Is the Electrical Grid Safe? And Who is Watching the Store?

CYRIN Newsletter


Since October is Cybersecurity month, and as cybersecurity rules are coming to critical infrastructure including the grid, we thought we’d touch on an always popular topic: How vulnerable is the country’s electrical grid? What happens when it is even temporarily compromised — and what safeguards might be put in place to prevent a collapse? These are critical questions for government and industry to focus on, and various agencies are already working together to head off any potential cybersecurity weaknesses before they escalate into a national crisis. However, since the grid touches so many areas of modern life — power, transportation, communications, aviation, healthcare, and finance, just to name a few — many sectors could be adversely, even disastrously, impacted by an attack on the grid.

Complicating matters is that the US grid has many moving parts. Many have called it the largest machine in the world, comprising eleven thousand power plants, three thousand utilities, and more than two million miles of power lines. In practice, however, the network covering the lower 48 states is comprised of three major interconnections, the Eastern, Western and Texas interconnections, functioning predominantly independently of one another with limited exchanges of power between them.

The very makeup of the electricity sector presents a challenge. The industry that produces and transmits electricity in this country is very large and fragmented. There are thousands of power generation plants and electric power transmission lines (collectively known as the Bulk Electric System, or BES) across the US. Some are federally owned, some are owned by local public utilities, and others are investor-owned.

The More Moving Parts, The More Problems

And as anyone knows, the more moving parts, the more possible problems. Recent government mandates from the Biden administration, working with CISA (Cybersecurity and Infrastructure Security Agency), promise that critical information regarding the stability of structures like the grid will be more comprehensive than ever before. New federal reporting rules are in continuous development, designed to gain important insights into the vulnerabilities in the grid before they become a far-reaching problem.

CISA, for example, is trying to get out in front of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Under that law, passed earlier this year, the agency is developing regulations that will require critical infrastructure entities to report cyber incidents to CISA within 72 hours and ransomware attacks within 24 hours.

The White House ordered CISA last year to work with the National Institute of Standards and Technology to develop these goals in the wake of ransomware attacks on Colonial Pipeline and IT firm Kaseya. These rules — some of which are not yet in their final form — include requirements for major industry players to notify the federal government within a set number of hours when they suffer a cybersecurity incident and develop detailed plans for responding to a disruptive hack.

To help in that effort, the agency is taking the development of landmark cyber incident reporting regulations on an 11-city roadshow, ending next month in Kansas City, MO, as it seeks feedback on several key questions about the forthcoming rules.

Maintaining resilience of the power grid is crucial to a nation’s energy security and sustainability. Normally, you only hear about it when you have large-scale failures such as the power outages that hit Texas in 2021. Power outages have become more and more frequent, and they incur enormous social and economic costs. It is estimated that power outages in the United States cost businesses $150 billion per year.

Experts have been warning about the grid and other vulnerable infrastructure for some time and recent events on the international scene have only increased the warnings from both public and private sources. In addition, due to the growing usage of information and communication technologies (ICT), power grids are being increasingly exposed to cyber attacks.


Concern about such an event has been mounting within the U.S. government for years. According to a report by Bloomberg, DARPA began laying the groundwork for its drills in mid-2015, part of a five-year, $118 million project called Rapid Attack Detection, Isolation and Characterization Systems—or RADICS—after chilling congressional testimony the previous year from then-National Security Agency Director Mike Rogers. Rogers told lawmakers that hackers had been breaking into U.S. power utilities to probe for weaknesses and that Russia had been caught planting malware in the same kind of industrial computers used by power utilities. “All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” he said.

The CYRIN Newsletter previously reported on the Colonial Pipeline attack, which is part of a larger trend of hackers attempting to compromise critical infrastructure that would put people and countries at grave risk.

So, the question is who is in charge of protecting the grid? While the Department of Energy (DOE), NERC / E-ISAC, and the Electricity Subsector Coordinating Council (ESCC) all have advisory, coordinating, and regulatory roles in the commercial utility sector, many people, particularly at the Federal Government level, fear that no one agency is watching the store and reporting is not always as up to date as some would like.

Today, oversight of the grid is the responsibility of a patchwork of federal and state authorities. The 2005 Energy Policy Act designated the Department of Energy’s Federal Energy Regulatory Commission (FERC) as the primary authority over power generation and transmission across the United States.

The North American Electric Reliability Corporation (NERC) is a not-for-profit corporation. It acts as the self-regulatory organization “whose mission is to assure the reliability of the bulk power system (BPS) in North America.” The Federal Energy Regulatory Commission (FERC) is an independent federal agency that regulates the interstate transmission of electricity, natural gas, and oil. However, jurisdiction over local-level retail power distribution, which actually delivers that power to end users, remains in the hands of state and municipal governments.

This is where the recent reporting rules and CISA’s role in the process have been elevated. And like any change to existing procedures, the proposed goals are facing some pushback. According to some reports, some members of the Information Technology Industry Council, as well as other industry groups, were unhappy that the proposed performance goals don’t fully align with NIST’s widely-embraced cybersecurity framework, itself a set of voluntary cyber guidelines that is in the midst of its own update, potentially leading to further conflict. However, CISA, which has always publicly stated that it sees this as a cooperative effort, has won praise from industry officials for its receptiveness to industry feedback, with many groups saying the agency has already made improvements from an earlier set of goals.

CYRIN Can Help

The grid is just one part of a larger puzzle to protect critical infrastructure. Many think the SolarWinds and Colonial Pipeline attacks were the tipping points that have caused many to ask — are we adequately protected, and who is responsible for that protection? At CYRIN we work with all parties to the issue — whether government, industry or colleges and universities. This gives us insight into some of the problems and some of the solutions, which include having properly trained students as they enter the workforce, as well as training cyber defenders for the military, government, and private sectors they need to safeguard.

To meet the test, CYRIN is continuously evolving to stay abreast of the cyber “arms” race. We constantly add new exercises and courses, and our collaboration with partners like the Rochester Institute of Technology (RIT) helps us add new tools to meet the existing challenges and new threats as they emerge.

But don’t take our word for it. Please take a look at our entire course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
