Physical attacks on electric infrastructure have been on the upswing over the past year, with recent attacks in North Carolina and Washington state and a foiled plot in Baltimore bringing more attention to the issue, experts said at the National Association of Regulatory Utility Commissioners’ (NARUC) Winter Policy Summit on Sunday.
“Over the last year, we’ve seen a marked increase in security incidents,” said NERC Senior Vice President and Electricity Information Sharing & Analysis Center (E-ISAC) CEO Manny Cancel. “So the bad news is that there has been an increase — a fairly significant one compared to the baseline of the previous five years.”
While attacks are on the rise, only a small portion of physical attacks actually cause any damage to the broader power grid, Cancel said. But those that do can have major impacts, such as in North Carolina late last year. (See Duke: NC Outages from Attacks May Last Until Thursday.)
Physical attacks have been clustered close together geographically, sometimes with multiple assets in the same area targeted, and sometimes the same infrastructure has been hit more than once, said Cancel.
While a handful of suspects have been arrested, in most cases the industry is not aware of who is attacking its infrastructure, Cancel said. Some of the cases are clearly just petty theft with infrastructure being stripped of copper or other valuables.
FERC and NERC have set up mandatory Critical Infrastructure Protection (CIP) standards that deal with both cyber and physical attacks. Those standards helped to minimize the impact of the North Carolina attack in December, Cancel said, but NERC is also working on expanding those to better protect the grid.
Reliability standards today are focused on protecting against grid instability and preventing cascading outages, but going forward, Cancel said, it might make sense to update standards to minimize the loss of load from attacks and to better protect against coordinated efforts such as the foiled plot in Baltimore, where neo-Nazi extremists planned to attack multiple assets. (See Feds Charge Two in Alleged Conspiracy to Attack BGE Grid.)
While physical attacks on the grid have made more headlines recently, the E-ISAC and NERC spend just as much time on cybersecurity, which can prove riskier to the grid.
“Certainly, cyber has the capability to do more at scale,” Cancel said. “And certainly when you factor in the capabilities of nation-state adversaries, those are very complex adversaries that have really strong potential … to carry out attacks.”
The recent spate of attacks has the industry on the verge of a paradigm shift, said Joseph McClelland, director of FERC’s Office of Energy Infrastructure Security.
“If you remember, prior to 9/11, the airport security … was effective for the cost that we paid,” he said. “After 9/11, there was a paradigm shift. And so you know, we paid a lot more [for] a lot more security and a lot bigger hassle associated with that security, but it was worth the cost.”
Historically, the main security worry for the industry was a random person wandering into a facility and getting hurt, which could be taken care of with fences, McClelland said. But now the industry needs to step up its game by analyzing risks around the grid and coming up with a cost-effective plan to make it more effective.
CIP standards are foundational practices to ensure a minimum level of security, while McClelland’s group at FERC is focused on best practices.
“We’re looking for those advanced adversaries that specifically target our energy infrastructure,” McClelland said. “Using this two-pronged approach, FERC can move very quickly, even against the most advanced aggressor.”
The commission works closely with other governmental agencies to determine who is trying to attack the grid, which can help it come up with best practices for defense. FERC staff can then bring some of that information down to the industry, even granting state commissioners one day of security clearance so they can be briefed on any relevant threats.
“We will read in, so to speak, those state commissioners, and in that session, we’ll do a classified briefing,” he added. “But as importantly, perhaps more importantly, we do a working session where we talk specifically about how these adversaries can be stopped.”
As threats emerge in between those briefings, FERC will also issue advisories so that any new major issues are known by those under threat.
“If there are utilities that are particularly targeted, or the networks and systems that they operate have shown some vulnerabilities and showing some attention from adversaries, we will contact those utilities and we will work specifically with them to help them understand the threats and then work with them to also assess how vulnerable they are to the threats,” McClelland said.
Another way of informing the industry is through a regular tabletop exercise called “Cyber Yankee” that FERC holds with the industry in which they simulate grid attacks based on real threats, McClelland said.