NERC Balks at Expansion of Cyber Rules

EPSA Panel Discusses Foreign, Domestic Threats

<em>RTO Insider</em> Editor Rich Heidorn Jr. (left) moderates a panel on cyber and physical security with (from left) FBI Special Agent John J. Rovinski Jr.; Manny Cancel, CEO of E-ISAC; Mara Winn, deputy director for preparedness, policy and risk analysis for the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER); and former New Jersey regulator Richard S. Mroz, an adviser to Protect Our Power

RTO Insider Editor Rich Heidorn Jr. (left) moderates a panel on cyber and physical security with (from left) FBI Special Agent John J. Rovinski Jr.; Manny Cancel, CEO of E-ISAC; Mara Winn, deputy director for preparedness, policy and risk analysis for the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER); and former New Jersey regulator Richard S. Mroz, an adviser to Protect Our Power | © RTO Insider LLC

Mar 27, 2023

NERC will not support expanding physical security standards to all major BPS assets when it files comments with FERC next month, a senior official told EPSA.

WASHINGTON — NERC will not support expanding physical security standards to all bulk power system transmission assets when it files comments with FERC next month, a senior official told the Electric Power Supply Association (EPSA) last week.

FERC’s existing physical security reliability standard (CIP-014-3) requires transmission owners to perform periodic assessments to identify transmission stations and substations whose loss or damage could cause cascading outages.

In December, FERC ordered NERC to report on the effectiveness of the existing standards and determine whether a minimum level of protections should be required for all BPS transmission stations, substations and primary control centers (RD23-2). The commission acted following the Dec. 3 gunfire attack on two Duke Energy (NYSE:DUK) substations in North Carolina, which left 45,000 customers without power for as long as four days. NERC’s response is due in mid-April. (See FERC Orders NERC Review on Physical Security.)

“The easy answer will be apply everything [to] every station … Just protect them,” NERC Senior Vice President Manny Cancel said during a panel discussion at EPSA’s Competitive Power Summit March 21. “That really is not very prudent. It doesn’t make any sense at the end of the day to drive up costs without really buying down risk. So [NERC will propose] a much more risk-based approach [with a] discussion about the sort of no-regrets moves to make. And it’s not just physical protection, right? It could be everything from designing the grid differently. It could be the introduction of renewables and battery storage. It could be a bunch of those.”

Advance Planning Crucial

Cancel’s fellow panelists agreed on the need to balance costs against risks. They said the most cost-effective protections are those planned in advance.

“Bolting it on [afterward] is not the way that we want to do security,” said Mara Winn, deputy director for preparedness, policy and risk analysis for the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). “‘Secure by design’ is something that we take very seriously.”

That includes vetting of suppliers. “It is a lot better to know that you’ve done your due diligence, that you … are buying from suppliers that you can trust,” she said.

“You can’t bolt down every system, so you have to pick and choose,” said John J. Rovinski Jr., supervisory special agent in the FBI’s Cyber Division. “Just obstructing the view of things and knowing your architecture is key. … It doesn’t have to be a [large] investment. CISA [the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency] just put out a product on their website last month, specifically talking about hardening power substations, and listed out a number of different things that are not very expensive to do. Just maintaining a fence. Having signage. Making sure there’s no vegetation near those fences offers you better sight lines for your closed-circuit TVs. It’s not very expensive to hire someone to come and trim your bushes back.”

“It can’t be gold-plated. It’s got to be prudent,” said former New Jersey regulator Richard S. Mroz, an adviser to Protect Our Power, an organization that supports efforts to strengthen the grid. “But it is prudent to make these investments … whether it’s in cybersecurity or physical security, because the alternative — the cost of not doing it — is worse.”

‘Copycats’

Cancel is also CEO of the Electricity Information Sharing and Analysis Center (E-ISAC), which saw a spike in physical security incidents in the presidential election year of 2020 and in the mid-term election year of 2022. Most incidents involved petty thefts or vandalism, and only 3% of such incidents resulted in impacts to the grid, he said.

Although small groups of neo-Nazi and white supremacist sympathizers have been accused in planned attacks on grid assets, there is no evidence of central planning of such attacks, Cancel and Rovinski said. (See Feds Charge Two in Alleged Conspiracy to Attack BGE Grid.)

In most incidents, Cancel said, “we don’t know a lot about attribution, because, as you know, there hasn’t been many apprehensions.”

But, he added, “When you look at all these extremist groups, or groups that are driven by a particular ideology, it is a consistent arrow in their quiver: That is attacking critical infrastructure, whether it’s electricity or some other critical infrastructure sector. That’s part of their plan.”

As a result, Cancel said, the E-ISAC’s seventh GridEx exercise on Nov. 14-15 will “have a big focus on physical security.”

“The grid itself is a natural target,” said Rovinski, “just because it’s visible, a kind of community service that is locally available — you don’t have to travel far.

“The increase in attacks increases the chatter among the groups who look at the news coverage, because media coverage, obviously, invites copycats,” he added. “They’ve seen power being taken down for 60,000 people. [They think] ‘Oh, that creates an attack that gets our message out, that puts us to the forefront.’”

Transatlantic Cooperation

The panelists also agreed that the U.S. has improved cooperation with its European allies in response to fears that Russia might launch cyberattacks to dissuade them from coming to the aid of Ukraine.

“As far back as probably October of 2021, before the invasion actually occurred, we were getting briefings from our government partners both at CISA and at DOE,” said Cancel.

“We had gotten the sector together to say, look … this threat is real, here are the potential things that could happen [and] made everybody revisit what happened with Ukraine in 2015 and 2016, where Russia actually did disrupt electricity infrastructure there.”

CISA and DOE warned of the need to monitor for malicious software called Pipedream with the ability to disrupt critical infrastructure.

“We came together in unity,” Winn said of the U.S. and its allies. “I think that’s a fantastic outcome of a challenging situation.”

Now, she said, the question is, “What do we need to do to sustain efforts to make sure that we don’t lose all of that engagement? To make sure that … the partnership on analyzing and understanding threats continue.”

Cancel said officials also are focused on the threat from China, which he said has “very sophisticated capabilities that are similar — and in some cases may exceed — [Russia].

“We continue to see attempts to survey networks here in the United States. And what the Chinese are very good at doing is looking for vulnerabilities; looking for holes in networks, so they can get in and introduce malware or just, you know, poke around and see what they can steal. It’s very focused on espionage surveillance.”

CIP Conference Coverage NERC & Committees Reliability Transmission