Security and Resilience (Cyber and Physical)

All Utilities Are Facing Higher Cyber Risk — and Some Might Soon See Higher Costs

Every utility faces cyber risk, and as utilities manage more suppliers and assets, the boundaries for each utility’s mitigation focus also expand.

In March, the Government Accountability Office reported that the grid, particularly distribution systems, is increasingly at risk from cyberattacks. This heightened risk stems from increased remote access to utility industrial control systems (ICS) and from connections between those systems and utility business networks. An emerging concern is the risk of coordinated, simultaneous attacks on multiple utilities, such as the SolarWinds event.

This issue has the attention of the North American Electric Reliability Corporation, which enforces mandatory reliability standards for electric utilities. Jim Robb, NERC president and CEO, remarked to members of the American Public Power Association’s board of directors in February: “Recent cyber activity has raised our awareness of the need to rethink the bright-line criteria we use to describe high/medium/low impact assets with a focus on external access. We are seeking input from all parties, including APPA, to develop a model that provides for rigorous and difficult-to-defeat access controls from third parties to protect against coordinated attacks or supply chain compromises, while being sensitive to the additional complexity such controls may create.”

These remarks reflect a February decision by the NERC board to reconsider one of its critical infrastructure protection (CIP) reliability standards, CIP-002-6, which defines whether facilities pose a low, medium, or high impact potential if compromised by a cyberattack, and therefore, what compliance actions they are required to follow.

A specific focus of NERC’s review is the requirements for transmission owner control centers, or TOCCs. There has been much debate — reflected in changes to the standard — about whether TOCCs should be classified as having low or medium risk. The concern comes from entities that have an ownership stake in, but not operational control of, transmission assets. The designation as medium risk would bring higher costs — in the form of needing more staff and hiring consultants and third-party services to manage the added compliance activities — without necessarily aligning with a higher risk profile.

Who’s who in the review

In May, the NERC Standards Committee approved a slate of industry nominations to form the team that will look at the TOCC piece. The review group includes several public power representatives, among them Russ Noble from Cowlitz Public Utility District in Washington and Robert Croes from the city of Homestead in Florida, plus industry consultants Brian Evans-Mongeon from Utility Services and Terry Volkmann. The group will look at thresholds for medium and low impact in CIP-002-6 and whether there is a need for further revision. The team might conduct technical field tests that include load flow studies to investigate the thresholds. The expectation is that the team’s findings might lead to registration changes for TOCCs that perform some transmission operations functions.

A separate team is conducting a broader review and analysis of the degrees of risk presented by various bulk electric system facilities that meet the low-impact criteria and will report on whether those criteria should be modified. The group consists of NERC staff, FERC staff and industry representatives. The team includes public power representatives from the Florida Municipal Power Agency and Chelan Public Utility District in Washington. The aim was to assemble a team of cybersecurity and compliance experts representing a cross section of the industry, so as to fairly assess the potential threat and risk posed by a coordinated cyberattack on low-impact BES cyber systems.

What’s next

It is likely that NERC will submit recommendations for any modifications before the end of the year. In June, NERC sent registered entities a letter about these likely changes, in some cases rescinding the low-impact status. Utilities facing changes have until October 2023 to get into compliance. Utilities on the edge of moving to a different risk category are likely to see the biggest changes from these decisions, but any changes will be pertinent for all utilities, regardless of size or registration status.

The policy outcomes that arise from this regulatory attention will need to balance the government interest in protecting the nation against a coordinated cyberattack and industry concerns about regulatory burden and resources. The interconnectivity of systems and the need for adequate security are growing concerns for all utilities, and those who don’t see changes in their compliance levels are still likely to learn and deploy some of the new best practices that emerge from the review.