By Rich Heidorn Jr.

ATLANTA — NERC last week gave the GridSecCon 2019 conference a preview of results from its supply chain data request, which sought to fill a gap in its knowledge of low-impact bulk electric system cyber systems.

The request on the “the nature and number” of low-impact systems was a recommendation of the staff supply chain report approved by NERC’s Board of Trustees in May. (See “Supply Chain Report Recommends Expanding Standards,” NERC Standards News Briefs: May 8-9, 2019.)

Because utilities are not required to inventory such equipment, “we just don’t have a good feeling for what the magnitude of [low-impact assets are] compared to what we have for mediums and highs,” said Howard Gugel, NERC’s vice president for engineering and standards.

Gugel said NERC will provide the Member Representatives Committee a report at its Nov. 5 meeting with an anonymized summary of the results.

“[There was] a lot of really interesting information in it. There were some things that somewhat surprised me,” Gugel said.

One finding: Two-thirds of the assets had external connectivity. “Whether it was a high, medium or low [asset]; whether it was entities that had a … blend of all of those [types] or strictly just had lows, it was pretty much a 2:1 ratio,” Gugel said.

He also said NERC is having discussions with utilities and industry trade groups, including the North American Transmission Forum, on developing a certification system for suppliers. The participants are examining existing programs “to see whether or not some combination of the existing certifications could be adequate in this space or whether or not some sort of a new certification needs to be developed, and who would be managing that,” Gugel said.

During a panel discussion on supply chain risks, Ginger Wright, manager of the energy-cyber portfolio at Idaho National Laboratory (INL), discussed how the lab decides what technologies deserve analysis and testing. One consideration: “consequence or impact.”

“If misuse of a certain device could result in a catastrophic impact on the grid, that’s an important device. But we also had to think about the ubiquity of a given device,” she said. “If a device is used either everywhere, or a great deal regionally, then … even though it does not have in itself a catastrophic impact, because of the ubiquity of its use, it might be a very good idea to take a look at that.”

Another consideration is the lifespan of the device. “Everyone here knows that [operational technology] devices live a very long time — much longer than the three to five years for most IT devices. And so, the longer something would be present on the grid, the longer the risk would persist,” she added.

Dave Whitehead, COO of Schweitzer Engineering Laboratories, said his company has responded to counterfeit threats by doing security ratings of devices and developing a database of vendors. At its Pullman, Wash., factory, the company uses microscopes to identify fakes, which under magnification are revealed to have missing bond wires or other defects.

Bryan Owen, cybersecurity manager for OSIsoft, which makes application software for real-time data management, offered what he called “one crazy comment” as the 45-minute discussion ended.

“I think we should also open our minds to [the idea that] trustworthy systems can be built out of untrustworthy components. Just think back to the day when hard drives were so bad and then out came the RAID [Redundant Array of Inexpensive Disks]. Even though that wasn’t a cyber fix, it was a reliability fix. … There is research suggesting that this is possible, so I would open ourselves to taking advantage of all possible solutions.”

Wright mentioned that INL will hold a Cyber Resilient Supply Chain Technologies Workshop at the Hyatt Regency hotel in San Francisco on May 21, 2020. The deadline for submission of papers is Jan. 13. The lab will be releasing additional details on the event shortly.

In a separate panel, Laura Schepis, senior director of national security for the Edison Electric Institute, identified what she calls “the supply web” as among her biggest concerns. “We need everybody’s great minds on that,” she said.