By Holden Mann

ATLANTA — Electric utilities have been largely proactive in their application of cyber risk protection programs across supply chains, according to NERC’s supply chain data request. However, much work remains to be done to ensure consistent adherence to supply chain standards, NERC said.

The organization presented the survey results at the meeting of the Member Representatives Committee on Tuesday. The goal of the survey was to fill in some holes in the understanding of low-impact bulk electric system cyber systems and how they differ from medium- and high-impact assets. Information on low-impact systems has previously been lacking because utilities are not required to inventory such assets.

“A lot of the low-impact cyber asset locations are with entities that have mediums and highs, so they’ve already got a [critical infrastructure protection] cyber compliance program in place,” said Howard Gugel, NERC’s vice president for engineering and standards. “They’re also subject to CIP-013 [procurement standards, and] they said they were going to voluntarily apply that, because they’re not going to have separate procurement systems for the lows, mediums and highs.”

Among the survey’s findings was that two-thirds of low-impact assets allowed external connectivity by third parties. Gugel described the consistency of this statistic as surprising given the diversity of operators participating in the survey.

“The amazing thing about this was, any way we split the numbers — if we looked at folks that only had low-impact BES cyber assets, if we looked at just the mediums and highs, or if we looked at entities that had the mediums and highs, and also lows — that same percentage was there for all of them,” he said.

But the findings became more varied as the team dug further into the details, breaking the overall cyber assets down by location: transmission stations and substations, generation resources, system restoration, etc. For operators with portfolios that included high-, medium- and low-impact assets — a category that included about 93% of the low-impact assets surveyed — the latter tend to be weighted toward the transmission side. For those that only own low-impact systems, most of their assets tend to be in generation.

Both types of operators are more likely to allow third-party electronic access to generation resources than transmission, but the divide is far starker with low-only asset owners. More than half of their generating resources in both the low and medium load (defined as less than 500 MW and 501 to 1,000 MW respectively) allowed external connectivity; by contrast, the split was more even for owners of low-, medium- and high-impact assets.

“It might cause us to have some more conversations with some of those entities; say, ‘What kind of controls do you have over this, and how are you looking at that access?” Gugel said.

Currently operators that have only low-impact cyber assets are not required to adhere to the portions of the NERC CIP reliability standards that apply to medium- and high-impact systems, partly because of the perception that such assets do not pose enough of a threat to include them. Gugel suggested that this attitude could need to be revisited: Although these assets may not be dangerous on an individual basis, collectively they have the potential to cause considerable headaches.

“I’m a transmission planner at heart and tend to look at blows to the system and impacts to transmission lines and such,” Gugel said. “From a cyber perspective, it’s a completely different beast — the ability to impact a bunch of blows from a remote threat actor is more than what I would consider for an N-1 from a transmission planning perspective, and it may rise to a risk that we should start considering.”