NERC cybersecurity incident reporting is obscuring the truth
The electric industry is recognized as the most critical of critical infrastructures. Consequently, one would expect that incident reporting would be important and trusted. Unfortunately, this is not occurring, as can be seen from the discrepancies between the DOE OE-417 reporting and the North American Electric Reliability Corporation (NERC) submittal to the Federal Energy Regulatory Commission (FERC).
The utilities are required to alert the DOE within one to six hours after experiencing a cyber event, depending on whether the event interrupts the electric systems or has the potential to impact power system adequacy and reliability. According to the OE-417 report, the term “cyber event” is very broad, and the document contains multiple definitions. As Dragos stated in a 2022 report, “cyber events could relate to any event that causes instability, unrelated to equipment, which may range from a malware infection to change of attenuation to human error.” NERC’s definition of a “cyber incident” has enabled them to obscure the truth about how prevalent control system cyber incidents are in the electric industry.
This is not the first time that NERC has misled Congress, the utilities, and the public on grid cyber security. The President of NERC was threatened with contempt of Congress after lying to Congress a second time on the status of the Aurora vulnerability. NERC Lessons Learned have been carefully written to avoid the term “cyber” despite many of the Lessons Learned cases being cyber-related.
DOE 2022 OE-417 results
The electric industry has requirements for reporting electric disturbance events to DOE for the Electric Emergency Incident and Disturbance Report (Form OE-417). Form OE-417 has been used to collect information furnished by the utilities on electric incidents and emergencies since 2000. The OE-417 reports are not explicitly for cyber incidents and so have to be analyzed further to identify those incidents that are cyber-related. There is some ambiguity in the data collected this way. Many actual control system cyber incidents were not identified as being cyber incidents. Other control system cyber incidents that either did not cause a reliability impact or did not meet the reporting threshold also were not included in the OE-417 data. Reporting incidents with no immediate impact is important due to latent threat capabilities and the risk of future impacts. By sharing “sanitized” incidents, utilities’ OT, IT and engineering staff could become more aware of risk and be better enabled to take appropriate prevention measures.
According to the OE-417 data for 2022, there were 10 cyberattacks and 35 incidents of complete loss of monitoring or control capability at staffed Bulk Electric System control centers for 30 continuous minutes or more. (These were control system cyber incidents, though they weren’t identified in the OE-417 as such. Moreover, those incidents that didn’t meet the reporting threshold were not included, meaning the 35 identified incidents are a very conservative number. Utilities not reporting complete loss of view and control are not meeting the intent of the OE-417 reporting.) These 2022 incidents now make a total of more than 40 successful cyberattacks identified in the OE-417 reports since 2000 and more than 160 complete loss of monitoring or control cases (this category was only established in 2018). The 2022 cyberattacks lasted in some cases more than 4 days. In one case, a cyberattack affected a utility’s multi-state grid operations. In another case, 80,000 customers were impacted by a cyberattack. There were 15 loss-of-view incidents that lasted more than 1 hour, with 2 loss-of-view incidents resulting in 80 MW to almost 250 MW impacts. In one case, not only was there complete loss of monitoring or control capability at the utility’s staffed Bulk Electric System control center, there also was complete loss of Interpersonal Communication and Alternative Interpersonal Communication capability. There now have been seven US cyber-related outages that affected at least 80,000 customers.
NERC report
On March 20, 2023, NERC filed with FERC, in Docket No. RM18-2-000, the “Annual Report of The North American Electric Reliability Corporation on Cyber Security Incidents Between the Dates of January 1, 2022 and December 31, 2022.” NERC CIP-008-6 defines a cyber incident as:
Cyber Security Incident: A malicious act or suspicious event that: (a) for a high or medium impact BES (Bulk Electric System) Cyber System, compromises, or attempts to compromise, (1) an Electronic Security Perimeter, (2) a Physical Security Perimeter, or (3) an Electronic Access Control or Monitoring System; or (b) disrupts or attempts to disrupt the operation of a BES Cyber System.
Reportable Cyber Security Incident: A Cyber Security Incident that has compromised or disrupted: (a) a BES Cyber System that performs one or more reliability tasks of a functional entity; (b) an Electronic Security Perimeter of a high or medium impact BES Cyber System; or (c) an Electronic Access Control or Monitoring System of a high or medium impact BES Cyber System.
Note that “low impact” cyber systems and distribution systems are not included.
NERC report inconsistencies
It is evident that the DOE and NERC CIP reporting requirements are quite different. According to the NERC submittal, Responsible Entities submitted eight CIP-008-6 reports to the E-ISAC. There were no issues identified on the OT Energy Management Systems/Supervisory Control and Data Acquisition (“EMS/SCADA”) network. How is that possible when the OE-417 reports identified 35 cases of complete loss of monitoring or control capability at staffed Bulk Electric System control centers for 30 continuous minutes or more? The NERC report stated that none of the reported Cyber Security Incidents or attempts to compromise successfully compromised a BES Cyber System or affected reliable operations. This is inconsistent with the OE-417 results. NERC stated that a physical security attack was successful in sending a remote command to open a security gate. How is that not considered a cyberattack? Finally, NERC stated there was no evidence that any of the reported incidents were coordinated. Yet the OE-417 data included a cyberattack that affected a utility’s multi-state grid operations.
Ongoing concerns
Former FERC staff have stated repeatedly, off the record and privately, that the utilities and NERC as a common practice simply re-define what constitutes a cyber incident to escape reporting, regulation, liability and even possible credit rating issues. This means the federal electric reliability system of regulation is seriously broken at a time when threats and risks from adversarial nations are increasing steadily.
The Chief of Staff of a former Congressman also stated in a private meeting that the utility industry “doesn’t want to be regulated, aware, responsible or engaged (in cyber hardening).” Congress should mandate in these increasingly risky geopolitical times that FERC have much stronger direct regulatory, oversight and penalty authority over the utility industry and that NERC be re-constituted to be more accountable to national and economic security. This may not be politically palatable, but it is the least our government should do to harden the most critical of all critical infrastructures, especially given the rush to “electrify everything” and the fact that the Secretary of Energy recently stated publicly that adversarial nations already have the capability to take down the US electric grid. These issues were touched on in the March 23, 2023 Senate Energy and Natural Resources Committee hearing on cyber security of the electric grid. However, the inadequacy of grid cyber incident reporting, such as the gap between NERC and DOE, was not directly addressed other than to say that incident sharing was important, which assumes the information shared would be accurate and complete. There was a question at the Senate hearing on “whether there are sleeper cells in our grid.” Robert Lee and Puesh Kumar said they didn’t know. However, in 2014, DHS publicly noted that the Russians had installed BlackEnergy 2 malware in the US grids. Additionally, in 2018, an electronic access point connected to the Internet from a low-impact facility for remotely accessing and operating an electric substation capacitor bank was compromised by unauthorized Internet users for seven months prior to discovery. The IP address and credentials were posted on a Russian-based media site. NERC did not explicitly identify this incident as a cyberattack: because this was a low impact facility, the incident did not meet the requirement for a reportable cyber security incident.
Conclusion and Recommendation
NERC’s reporting system obscures the truth about cyber incidents. By sharing “sanitized” incidents, utilities’ OT, IT and engineering staff could become more aware of risk and be better enabled to take appropriate prevention measures. Consequently, at the very least, FERC should mandate that NERC disclose what is disclosed in the OE-417 reports.