Today energy leaders face the vital challenge of balancing energy transition and security. Contrary to what many might believe, sustainability and security are not competing imperatives but complementary. Sustainability and security must be core characteristics of the future energy system, and FERC realizes that. The world can only achieve energy transition with solutions that address both simultaneously. While sustainability remains top of mind for leaders, the real emphasis is strengthening the security of energy systems.
Energy security is a top priority
The energy security challenges we face today are not those of the past. New approaches are needed to deal with digitally connected energy assets and systems, extended supply chains, and emerging technologies at scale.
The future of energy is decentralized, digitalized, and collaborative – and runs on smart grids that are reactive and flexible. Over the coming decades, customers will increasingly adopt intelligent energy devices, from smart lighting and thermostats to smart meters and rooftop solar photovoltaics. These distributed energy resources (DER) offer more choices and control over energy consumption, encourage clean energy practices to combat climate change, and provide resilience.
Intelligent and digitized energy assets offer many benefits, but they are vulnerable to new forms of attack. The energy sector accounts for 16% of all detected cyber-attacks. The energy industry is the third most targeted industry by cybercriminals. Emergency response, incident reporting, and system design improvements are needed in response to this elevated threat level.
Cybersecurity considerations for the US energy sector
The Department of Energy (DOE) has drafted a report highlighting cybersecurity considerations for the energy sector with the introduction of DER. These trends can be summarized in the following points:
Cyber-attacks against the grid supply
If a cyberattack could affect thousands or more DER or the overarching systems controlling DER, it would create availability and reliability concerns. Potential attack vectors for DER and the US energy grid are ransomware, supply-chain compromise, botnets, and DER worms.
Exploitation of Operational Technology (OT)
Another trend is attackers exploiting and targeting OT systems. The examples of Ukraine and TRITON in the recent past are fine demonstrations of the impact of such attacks. Traditional attack vectors, such as poor data security and access controls, are relevant to new grid technologies. In addition, DER present new threat opportunities and will challenge traditional cybersecurity postures through their administration by many different parties.
Implied trust and attacker innovation
Today, an implied trust relationship is typical for electric power control systems communications. For industrial systems to talk to one another, they must trust each other to provide accurate information and commands. Attackers who have inserted themselves into this trust relationship can poison these systems, causing them to act counter to reliability and resilience requirements.
There are better models than implied trust relationships for DER systems. The sheer scale of DER deployment, the wide range of communications options, and the level of access required by various stakeholders underline that implied trust is not a resilient option for DER.
FERC looks at moving energy security closer to zero trust
Implied trust is a big concern for FERC. Under the existing NERC CIP reliability standards, network security is focused on defending the security perimeter. Hence, FERC is seeking to address mounting concerns that the current standards do not address potential vulnerabilities of internal networks to cyber threats.
For this reason, FERC has proposed new security requirements for high- and medium-impact bulk electric system (BES) facilities. The proposal would require these facilities to “maintain visibility over communications between networked devices.” More specifically, FERC has directed NERC to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for the CIP-networked environments.
INSM provides constant visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. Additionally, INSM allows for early detection of abnormal network activity, indicating a potential attack and increasing the chances for quick mitigation and recovery.
INSM addresses situations where vendors or individuals with authorized access who are considered trustworthy might still introduce a cybersecurity risk. For example, the SolarWinds attack in 2020 demonstrated how an attacker could bypass the network perimeter-based security controls that are relied on to identify and thwart attacks. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations.
FERC said incorporating INSM requirements into the CIP Reliability Standards would help utilities maintain visibility over network communications. Utilities can detect an attacker’s presence and movements and act before the attacker can fully compromise the network. INSM also improves vulnerability assessments and recovery from an attack.
The new or modified CIP reliability standards will be forward-looking and objective-based and address three security objectives that pertain to INSM:
- Develop baselines of network traffic inside the CIP-networked environment.
- Monitor and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment.
- Identify anomalous activity to a high level of confidence by logging network traffic, maintaining logs and other data collected regarding network traffic, and implementing measures to minimize the likelihood of an attacker removing the evidence of their tactics, techniques, and procedures (TTPs) from compromised devices.
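The three objectives above can be sketched together in a few lines. This is an added example, not code from FERC, NERC or ITEGRITI; the flow records, addresses and function names are constructed for illustration, and the hash chain is one possible way to make log tampering detectable, not a method the proposal prescribes.

```python
import hashlib
import json

# Constructed flow records (src, dst, proto, dst_port) for a hypothetical OT segment.
BASELINE_FLOWS = [("10.10.1.5", "10.10.1.20", "tcp", 20000),   # HMI -> RTU (DNP3)
                  ("10.10.1.5", "10.10.1.21", "tcp", 502)]     # HMI -> PLC (Modbus/TCP)
OBSERVED_FLOWS = [("10.10.1.5", "10.10.1.20", "tcp", 20000),   # matches baseline
                  ("10.10.1.21", "10.10.1.20", "tcp", 445),    # known hosts, new path
                  ("10.10.1.99", "10.10.1.20", "tcp", 20000)]  # device never seen
GENESIS = "0" * 64

def build_baseline(flows):
    """Objective 1: record known devices and normal conversations."""
    devices = {ip for src, dst, _, _ in flows for ip in (src, dst)}
    return {"devices": devices, "flows": set(flows)}

def classify(flow, baseline):
    """Objective 2: flag devices and connections absent from the baseline."""
    unknown = sorted({flow[0], flow[1]} - baseline["devices"])
    if unknown:
        return "unknown_device", unknown
    return ("baseline" if flow in baseline["flows"] else "new_connection"), []

def _digest(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def monitor(observed, baseline):
    """Objective 3: log every verdict in a hash chain so edits are detectable."""
    log, prev = [], GENESIS
    for flow in observed:
        verdict, unknown = classify(flow, baseline)
        record = {"flow": list(flow), "verdict": verdict, "unknown": unknown}
        log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
        prev = log[-1]["hash"]
    return log

def verify_chain(log):
    """Recompute the chain; an edited entry or a gap in the sequence breaks it."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True
```

A chain like this does not reveal entries trimmed from the end of the log, so the latest hash has to be copied to a system the monitored devices cannot write to.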
FERC explained that NERC might, in the future, extend INSM to medium and low-impact bulk electric cyber systems with no broadband access. Hence, FERC tasked NERC to study the risks posed by the lack of INSM and the feasibility of implementing INSM at these facilities. FERC directed NERC to submit the new standards for approval within 15 months and submit its report on medium and low-impact bulk electric system cyber systems with no broadband access within 12 months.