September 30, 2024
Panel: Industry Dialogue Key to Cyber Resilience
Panelists at NERC’s Reliability Leadership Summit called for fresh thinking to address emerging cybersecurity threats to the grid.

As the spread of distributed energy resources creates more opportunities for online attacks against the electric grid, industry experts are calling for fresh thinking to address emerging cybersecurity threats.

“A lot of people are very concerned, including me, but the sky isn’t falling; I’m confident [we’ll] figure it out,” Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center, said in a panel at NERC’s Reliability Leadership Summit this week. “But … when you extend what this threat means across distributed resources, it … not only increases the attack vector, but … it holds us accountable. And we really have to think about how we build protection into the design of these systems going forward.”

The past two months have provided myriad examples of how “the risk is converging,” Cancel said, pointing to the unrest at the U.S. Capitol on Jan. 6 and the breach of SolarWinds’ Orion products that allowed hackers to gain access to multiple government computer networks, including the Department of Energy and FERC. (See FERC Pushes Cybersecurity Incentives.)

Vendors Emerge as Major Risk

Earlier this month, the FBI, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence and the National Security Agency issued a joint statement saying the SolarWinds breach was “likely Russian in origin.” Panelists warned that the attack exposed some flawed assumptions in current security thinking that will need to be addressed to prevent future attacks.

“As a collective, [we] need to manage how we deal with vendors,” said Michael Russell, manager for the energy, finance and telecommunications sectors at the Canadian Centre for Cyber Security. “SolarWinds was an American vendor. You’re never going to catch an American vendor [if] country-of-origin testing [is] your only determination if something’s good or bad. We really need to … take in other factors, such as the sensitivity of the equipment, the technical characteristics and the life cycle that the equipment was developed under.”

The growing presence on the grid of internet-connected assets made by vendors with uncertain supply chain provenance is a potentially serious problem, warned Tom Galloway, president and CEO of the North American Transmission Forum. He gave an example of a class of inverters that were found to have a common flaw, but only after their misoperation — the kind of weakness that could present a “common mode of failure” exploitable by adversaries.

“You can imagine someone with a malicious intent figuring out a way to affect multiple devices like that simultaneously … and with the proliferation of new equipment on the system, I really think that we have to get our game on with supply chain,” Galloway said.

Security Benefits from Mutual Assistance

But the supply chain issues and other cybersecurity challenges are unlikely to be solved by the imposition of new requirements from FERC or other governmental bodies, Russell said, calling the impulse to control cyber threats through regulation “a bit of a race to the bottom.” Instead, regulators must find ways of encouraging utilities to build cybersecurity into their existing risk management processes so that they can internalize the risk and build their own solutions.

Michele Guido of Southern Co. agreed with the other panelists that the scope of the threats from online actors is still not fully known, and that industry-wide conversations are urgently needed in order to identify and prioritize the most pressing issues and plan for how to tackle them.

“I think … we had an absolutely incredible year in 2020. The power stayed on [and] we worked together, no matter what the situation,” Guido said. “But what are those things that we’re not thinking about? … What do the threat indicators look like, what are the warnings … and then how do we better partner with [the] public sector … and be proactive, not reactive to every event?”

Marilyn Brown, interim chair of the school of public policy at the Georgia Institute of Technology, confessed to feeling “nervous” about the rapidly shifting world of cybersecurity. On the other hand, she pointed out that the industry currently has a bit of unexpected breathing space and urged those present to take the opportunity.

“I may be naive, but it seems to me that with the pandemic and the slowdown in electricity consumption, we’ve had the luxury of a bit of tranquility, in terms of not having to meet the load that’s growing exponentially,” said Brown. “So … we are in a space right now where we can really get our policies in line. … But be ready, because in a year or so, it’s going to be a different day with the uptick of electricity demand and of course the electrification of everything that’s going on.”
