NERC CIP compliance presents a balancing act for utilities

Jan. 31, 2017
Consulting firm offers advice for how to build a sustainable compliance program

Last September at ASIS, famed broadcast journalist Ted Koppel spoke to the security professionals in attendance about the cybersecurity – or lack thereof – of the national power grid. Attendees learned about his research into the vulnerabilities of SCADA systems and their control of the three major power grids in the United States; however, as most of the utility security specialists in the audience knew, the utility industry itself has promoted its own best practices to help address the issue. The problem for many is implementing them across the vast and disparate infrastructure resources that make up the nation’s electric grid.

As part of the effort to better protect the U.S. electrical grid from both physical and cyber-attacks, the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards require utilities to comply with a set of requirements that cover the security of a variety of critical assets.

There have been numerous, highly-publicized incidents over the past decade that highlight the potential threats posed by terrorists and nation-states to electric grid operators. In 2013, snipers using high-powered rifles knocked out 17 transformers in an attack against Pacific Gas and Electric’s (PG&E) Metcalf substation in California. Just two years later, a cyber-attack in Ukraine that combined customized malware with a telephone denial-of-service against the affected distribution companies’ call centers left roughly 225,000 customers without power.

While many of the NERC CIP requirements would constitute good security practice in most organizations, utilities face immense implementation challenges. According to Jim Guinn, II, Global Leader for Accenture's Energy, Mining, Chemicals & Utilities Cybersecurity Practice, utilities today find themselves in an ever-changing threat landscape – with new NERC CIP standards continually being developed to adapt to the risks.

“As soon as one company becomes compliant based on their interpretation of the requirements, there is already a new set that is being formulated and released, so it is really a never-ending process,” Guinn says.

Given the dynamic threat environment, trying to simultaneously comply with regulations and mitigate these evolving risks places a heavy burden on the shoulders of grid operators – which is why Accenture recently released a whitepaper designed to provide guidance to utilities on how to build a sustainable NERC CIP compliance program.

Guinn says one of the biggest issues currently facing utilities is the convergence of physical and logical security, and with it the need to change user access rights in a timely manner. “When you start to implement solutions that would restrict a user’s access from a logical asset, you also have to restrict their access to physical assets as well,” he says. “The challenge ultimately becomes the convergence of these and the time that the requirements dictate you have to meet the compliance aspects of physical and cyber access for individuals who no longer need it.

“As an example, in North America, if someone no longer needs access – whether they are terminated, resign or there is a job classification change, all of which happen daily – we have a (time) window to restrict all access to assets that are deemed critical,” Guinn continues. “That becomes the challenge that a lot of the integrated utilities are facing which is how to deal with these ever-changing requirements and these tighter and tighter timelines for compliance as operational technology, information technology and physical access converge together.”
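The reconciliation check the problem above calls for, as an added example that is not from the article or from Accenture’s whitepaper: take the HR termination, resignation and reclassification events, join them against the revocation records of both the logical (IT/OT account) and the physical (badge) access systems, and flag every person whose access was revoked late or not at all in either domain. The record formats, the three people and the timestamps are constructed for the example, and the 24-hour window is a parameter; confirm the window against the CIP-004 version your entity is audited under rather than against this script.

```python
"""
Converged access-revocation check (added example, hypothetical data).

Joins HR termination actions against revocation records from two access
domains and reports anything outside the compliance window. The point of
checking both domains in one pass is that the usual failure is not "IT forgot",
it is "IT revoked the account but the badge system was never told".
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

WINDOW = timedelta(hours=24)  # assumed window; verify against current CIP-004

# Constructed sample data: HR termination / transfer actions (ISO 8601 local time).
TERMINATIONS = [
    {"person": "jdoe",   "action": "terminated",   "at": "2017-01-10T09:00:00"},
    {"person": "asmith", "action": "resigned",     "at": "2017-01-11T16:30:00"},
    {"person": "bwong",  "action": "reclassified", "at": "2017-01-12T08:00:00"},
]

# Constructed revocation records exported from each access domain.
# A person absent from a domain, or mapped to None, was never revoked there.
LOGICAL_REVOCATIONS: Dict[str, Optional[str]] = {
    "jdoe":   "2017-01-10T12:15:00",
    "asmith": "2017-01-13T09:00:00",  # revoked, but well after the window
    "bwong":  "2017-01-12T10:00:00",
}
PHYSICAL_REVOCATIONS: Dict[str, Optional[str]] = {
    "jdoe":  "2017-01-10T09:30:00",
    "bwong": None,                    # badge still active
    # asmith has no physical record at all
}


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def check_revocation(term_at: datetime, revoked_at: Optional[str],
                     window: timedelta) -> Tuple[str, Optional[timedelta]]:
    """Classify one (termination, revocation) pair as ok, late or missing.

    Returns the status and the lag between the HR action and the revocation
    (None when there is no revocation record to measure against).
    """
    if revoked_at is None:
        return "missing", None
    lag = parse(revoked_at) - term_at
    return ("ok" if lag <= window else "late"), lag


def reconcile(terminations: List[dict],
              logical: Dict[str, Optional[str]],
              physical: Dict[str, Optional[str]],
              window: timedelta = WINDOW) -> List[dict]:
    """Return one finding per (person, domain) that is not revoked in time."""
    findings = []
    for ev in terminations:
        term_at = parse(ev["at"])
        for domain, records in (("logical", logical), ("physical", physical)):
            status, lag = check_revocation(term_at, records.get(ev["person"]), window)
            if status == "ok":
                continue
            findings.append({
                "person": ev["person"],
                "action": ev["action"],
                "domain": domain,
                "status": status,
                "lag_hours": None if lag is None else lag.total_seconds() / 3600,
            })
    return findings


if __name__ == "__main__":
    for f in reconcile(TERMINATIONS, LOGICAL_REVOCATIONS, PHYSICAL_REVOCATIONS):
        lag = "no revocation record" if f["lag_hours"] is None else f"{f['lag_hours']:.1f} h"
        print(f"{f['person']:8} {f['domain']:8} {f['status']:7} ({f['action']}, {lag})")
```

Run against the constructed data it reports asmith’s logical revocation as late (40.5 hours) and flags both asmith and bwong as never revoked in the physical domain; jdoe, revoked in both systems within hours, produces no finding. In practice the three inputs would be exports from the HR system, the directory or OT account store, and the physical access control system, and the report would be the evidence retained for the audit trail.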

With the increased regulatory burden that has been placed on utilities with NERC CIP, there is a risk that they may become so focused on compliance that they lose sight of what is actually needed to improve security. Unfortunately, Guinn says some grid operators may have already reached that point.

“There’s not a security executive or a grid and market operations executive who I have met over the course of my career that is not concerned with security,” he says. “The ultimate problem is the landscape continually changes and so the cost of continually implementing higher and higher security controls while managing and maintaining the implementation of the resiliency for things like NERC CIP, you run out of time and you run out of money because there are not endless pools of cash to eliminate all possible threats that appear to be minor today but could be exploited tomorrow.”

Regardless of where a utility might be on the CIP maturity curve – from those just doing the bare minimum to meet the standards to those that have developed a sustainable program that delivers ROI beyond maintaining compliance – Accenture recommends grid operators take several steps to achieve optimal protection, including the following:

  • Understand the current posture. This consists of grid operators diagnosing their current NERC CIP posture through an analysis of their processes and controls, developing an in-depth understanding of the audit trail, and then creating an end-to-end process to demonstrate compliance.
  • Establish a sustainability strategy and governance framework. This should include determining which employees’ roles and responsibilities include assessing the impact of new standards on an ongoing basis.
  • Establish an actionable plan. This plan builds the foundation of a sustainable NERC CIP program that leverages automated and repeatable processes for demonstrating compliance.
  • Begin industrializing key NERC CIP processes. Utilities are urged to initially target high-value areas, which are typically the ones that consume the most manual effort.

“Just like there are resiliency programs and operational effectiveness programs, we are saying you should really have a continuous program for compliance as well as resiliency for security around NERC CIP specifically,” Guinn says.

While it’s nearly impossible to determine when and where an attack against the grid will occur, Guinn does believe that it is only a matter of time before some electric utility in North America is impacted by an attack of some kind.

“Over the course of my career, having done investigations and being the leader of various forensic activities, I have looked under the covers to see what a threat actor did and why they did it, and I’m always amazed at the level of criminal thinking that some of these people exercise to get to their end-result,” Guinn says. “I also have to stop and think, ‘what could they ultimately do and how bad could it get?’ Do I ultimately believe the entire North American grid could go down? No, I don’t. Do I believe there could be regional or pockets of the grid that could be attacked? Yes, we’ve seen it.

“The thinking is, as we evolve these sorts of resiliency programs around governance like NERC CIP – until such time as the capability of those threat actors equals their intent – then we’re generally going to be ok,” Guinn concludes. “Once they reach that inflection point, we are going to see some significant challenges.”