With an ever-increasing number of adversaries in cyberspace targeting the North American power grid, speakers at a webinar hosted by the Texas Reliability Entity on Feb. 27 emphasized that rigorous planning and testing are essential to maintaining electric reliability.
“We need to remain at high alert and have a decisive plan that can respond to these types of threats,” said Texas RE CIP cyber and physical security analyst Jason Georgoulis at the regional entity’s regular Talk with Texas RE event. He cited the Pipedream and Volt Typhoon malware campaigns, which are linked to Russia and China, respectively. (See CISA Highlights China Threat in 2024 Priorities Report.) “Proper training, testing and learning from the gaps in these tests can help meet the purpose of the standard, which is to mitigate the risks to the reliable operation” of the power grid.
The focus of the webinar was NERC’s reliability standard, CIP-008-6 (Cybersecurity — incident reporting and response planning), which outlines the requirements for utilities to implement in their cybersecurity incident response plans (CSIRP). Georgoulis reminded listeners the standard is meant to ensure “quick and decisive action is taken in the event of a cybersecurity incident” and that having a comprehensive response plan can help entities “mitigate any risks that may arise” from a security compromise.
Georgoulis said a CSIRP must spell out the process by which entities will identify attempts to compromise their systems, classify what kind of threat is occurring, and respond to incidents appropriately. He noted a potential roadblock to compliance with CIP-008-6 in the fact that NERC did not define “attempts to compromise” in the standard. This means entities must create their own criteria to determine if such attempts have occurred.
To satisfy this requirement, Georgoulis suggested sample criteria, such as “suspicious or excessive failed login attempts [or] reports of an unsuccessful social engineering attempt.” Attendees also provided examples of criteria their entities use, including security event logs and unexplained spikes in CPU activity.
Once an entity has concluded an incident is underway, it must determine whether the incident needs to be reported to the Electricity Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency. In this case, Georgoulis noted NERC does specify the incidents that must be reported are those that compromise or disrupt:
- a cyber system that performs one or more reliability tasks of a functional entity;
- an electronic security perimeter of a high- or medium-impact grid cyber system; or
- an electronic access control or monitoring system of a high-impact grid cyber system.
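To make the two decisions above concrete (whether an "attempt to compromise" criterion such as excessive failed logins has been met, and whether an affected asset falls in a reportable category), here is an added example written for this article; it is not code from Texas RE, NERC or the webinar. The failed-login threshold and window, the asset-type labels and the log events are constructed assumptions; the reportable categories follow the article's list.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed CSIRP criterion: the standard leaves the numbers to each entity.
FAILED_LOGIN_LIMIT = 5          # failures per (user, host) ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window

# Reportable categories as listed in the article (asset-type labels are assumed):
# any reliability-task cyber system; ESP of high/medium impact; EACMS of high impact.
REPORTABLE = {
    "bes_cyber_system": {"high", "medium", "low"},
    "esp": {"high", "medium"},
    "eacms": {"high"},
}


def attempts_to_compromise(events):
    """Return the (user, host) pairs whose failed logins meet the criterion.

    events: iterable of (timestamp, user, host, outcome) tuples, outcome being
    "failed" or "success". Only failures count; successes are ignored.
    """
    recent = defaultdict(deque)   # per (user, host): timestamps of recent failures
    flagged = set()
    for ts, user, host, outcome in sorted(events):
        if outcome != "failed":
            continue
        window = recent[(user, host)]
        window.append(ts)
        while window and ts - window[0] > WINDOW:   # drop failures outside the window
            window.popleft()
        if len(window) >= FAILED_LOGIN_LIMIT:
            flagged.add((user, host))
    return flagged


def is_reportable(asset_type, impact):
    """True if compromise/disruption of this asset must be reported to E-ISAC/CISA."""
    return impact in REPORTABLE.get(asset_type, set())


# Constructed sample: six failures against an HMI in under three minutes (meets the
# criterion) and four failures on a workstation spread 15 minutes apart (does not).
T0 = datetime(2024, 2, 27, 9, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=30 * i), "operator", "hmi-01", "failed") for i in range(6)]
    + [(T0 + timedelta(minutes=15 * i), "analyst", "ws-07", "failed") for i in range(4)]
    + [(T0 + timedelta(minutes=4), "operator", "hmi-01", "success")]
)

if __name__ == "__main__":
    for user, host in sorted(attempts_to_compromise(SAMPLE_EVENTS)):
        print(f"attempt to compromise: {user}@{host}")
```

Whether a flagged attempt becomes a reportable incident still depends on the affected asset's category, which is what `is_reportable` encodes from the article's list.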
Another key requirement of the standard, Georgoulis noted, is to clearly define the roles and responsibilities of the cybersecurity incident response team. He explained that “having an established cybersecurity incident response team with the corresponding roles and titles listed in the plan can minimize any kind of confusion on who needs to do that during a scheduled test or in the event of an actual cybersecurity incident.”
Finally, Georgoulis reminded entities that simply having a response plan is not enough to satisfy the standard. Entities must test the plan “at least once every 15 calendar months” either through a tabletop or operational exercise based on an actual reportable cybersecurity incident.
In response to a question from the audience, Georgoulis confirmed that GridEx, the biennial security exercise hosted by NERC and the E-ISAC, might count as an “operational exercise” to satisfy the requirements of the standard, depending on the details of the scenario. He clarified that the GridEx scenario would have to be based on an actual incident and would have to include an applicable system.