There is little debate as to whether the 2021 FERC mandates moved the industry's required cybersecurity posture in the right direction. But during compliance screenings, many of the companies inspected were doing more than the mandate requires. That raises the question: should some of these frequently seen practices become future mandates? Can the energy sector, a critical national infrastructure component, afford weak links? And how often should these mandates be revisited in light of increased threat actor activity?
So, what are the cyber threats facing the energy sector, and what are the best practices power companies can employ to keep them off the grid?
The global power supply is under cyberattack
“Threats to industrial cyber security are becoming more common, complex, and creative,” states Trond Solberg, Managing Director, Cyber Security DNV. “In 2020, a staggering 90 percent of companies in the manufacturing, energy and utilities, healthcare, and transportation sectors suffered an attack on the computing systems managing their operations.”
Said Rep. Stephen F. Lynch, Chairman of the Subcommittee on National Security, in a hearing to examine the cybersecurity of the U.S. electrical grid, “The electrical grid is… a priority target for state and non-state cyber adversaries. A successful attack on the electric grid could have devastating consequences for U.S. national security and economic interests.” Remember Colonial Pipeline? Now the US braces for cyberattacks targeting the grid as Russia makes its threat presence known, with warning shots and outright attacks already under way in Ukraine. Problems are proliferating across the pond as well. According to one industry report, the energy sector was the highest-risk group in the UK for cyberattacks in 2021.
So what do C-levels think about all this? New research published by DNV noted that “energy executives anticipate life, property, and environment-compromising cyber-attacks on the sector within the next two years.” It went on to state that “84% expect physical damage to assets and 57% anticipate the loss of life.” Fewer than a third are confident they’d know “exactly what to do” to address a specific cyber concern, yet only 44% of C-suites interviewed see a need for urgent improvements. The report put matters succinctly when it stated “defensive action appears to lag.”
NERC 2021 updated cybersecurity standards
However the private sector may be responding, the energy regulatory commissions are making a concerted effort, and that in itself should be the clearest warning of all. Yet for all the progress made to date, more is still needed.
Last year, the North American Electric Reliability Corporation (NERC) updated its industry-wide cybersecurity standards. However, there’s still more to do. Says the Energy & Climate council, “The report indicated that there are numerous practices that are not required that would improve security—highlighting that the existing standards do not comprehensively protect bulk power operators from cyber threats.”
The bulk power system, or bulk electric system (BES), is a “large, interconnected electrical system including generation and transmission facilities.” It falls under the jurisdiction of the Federal Energy Regulatory Commission (FERC), which in turn oversees NERC as the certified Electric Reliability Organization that develops the standards FERC approves. Why are they under federal auspices? Because they’re the big guys. Bulk power systems don’t handle local energy distribution. Instead, they keep the lights on for the other critical infrastructure (and private sector) organizations that are central to making a city or a state run.
Since NERC’s 2021 cybersecurity updates did not fully protect them, FERC’s audit report recommended that electrical grid operators build out policies to address those gaps.
Cybersecurity challenges and what to watch in 2022
The need for additional security for bulk power systems becomes self-evident when you consider the challenges the sector is (and is projected to be) up against. Let’s start with the basics. The US electric sector faces some unique (and some not-so-unique) cybersecurity challenges:
- “Ransomware Attacks and Incident Response
- Identity and Access Management Inefficiencies
- Incomplete Integration of Systems
- FERC, NERC, and State and Federal Compliance Requirements
- Supply Chain Risks”
They are also at the mercy of the cybercrime trends that Dark Reading predicts will hit this year. Here are three.
- More attacks. It’s not if, but when, these days, so companies should be ready. Make a plan and practice your playbooks.
- More Industrial IoT. Critical national infrastructure (CNI) sectors are being hit hard. Watch your shadow IT, protect your IoT devices, and look both ways before connecting IT networks to legacy (and unpatched) OT.
- More discussions in boardrooms. All eyes turn to cybersecurity now that remote work, SaaS services, and a growing IoT footprint have pulled data safety to the forefront. “Boards and investors will be asking how companies are handling cybersecurity risks,” so have experts on your side who can communicate what your security strategy does for the company.
The power sector underpins nearly every other critical national infrastructure (CNI) sector, from nuclear to healthcare to transportation. Given its importance, the wide reach of bulk power systems, and the potential severity of a debilitating blow to the grid, it is the last utility whose cybersecurity should be left incompletely mandated.
However, there’s good news. In January of this year, FERC voted unanimously to move forward with a proposal to develop new internal network security monitoring standards for the Bulk Electric System (BES). Considering the rapid rate of change in today’s threat landscape, it is perhaps no surprise that cybersecurity standards developed one year ago do not completely cover the needs of today.
For that reason, regulatory commissions might want to revisit standards every six months, and organizations involved should have cybersecurity analysts, staff, and C-levels to advise on the best ways to not only comply with the mandates but stay safe when the mandates aren’t enough.
See how ITEGRITI can help you secure your enterprise to the level of federal regulations and beyond.