The electric and nuclear industries have required “incident” disclosures for more than 20 years. The other infrastructures either have no incident disclosure requirements or only recently started, such as TSA for pipelines and EPA for water. Given the significant number of documented control system cyber incidents in the other sectors, the electric industry control system cyber security disclosure concerns discussed below apply to all other sectors.
Disclosure considerations
There is a significant gap between the electric industry’s reported control system cyber incidents and the cyber incidents that have actually occurred. The low number of reported grid cyber-related incidents can be attributed to how the electric industry defines a cyber incident. Similar definition concerns apply to other sectors. The exclusion of so many actual control system cyber incidents can have a rippling effect on training, tabletop exercises, the selection of mitigation systems, and most importantly the reliability of the electric grid itself. A look at official definitions of cyber incidents, and the reporting procedures in place for such incidents, shows this gap is real. Additionally, in 2019 FERC tightened the cyber incident disclosure requirements, which limits cyber incident sharing even further. Specifically, FERC Chairman Glick stated “that we must ensure that we are not inadvertently providing information useful to someone seeking to attack critical electric infrastructure. Under the current approach, it is possible that identifying an offending party in a Notice of Penalty (NOP) process might also reveal weaknesses in the entity’s process for protecting critical infrastructure, inadvertently exposing the bulk power system. Consequently, the FERC White Paper proposes that generally NOPs will identify the offending party but omit sensitive information that could expose their systems to exploitation.”
Cyber incident definitions
The U.S. Government Accounting Office (GAO) in GAO-21-477 defines a cyber incident as “an event that jeopardizes the cybersecurity of an information system or the information the system processes, stores, or transmits; or an event that violates security policies, procedures, or acceptable use policies, whether resulting from malicious activity or not. Cyber incidents, including cyberattacks, can damage information technology assets, create losses related to business disruption and theft, release sensitive information, and expose entities to liability from customers, suppliers, employees, and shareholders.”
The North American Electric Reliability Corporation (NERC) defines a cyber incident in Cyber Security – Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 as “A malicious act or suspicious event that:
- For a high or medium impact BES Cyber System, compromises, or attempts to compromise the, (1) an Electronic Security Perimeter, (2) a Physical Security Perimeter, or (3) an Electronic Access Control or Monitoring System; or
- Disrupts, or attempts to disrupt, the operation of a BES Cyber System.
ESP or EACMs that may be defined by an entity for low impact BES Cyber Systems are not part of the definition. An attempt to disrupt the operation of a BES Cyber System is meant to include, among other things, a compromise of a single BES Cyber Asset within a BES Cyber System. For example, the malware discovered on a BES Cyber Asset is an attempt to disrupt the operation of that BES Cyber System.”
The NERC CIP exclusion of field device communications makes the definition less complete, given that one process sensor in a power plant too small to be considered a NERC critical asset can impact the entire Eastern Interconnect (https://www.controlglobal.com/blogs/unfettered/process-sensor-issues-continue-to-be-ignored-and-are-placing-the-country-at-extreme-risk). Additionally, the 2008 Florida outage demonstrated that serial communications can impact the bulk electric grid, yet serial communications are out of scope for the NERC CIPs.
The U.S. Department of Energy (DOE)’s Electric Emergency Incident and Disturbance Report (Form OE-417) collects information from the utilities on electric incidents and emergencies. Electric utilities that operate as Control Area Operators and/or Reliability Authorities, as well as other electric utilities, as appropriate, are required to file OE-417 forms. The form is a mandatory filing whenever an electrical incident or disturbance is large enough to cross reporting thresholds. As such, the OE-417 reports do not distinguish between transmission and distribution assets. Reporting coverage for the Form OE-417 includes all 50 States, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and the U.S. Trust Territories. DOE uses the utilities’ information to fulfill its overall national security and other energy emergency management responsibilities, as well as for analytical purposes.
IT malware incidents such as ransomware that do not affect grid reliability would not fit in the electric incidents and emergencies category for inclusion in the OE-417 reports.
Electric industry cyber incident results
From my database, there have been more than 500 control system cyber-related outages in the US grid with 5 of those incidents affecting more than 96,000 customers. These 5 large outages, which lasted from hours to days, were identified by DOE and NERC, but they were not identified as being cyber-related.
OE-417s started documenting events in 2000. The reporting form was updated and recertified by the Office of Management and Budget in May 2018. The updated version of Form OE-417 incorporates additional questions from the North American Electric Reliability Corporation (NERC) EOP-004 Event Reporting Standard. For NERC reporting entities registered in the United States, NERC has decided that OE-417 meets the submittal requirements for NERC. In response to Chairman Glick, the public version of the OE-417 reports does not provide any specific information that an adversary can use to target the electric grid.
One of the changes in May 2018 was the incorporation of the category: “Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 continuous minutes or more”. Loss of monitoring or control is a cyber incident and can have significant impacts on the reliability of the electric grid. The first incidents in this category were identified in June 2018 and as of February 2022, there have been 150 incidents in this category. These numbers may be conservative as a number of these incidents occurred in multiple utility control centers. None of these 150 incidents were identified in the “Event Type” category as being cyber. According to the OE-417 results, most of these incidents did not result in electric outages. However, at least 11 incidents led to demand losses of at least 80 MW and one case led to 130,000 customers losing power. Our adversaries could be using the approach of compromising monitoring or control to practice for more impactful attacks at a time of their choosing.
OE-417 includes two Event Type categories for cyber – “Cyber event that could potentially impact electric power system adequacy or reliability” and “Cyber event that causes interruptions of electrical system operations”. There have been 39 incidents that fall into these two categories. The first case identified was in 2003. The first case I was aware of occurred in June 2001 when the Chinese cyber attacked CA ISO. However, the Chinese were not successful in reaching the SCADA system, so the incident didn’t reach the threshold of affecting grid reliability and consequently was not listed. Some of the OE-417 cyber incidents involved multiple utilities. In some cases, the utilities were hundreds of miles apart. As an example, one of the cases involved utilities in Texas, Kentucky, Arizona, New Mexico, Oregon, and Washington. Another case included utilities in New Jersey, Pennsylvania, Texas, California, Illinois, and Colorado. One can only wonder what type of cyber incident could affect such far-flung and apparently unrelated utilities.
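The cross-check described in the two paragraphs above, as an added example that is not part of the original article or of any DOE tooling: it counts rows labelled with a cyber Event Type, rows whose criteria report loss of monitoring or control but carry no cyber label, and labelled rows spanning several areas. The column names and the `;` area separator are assumptions about the public summary layout, and every row is constructed.

```python
import csv
import io

# Category wording quoted in the article; matched case-insensitively.
LOSS_OF_CONTROL = "complete loss of monitoring or control capability"

# Constructed rows, not real OE-417 events. Column names, the non-cyber
# Event Type values and the ';' separator are assumed for illustration.
SAMPLE_CSV = """Date Event Began,Area Affected,Alert Criteria,Event Type,Demand Loss (MW),Number of Customers Affected
06/12/2018,State A,Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 continuous minutes or more,System Operations,0,0
09/03/2019,State B,Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 continuous minutes or more,System Operations,95,130000
02/20/2020,State C; State D; State E,,Cyber event that could potentially impact electric power system adequacy or reliability,Unknown,Unknown
07/15/2021,State F,Loss of electric service to more than 50000 customers for 1 hour or more,Severe Weather,400,60000
"""


def to_number(text):
    """Return a float, or None for blank, 'Unknown' or non-numeric cells."""
    try:
        return float(text.replace(",", "").strip())
    except ValueError:
        return None


def review(csv_text, mw_threshold=80):
    """Compare how each row is labelled with what its criteria describe."""
    summary = {"labelled_cyber": 0, "labelled_multi_area": 0,
               "unlabelled_loss_of_control": 0, "unlabelled_with_demand_loss": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        labelled = row["Event Type"].strip().lower().startswith("cyber event")
        lost_control = LOSS_OF_CONTROL in row["Alert Criteria"].lower()
        areas = [a for a in row["Area Affected"].split(";") if a.strip()]
        if labelled:
            summary["labelled_cyber"] += 1
            if len(areas) > 1:
                summary["labelled_multi_area"] += 1
        elif lost_control:
            # Loss of monitoring or control that was not labelled as cyber.
            summary["unlabelled_loss_of_control"] += 1
            mw = to_number(row["Demand Loss (MW)"])
            if mw is not None and mw >= mw_threshold:
                summary["unlabelled_with_demand_loss"] += 1
    return summary


if __name__ == "__main__":
    print(review(SAMPLE_CSV))
```
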
Compare the OE-417 reports to what NERC has been publicly stating: that there have been very few (fewer than 10) cyber incidents over the past 10 years. As mentioned, my database identifies more than 500 control system cyber incidents in the electric industry, many from publicly available sources. To be fair, my database also includes international incidents, though they are a small fraction of my results. The NERC definition that explicitly excludes certain facilities from the cyber incident definition, as well as electric distribution, can help explain why the electric industry, through NERC, is not identifying and addressing these cyber threats. Another example of NERC not identifying incidents as being cyber-related is their Lessons-Learned reports. There have been more than 90 NERC Lessons Learned cases that are cyber-related. However, fewer than 5 have been identified as being a cyber incident. Compare that to the pipeline industry, which reported 220 cyber incidents to TSA within two months of the new TSA Pipeline cyber security requirements, or to the OE-417 listing of 39 cyber incidents.
Other sectors
There is no direct link to cyberattacks. However, the food industry has experienced a strange trend of food processing plant fires (https://timcast.com/news/strange-trend-of-food-processing-plants-fires-manifests-across-the-us/). At least 16 such disasters have taken place at food processing facilities nationwide over the past 2 years. While most of the incidents have shown no foul play after investigation, the Grand Island, Neb. Fire Department concluded that the September 2021 fire at the JBS beef processing facility was caused by a heater in the rendering area of the plant that was near the roof of the building. There was no indication whether the heater had a remote connection. Recall that the JBS ransomware attack occurred at the end of May 2021. Finally, in April 2022, CISA and the FBI issued warnings to the food and agriculture sector about possible ransomware attacks (https://www.ic3.gov/Media/News/2022/220420-2.pdf). I want to reiterate that my concerns are not ransomware but cyberattacks causing physical damage.
Recommendations
- The utility industry needs to address all control system cyber incidents that could affect the reliability of the grid whether from malicious activity or not. From the NERC Lessons Learned, OE-417, and my unclassified data, hundreds of control system cyber incidents are not being identified or disclosed.
- There is a need to provide selected unclassified information on control system cyber incidents to allow the industry to better understand the threat. This can be done without divulging information that our adversaries could use to compromise the grid. Restricting information flow and restricting the assets that are in scope for disclosure is not helping secure the grid as our adversaries could be practicing for more impactful attacks at a time of their choosing.
- Extend incident disclosure requirements to other sectors.
Joe Weiss