{"id":3421,"date":"2022-05-24T13:41:04","date_gmt":"2022-05-24T13:41:04","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=3421"},"modified":"2022-09-12T10:07:35","modified_gmt":"2022-09-12T10:07:35","slug":"are-the-2021-ferc-mandates-sufficient-or-a-risk-to-the-bulk-power-system","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2022\/compliance\/are-the-2021-ferc-mandates-sufficient-or-a-risk-to-the-bulk-power-system\/","title":{"rendered":"Are the 2021 FERC Mandates Sufficient or a Risk to the Bulk Power System?"},"content":{"rendered":"

There is little debate as to if the 2021 FERC mandates moved mandatory cybersecurity posture in a good direction. But during the compliance screenings, many companies inspected were using more than the mandate requires. That begs the question – should some of these frequently seen practices become a future mandate? Can the energy sector, a critical national infrastructure component, afford weak links? And how often should we be re-visiting these mandates in light of increased threat actor activity?<\/p>\n

So, what are the cyber threats facing the energy sector, and what are the best practices power companies can employ to keep them off the grid?<\/p>\n

The global power supply is under cyberattack<\/strong><\/h2>\n

\u201c<\/strong>Threats to industrial cyber security are becoming more common, complex, and creative,\u201d states Trond Solberg<\/a>, Managing Director, Cyber Security DNV. \u201cIn 2020, a staggering 90 percent of\u00a0companies in the\u00a0manufacturing, energy and utilities, healthcare, and transportation sectors\u00a0suffered an attack on\u00a0the computing systems\u00a0managing their\u00a0operations.\u201d<\/p>\n

Said<\/a> Rep. Stephen F. Lynch, Chairman of the Subcommittee on National Security, in a hearing<\/a> to examine the cybersecurity of the U.S. electrical grid, \u201cThe electrical grid is… a priority target for state and non-state cyber adversaries.\u00a0 A successful attack on the electric grid could have devastating consequences for U.S. national security and economic interests.\u201d Remember Colonial Pipeline?<\/a> Now, the US braces for cyberattacks targeting the grid as Russia makes its threat presence known<\/a>, both with warning shots and blatant attacks already being launched<\/a> in Ukraine. Problems are proliferating across the pond as well.\u00a0 According to one industry report<\/a>, the energy sector was the highest-risk group in the UK for cyberattacks in 2021.<\/p>\n

So what do C-levels think about all this? New research<\/a> published by DNV noted that \u201cenergy executives anticipate life, property, and environment-compromising cyber-attacks on the sector within the next two years.\u201d It went on to state that \u201c84% expect physical damage to assets and 57% anticipate the loss of life.\u201d Fewer than a third are confident they\u2019d know \u201cexactly what to do\u201d to address a specific cyber concern, but only 44% of C-suites interviewed see a need for urgent improvements. The report put matters succinctly when it stated \u201cdefensive action appears to lag.\u201d<\/p>\n

NERC 2021 updated cybersecurity standards<\/strong><\/h2>\n

However the private sector may be responding, we do see a concerted effort being made on the part of energy regulatory commissions \u2013 which should be the biggest warning of all. And, with all the progress<\/a> that\u2019s been made to date, there\u2019s even more needed.<\/p>\n

Last year, the North American Electric Reliability Corporation (NERC) updated its industry-wide cybersecurity standards. However, there\u2019s still more to do. Says the Energy & Climate council<\/a>, \u201cThe report indicated that there are numerous practices that are not required that would improve security\u2014highlighting that the existing standards do not comprehensively protect bulk power operators from cyber threats.\u201d<\/p>\n

The bulk power system or bulk electric system (BES) is a \u201clarge, interconnected electrical system including generation and transmission facilities\u201d and falls under the jurisdiction of the Federal Energy Regulatory Commission (FERC), which is in turn under NERC. Why are they under federal auspices? Because they\u2019re the big guys. Bulk power systems don\u2019t deal with local energy distribution. Instead, they deal with keeping the lights on for other critical infrastructure (and private sector) organizations that are central to making a city- or a state-run.<\/p>\n

Since NERC\u2019s 2021 cybersecurity updates didn\u2019t extend to fully protect them, FERC\u2019s audit report<\/a> recommended electrical grid operators build out policies to address those gaps.<\/p>\n

Cybersecurity challenges and what to watch in 2022<\/strong><\/h2>\n

The need for additional security for bulk power systems becomes self-evident when you consider the challenges the sector is (and is projected to be) up against. Let\u2019s start with the basics. The US electric sector faces some unique (and some not-so-unique) cybersecurity challenges:<\/a><\/p>\n

    \n
  1. \u201cRansomware Attacks and Incident Response<\/li>\n
  2. Identity and Access Management Inefficiencies<\/li>\n
  3. Incomplete Integration of Systems<\/li>\n
  4. FERC, NERC, and State and Federal Compliance Requirements<\/li>\n
  5. Supply Chain Risks\u201d<\/li>\n<\/ol>\n

    Additionally, they\u2019re also at the mercy of recent cybercrime trends set to hit this year, as predicted by Dark Reading<\/a>. Here are three.<\/p>\n