There are many reasons that prevent the electric grid from being cyber secure. Moreover, some of these issues can directly facilitate cyber attacks on the electric grid. They include:
Supply chain issues that resulted in Presidential Executive Order 13920
NERC CIP standards that ignore the reliable and safe operation of the grid
Technology issues such as lack of secure and authenticated process sensors
Lack of control system cyber security training for the engineers
Lack of control system cyber forensics below the IP layer
Culture and silos preventing engineering and security from working together
Sensitive grid information is openly available
That last point deserves some discussion. I have written extensively about all of the above except for the issue of sensitive information being readily available.
I received an interesting response to my blog – https://www.controlglobal.com/blogs/unfettered/are-we-seeing-the-beginning-of-an-awareness-of-physics-issues-in-power-grid-security-and-reliability/. The blog demonstrated silos continue to exist between the engineering and cyber security communities and that these silos can directly affect the cyber integrity of the electric grid. In this case, the researcher was on the engineering side, responsible for a key grid monitoring system. The grid monitoring system uses a type of phasor measurement unit (PMU) known as a Frequency Disturbance Recorder (FDR), the FNET (Frequency Monitoring Network)/GridEye to measure the power system frequency, voltage, and angle very accurately. GridEye daily detects and records all the fluctuations in grid frequencies not only in the United States but also in many other countries. These measurements can then be used to study various power system phenomena. This enables operators to have the situational awareness to catch early signs of abnormal trends so they can act more quickly to restore stability to the power system. The Mobile Universal Grid Analyzer enables utility operators to monitor the grid in the field using smart phones and tablets. However, this information is sent in the clear which gives adversaries snapshots of electrical health to help keep their attack plans current.
My colleague, Mike Swearingen posted a blog May 25, 2020 on Linked-in: “Grid Cyber Security Information in Plain Sight the Enemy Knows Our True Situation”. Information such as demand peaks, generation capacity, protection equipment, transmission grid congestion, protection equipment misoperations, large scale electric disturbance events and generation and transmission plans provide an opportunity to create a plan of attack for bad actors. The first reaction to the possibility of obtaining this kind of information would be that the information is probably not readily or easily accessible, however, this information unfortunately is easy to obtain. This information can be found in NERC’s State of Reliability Reports, Long Term Reliability Assessment and DOE’s OE-417 reports. While utilities’ names are not divulged in the NERC reports it can be cross-referenced with other information such as the DOE, RTO and ISO reports to pinpoint potential areas of weakness in the electric grid. The DOE OE-417 reports provide information on large scale outages and the reported cause of those outages which can be cross- referenced with RTO and ISO system improvement studies to determine if potential upgrades have occurred to correct the issues and if not corrected when the upgrades are planned to be completed. Information such as demand peaks, generation capacity and transmission grid congestion can be found in reports such as the DOE Annual U.S. Transmission Data Review, DOE National Electric Transmission Congestion Study and RTO’s and ISO’s Transmission Expansion Reports. The information in these reports provides transmission historical and future loading data, generation current and future capacity, and areas of transmission congestion susceptible to overloading. Some of these reports provide the locations of transmission congestion, transmission construction and future generation facilities. This information does not provide the whole picture needed to compromise the electric grid but it does include the key building blocks. This information can be combined with other information that can provide corroborating information to exploit the grid for maximum impact. Additional information such as HVDC Tie Station locations can be found in a simple Internet search. These locations can be used to find aerial views of the stations themselves on apps such as Google Earth™.
The NERC Lessons Learned reports are also publicly available. These case histories provide details of incidents as well as recommendations for lessons learned. Unfortunately, the Lessons Learned infrequently categorize an incident as being cyber-related. Consequently, the utilities don’t consider these incidents as being important for cyber security. However, many of these incidents are obviously cyber incidents whether malicious or unintentional. Adversaries can design their attacks accordingly realizing that the utilities may not be looking as they were not identified as being cyber. Ironically, the NERC CIPS do address making “critical” information publicly available. The NERC CIP process has penalized utilities for making certain information publicly available.
Finally, there is significant grid information available from grid and power plant conferences, grid and power plant periodicals, and vendor websites that can be used to target the grid.
What is being done to eliminate the silos between engineering and cyber security communities? This gap also is impacting NERC as the Reliability organization that understands grid operations does not address cyber security while the NERC CIP Committee addresses cyber security but generally does not have operational experts.
Critical grid information is publicly available. When is the risk of disclosure to bad actors outweighed by the safety and security benefits of information sharing? Where would one draw the line to determine what should be publicly available?
Joe Weiss