure will be brought under the CIP regulatory framework.
In order to tackle smart grid implementation and protection issues, including cybersecurity concerns, the National Institute of Standards and Technology (NIST) developed smart grid interoperability standards that promote communication and collaboration across hardware and software systems used in grid operations. Proposed for FERC approval in October 2010, NIST’s initial interoperability standards lacked sufficient industry consensus for FERC adoption. Regulators were concerned that too few cybersecurity experts were involved in the standards development process and that the cybersecurity impacts related to the proposed standards were not fully understood.
Soon after FERC rejected the initial interoperability standards, NIST, through its Smart Grid Interoperability Panel (SGIP), approved six standards as part of a larger effort to catalog voluntary, consensus-driven guidelines to promote smart grid technologies. It remains to be seen whether sufficient industry consensus exists to make voluntary adherence to the SGIP Catalog of Standards an effective tool in promoting a grid that is both smart and resilient to cyber attack.
On the legislative front, Congress has recognized the need to act, and several legislative proposals, including one from the White House, would further tackle cyber threats to the physical grid. The proposed reforms would confer varying degrees of oversight authority on different regulatory entities, identify different industry participants and infrastructure to be covered by the proposed regulations, and outline different compliance obligations industry participants must satisfy. For example, the proposals:
- Use varying terminology to identify regulated physical assets, but all would cover infrastructure that, if destroyed or disrupted, would have a serious impact on national security, the economy, or public health and safety.
- Require owners and operators of covered infrastructure to comply with new regulations and standards adopted by DHS and sector-specific agencies such as FERC.
- Require various certifications and reporting by, and audits of, covered entities.
- Subject noncompliance to varying degrees of penalty, from public remonstrations to the imposition of monetary fines.
It remains uncertain whether any of these initiatives will be adopted, what level of enforceability they will have, which agencies will take the lead in implementation, whether regulations will be adopted through regulatory fiat or a bottom-up approach, and the scope and effective date for any implementing regulations.
Expectations for the Future
While the current regulatory framework is in a state of flux, the growing cyber threat remains. Few contend that safeguards currently in place sufficiently protect against the number and sophistication of cyber threats, especially those targeted against physical grid infrastructure.
Efforts are under way to develop greater grid security for tomorrow. As noted above, over the next few years, industry participants can expect implementation of "version 4" of NERC’s CIP Standards, which will include expanded compliance requirements, capturing many industry participants not previously subject to the CIP Standards. And NERC is already developing CIP "version 5," which will likely replace the "all or nothing" approach to compliance adopted in prior versions with a risk-based, tiered approach that imposes greater compliance obligations on those facilities and assets deemed more critical to grid reliability.
Another batch of NIST interoperability standards can be expected, but they will need to address the cybersecurity issues posed by the 2010 standards rejected by FERC. To forge a consensus that will pass FERC muster, NIST and its stakeholders must consider smart grid technologies in tandem with cybersecurity concerns. The path forward may best be trodden by NIST’s SGIP process, which continues to develop voluntary, consensus-driven standards for entry in its Catalog of Standards. But it remains to be seen whether industry-developed guidelines, in the absence of any regulatory oversight and enforcement, will prove an effective tactic against cyber attacks.
Lawmakers continue to struggle to reach consensus on how best to tackle cyber threats to the physical power grid. The multitude of legislative proposals leaves unclear who will be affected, what compliance efforts will be required, and how regulations will be enforced and by which agencies. A traditional top-down approach to enforcement likely would lack the flexibility needed to allow industry participants to identify the best cybersecurity protections for their systems. Increased input from industry will help create adaptive regulations that can address the evolving nature of cyber threats to the power grid.
The variety of proposals, the lack of consensus, election year politics, the priority given to budget and economic issues, and legislative inertia all render uncertain the fate of any cybersecurity legislation. Perhaps the most troubling uncertainty surrounding future regulation is the unknown timeline for passage and implementation of new cybersecurity laws. Regardless of the level of consensus, undue delay in implementation will risk the effectiveness of any regulation against the ever-changing cyber threats posed to the power grid.
Cyber threats to the U.S. power grid present a substantial challenge for lawmakers, regulators, and industry. How to attain comprehensive cybersecurity remains uncertain; however, the need for action is clear. Preventative measures must be developed to safeguard against cyber attacks on the physical grid, and mitigative procedures are needed to quickly resolve reliability and operational concerns triggered by a successful attack.
In the absence of consensus among lawmakers and regulators, industry participants may face conflicting compliance obligations enforced by different government agencies. As new laws are passed and regulations adopted, questions of interpretation and application must be resolved. In the meantime, cyber threats to critical electric infrastructure remain unabated.
In part two, we will identify measures that industry participants—electric utilities, generation and transmission companies, and industrials with on-site generation—can take today to help protect their physical infrastructure and ensure a more secure cyber future.