www.utilitydive.com (2606:4700::6812:6bb)

Submitted URL: https://link.utilitydive.com/click/31869302.1689/aHR0cHM6Ly93d3cudXRpbGl0eWRpdmUuY29tL3RyZW5kbGluZS9jeWJlcnNlY3VyaXR5Lzc2Lz91...
Effective URL: https://www.utilitydive.com/trendline/cybersecurity/76/?utm_source=CSD&utm_medium=Library&utm_campaign=OperantNetworks&utm_t...
Submission: On June 26 via manual from MX — Scanned from DE

Trendline


CYBERSECURITY OF THE GRID



NOTE FROM THE EDITOR

Cyber threats to the U.S. power sector continue to grow, and the rise of
distributed energy resources creates a larger attack surface.

The White House, federal agencies and the North American Electric Reliability
Corp. have taken a number of recent actions to address those threats and drive
new actions by electric utilities and others.

For their part, power companies are examining their security culture, among
other measures, while analysts have stressed the importance of implementing new
cybersecurity architectures.

The following trendline examines various threats, responses and challenges in
the ever-expanding “cat-and-mouse game” of cybersecurity.

Larry Pearl, Senior Editor
 * New power system cybersecurity architectures can be ‘vaults’ against
   insider attacks, analysts say. By: Herman K. Trabish
 * FERC approves incentive framework for voluntary cybersecurity investments.
   By: Ethan Howland
 * New CIP 003-9 is coming – are you ready? Sponsored content by Operant
   Networks
 * New White House cyber strategy could drive utility costs higher, warns
   security expert. By: Robert Walton
 * Hackers are ‘increasingly bold,’ NERC warns, as Dragos report identifies new
   grid threats. By: Robert Walton
 * As CISA chief notes lack of Russian cyberattacks against US, experts focus
   on enhancing nuclear reactor security. By: Robert Walton
 * NRC issues first update of 2010 regulatory guide to strengthen cybersecurity
   at nuclear plants. By: Stephen Singer
 * Substation attacks may lead to new energy security rules in 2023, experts
   say. By: Robert Walton
 * Putin-focused and other hacks of charging stations drive new cybersecurity
   steps for an EV boom. By: Herman K. Trabish
 * NERC warns of cybersecurity, reliability risks as it outlines strategy for
   adding tens of gigawatts of DER. By: Robert Walton
 * Department of Energy rethinks cyber resilience in strategy to secure the
   grid. By: David Jones




NEW POWER SYSTEM CYBERSECURITY ARCHITECTURES CAN BE ‘VAULTS’ AGAINST INSIDER
ATTACKS, ANALYSTS SAY

Layered, automated, deep defenses for growing distribution system
vulnerabilities will be tested by an NREL-private partnership.

By: Herman K. Trabish • Published Feb. 17, 2023

New utility cybersecurity strategies are needed to counter sophisticated
intrusions now threatening the operations of an increasingly distributed power
system’s widening attack surface, security analysts agree.

There are cyber vulnerabilities in “every piece of hardware and software” being
added to the power system, the Cybersecurity and Infrastructure Security Agency,
or CISA, reported in its September 2022 Strategic Plan 2023-25 for U.S.
cybersecurity. Yet in 2022 U.S. utilities proposed $29.22 billion for hardware-
and software-dependent modernizations, the North Carolina Clean Energy
Technology Center reported Feb. 1.

New hardware and software can give malicious actors insider access, through
utilities’ firewalled internet technology, to vital operations technology, cyber
analysts said.

“No amount of traditional security will block the insider threat to critical
infrastructure,” said Erfan Ibrahim, CEO and founder of independent
cybersecurity consultant The Bit Bazaar. “The mindset of trusted versus
untrusted users must be replaced with a new zero trust paradigm with multiple
levels of authentication and monitoring,” he added.

Growing “distribution system entry points” make “keeping hackers away from
operations infrastructure almost unworkable,” agreed CEO Duncan Greatwood of
cybersecurity provider Xage. But distributed resources can provide “resilience”
if a distributed cybersecurity architecture “mirrors” the structure of the
distribution system where they are growing to “contain and isolate intrusions
before they spread to operations,” he said.

New multi-level cybersecurity designs can provide both rapid automated
distributed protections for distributed resources and layers of protections for
core assets, cybersecurity providers said. But the new strategies remain at the
concept stage and many utilities remain unwilling to take on the costs and
complexities of cybersecurity modernization, analysts said.


THE THREAT

Critical infrastructure is already vulnerable to insider attacks.

The 2021 Colonial Pipeline shutdown started with a leaked password, according to
public reports. A 2019-2020 attack known as SUNBURST and directed against U.S.
online corporate and government networks went through SolarWinds and other
software vendors, CISA acknowledged. And Russia’s 2015 shutdown of Ukraine’s
power system was through authenticated credentials, likely using emails, CISA
also reported.

In 2021, there were ransomware attacks on 14 of the 16 U.S. “critical
infrastructure” sectors, including the energy sector, the FBI reported. And new
vulnerabilities allowed attacks that also caused data losses, disrupted network
traffic, and even denial-of-service shutdowns, according to technological and
research firm Gartner.

Attacks on utility OT can come through distributed solar, wind and storage
installations, employee internet accounts, smart home devices, or electric
vehicles, Gartner, other analysts, and the May 2021 Biden executive order
requiring improved power system cybersecurity agreed.

Existing Critical Infrastructure Protection, or CIP, Reliability Standards
established by the North American Electric Reliability Corporation, or NERC, are
inadequate, a January 2022 Notice of Proposed Rulemaking from the Federal Energy
Regulatory Commission said. They focus only on defending the “security perimeter
of networks,” the commission said.

“Vendors or individuals with authorized access that are considered trustworthy
might still introduce a cybersecurity risk,” the rulemaking said. The RM22-3-000
proceeding will provide direction on how to update CIP standards to better
protect utilities, federal regulators added.

The most recent Biden administration and FERC initiatives focused on the power
sector, though utilities and system operators declined to reveal information
about vulnerabilities or actual attacks.

There were an “all-time high” 20,175 new OT vulnerabilities in U.S. networks
identified by cybersecurity analysts in 2021, according to a 2022 assessment by
cybersecurity provider Skybox Security. And faster and more frequent
exploitation of new vulnerabilities in 2021 showed “cyber-criminals are now
moving to capitalize on new weaknesses,” it added.

A December 2021 CISA Emergency Directive recognized exploitation of a
vulnerability in the Apache Log4j tool, which records and scans almost all
communications between online systems, the Wall Street Journal reported at the
time. Downloaded millions of times, the tool could allow attackers to send and
execute malicious code, and the flaw is unlikely to be “fully ‘fixed’ for
years,” cybersecurity specialist Wei Chieh Lim blogged in May 2022.

The Log4j vulnerability “was so trivial it was first exploited by Minecraft
gamers,” showing utilities could be unaware of “hundreds, if not thousands, of
vulnerabilities,” said CEO Tony Turner of cybersecurity provider Opswright.

A software bill of materials, or SBOM — an inventory of all system components
— could be a solution to vulnerabilities like Log4j, cyber analysts said.

SBOMs were mandated by the May 2021 Biden executive order. And SBOM best
practices and minimum requirements were added in a July 2021 National
Telecommunications and Information Administration report. But SBOMs “are only
one element” in the needed cybersecurity rethinking, consultant and provider
Ibrahim said.

Internet technology began with firewalls and outward-facing defenses, but new
distributed power systems make penetrations into the outer layers of networks
almost inevitable, Ibrahim and other cybersecurity analysts said. Only a
multi-faceted cybersecurity architecture throughout a utility’s operations can
protect both OT’s new distributed attack surface and its vital operational core,
many agreed.



Figure: Homeland Security. (2016). “Defense-In-Depth Strategies” [jpeg].
Retrieved from Homeland Security.


CONCEPTUAL SOLUTIONS

The most common utility cybersecurity approach is compliance with NERC CIP
standards, and possibly with narrower International Society of Automation, or
ISA, 62443 standards, Opswright’s Turner said. But the NERC CIP standards are
being reformed and ISA standards “are narrowly focused on vulnerabilities in
automation and control systems,” Turner said.

A new Department of Energy “cyber-informed engineering” initiative may offer
better cybersecurity for critical infrastructure, Turner said. It proposes to
“engineer out” risk “from the earliest possible phase of design” of the OT
system’s cyber-defense, which is “the most optimal time to introduce both low
cost and effective cybersecurity,” DOE’s paper said.

Utilities need to “close the gap” between IT and OT systems, said Skybox’s
Senior Technical Director David Anteliz. But the “complexity of multi-vendor
technologies” and “disjointed architectures across IT and OT” increase security
risk, as do increased accesses by third parties for which “less than half” of
utilities have policies, a Skybox November 2021 survey found.

“I can guarantee you there are people doing things in the background at
utilities now,” Anteliz said. “Skybox’s answer is automation of defense-in-depth
and layered architecture, which provides ongoing monitoring, visibility,
understanding and response to what needs to be secured and where,” he added.

Segmentation in the design can isolate utility control rooms and make them
“vaults,” Skybox’s 2022 vulnerability trends paper said. And automated
aggregation of data and system information from “every corner of the network”
can inform automated reactions and provide “ongoing oversight” that allows
utilities to move “from reaction to prevention,” it added.

Other cybersecurity analysts have designed detailed zero trust and
defense-in-depth conceptual architectures that can be applied to the U.S. power
sector.

The first of “four functional levels of security” is basic “network hygiene”:
establishing user access rules and priority lists, use cases, and necessary
transactions, the Bit Bazaar’s Ibrahim said. Properly applied, these rules limit
interactions “to those who need to transact,” he said.

The second level is a “signature-based intrusion detection system,” or IDS,
which automates the established priority lists to limit accesses to
“authenticated users and a valid use case,” he said. The third level is a
“context-based” IDS, which expands on the access limitations by “blocking or
flagging” inadequately authenticated transactions, Ibrahim said.

Those IDSs operate “in stealth mode,” unseen even by insiders, but every network
session is monitored, and any “departure from normal transactions and rules”
terminates the session, he said. Utility security incident and event
management systems detect and analyze all transactions, and respond to and
report those questioned or terminated, Ibrahim said.

The fourth level, “endpoint security,” is overseen by automated “hypervisor”
software and has three layers of protection, Ibrahim said. An intrusion may
“corrupt” target applications, but the “endpoint hardware” will be protected by
the hypervisor and a “last gasp message” may allow a network edge mesh or
network core defenses to avoid a “cascading” OT network failure, he added.

Mesh “is a collaborative ecosystem of tools and controls” to protect a power
system’s expanding perimeter of distributed resources and vulnerable third-party
devices, according to Gartner. Its “distributed security tools” offer “enhanced
capabilities for detection” and “more efficient responses” to intrusions,
Gartner added.

Mesh cannot eliminate insiders with “legitimate credentials,” which is why
utility hardware- and software-dependent system modernizations “should have
multi-layer defenses and every line of new code checked,” Ibrahim said. But “if
a system is compromised at its edge, like at the level of smart meters or EV
chargers, mesh can respond to avoid the compromise spreading,” he said.

These conceptual architectures “can increase situational awareness and control,”
but most utilities are still focused on complying with NERC CIP standards to
avoid fines, Opswright’s Turner said. Many utilities argue that designed
cyber-defense “complexities can slow and confuse system monitoring and
responses,” and that the increased security does not justify the cost, he added.

It is, however, “not clear there is a better choice,” because firewalling the
coming power system’s potentially millions of distributed devices “is not
practical,” he said.

A hierarchical zero trust architecture with a firewalled core, a monitored
middle layer of gateways protecting operations and a mesh at the network’s edge
is the emerging consensus solution to comprehensive OT system security, Turner,
Ibrahim and others agreed.

But attacks are proliferating despite federal directives and mandates and
proposed provider concepts, showing more work is needed, cyber-experts and power
system stakeholders agreed.



Figure: (2021). “NREL’s Cyber Range.” Retrieved from NREL.


A UTILITY-SPONSORED CYBERSECURITY SANDBOX

Work continues in the public and private sectors to develop zero-trust tools and
technologies that will enable the conceptual architectures to better defend OT
for the electric power and other sectors.

The Clean Energy Cybersecurity Accelerator, or CECA, program from DOE’s National
Renewable Energy Laboratory, launched in December, is a “sandbox” for innovative
cybersecurity pilot projects. It will deploy and test strategies for addressing
new power system vulnerabilities introduced by clean energy technologies, the
CECA website said.

“U.S. critical infrastructure is increasingly targeted by adversaries,” Jonathan
White, director of NREL’s Cybersecurity Research Program, told a January 17 CECA
planning webinar. Solutions, funded by the program’s utility sponsors, which
include Duke Energy, Xcel Energy and Berkshire Hathaway, or BHE, will be
assessed using NREL’s Advanced Research on Integrated Energy Systems “Cyber
Range,” NREL scientists told the webinar.

The Cyber Range is NREL’s proprietary, up-to-20 MW renewables-powered system
integrated with distributed resources like electric vehicles and batteries and
built for testing innovative technologies, according to NREL. First CECA
demonstrations will test Xage, Blue Ridge Networks and Sierra Nevada Corp. cyber
defense approaches.

BHE wants to leverage NREL’s “rigorous testing,” to find “technical solutions”
and effective “fast-track technologies” to improve cyber defenses, BHE
Spokesperson Jessi Strawn said.

CECA will allow utilities and solution providers to “stress-test disruptive
security technologies,” and give “defenders” an opportunity to “get ahead of
threat actors,” added a statement from BHE Director of Security and Resilience
Jeffrey Baumgartner.

Duke Energy is “regularly approached by vendors who have innovative
technologies” and CECA is a way to “test them in a non-live environment,” said
Duke spokesperson Caroline Portillo. The opportunity is especially valuable
because the tests will be “at scale in a sandbox environment,” and will be
followed by technical performance assessments by participating sponsor
utilities, she added.

Results of initial tests for authenticating and authorizing distributed energy
resources integrated into OT environments “will be critical” as Duke and other
utilities add those resources, Portillo said.

“The point of the NREL program is to build a neutral ground for solution
providers and utilities to collaborate on OT cybersecurity innovations,” said
Xage CEO Greatwood. “Tech companies have been frustrated by the stately pace of
change in the utility business,” he added.

But if “end user utilities engage” in CECA, “tech companies will gain [an]
understanding of their needs” and utilities can “obtain technical validation” of
solutions, he added. “Xage already has utility customers,” but this is a chance
for it to demonstrate how an automated, widely-present mesh defense like Xage
Fabric works “in a zero trust cybersecurity architecture for OT environments,”
Greatwood said.

A system “is only as secure as its weakest link” and “the weakest link in power
systems with millions of distributed resources is not very secure because it
offers a lot of entry points for attackers,” he said. “Mesh architecture mirrors
the distributed physical architecture” and “can recognize and isolate, or at
least control,” intruders without proper authorization and authentication,
Greatwood added.

The power system environment “is evolving” toward “growing network,
infrastructure and architectural complexity,” and “vulnerabilities will
persist,” Gartner observed in January 2022.

But those vulnerabilities must be addressed because limiting “access to critical
systems can be the greatest impediment to cyber breaches,” Ibrahim said.
Building the best protections “may take time, money and a change in management
processes, but those are small costs compared to the billions that can be lost
from a successful intrusion,” he added.

Article top image credit: Techa Tungateja via Getty Images



FERC APPROVES INCENTIVE FRAMEWORK FOR VOLUNTARY CYBERSECURITY INVESTMENTS

In the final rule, the federal agency dropped a proposed 2% return on equity
from the incentives utilities can get for certain cyber investments.

By: Ethan Howland • Published April 24, 2023

Utilities will be able to receive financial incentives for making certain
cybersecurity investments and taking part in threat information sharing programs
under a decision released April 21 by the Federal Energy Regulatory Commission.

The rule, approved 3-1, was required by the Infrastructure Investment and Jobs
Act. It largely tracks a proposal issued in September, but the commission
dropped a proposed 2% return on equity adder that was supported by
investor-owned utilities.

“We must continue to build upon the mandatory framework of our cybersecurity
reliability standards with efforts such as this to encourage utilities to
proactively make additional cybersecurity investments in their systems,” FERC
Acting Chairman Willie Phillips said in a statement.

Eligible cybersecurity investments include a list of pre-qualified investments
that FERC expects to periodically update.

The initial pre-qualified list has two measures: expenditures associated with
participating in the Department of Energy’s Cybersecurity Risk Information
Sharing Program and expenditures related to internal network security monitoring
within a utility’s cyber systems.

FERC will also consider incentives for investments case-by-case, allowing
utilities to request incentives for tailored solutions, the agency said.

Utilities can also seek incentives for early compliance with new cybersecurity
reliability standards.

Under the rule, utilities may defer expenses and include the unamortized portion
in their rate bases, according to FERC. Approved incentives, with certain
exceptions, will remain in effect for up to five years from the date expenses
were incurred, provided that the investments remain voluntary, the agency said.

FERC will only grant the incentives to cyber investments that materially improve
cybersecurity and are not required by the North American Electric Reliability
Corp.’s Critical Infrastructure Protection reliability standards or by law.

FERC Commissioner James Danly dissented, saying the rules are too narrow as they
don’t apply to utilities that sell power at market-based rates. There were about
2,500 market-based rate sellers in 2019, according to Danly.

Danly also objected to the requirement that utilities show their investments or
participation in an information sharing program “materially improve” their
cybersecurity.

In other cybersecurity actions, on March 16 FERC approved a new cybersecurity
standard extending supply chain risk management requirements to “low-impact”
bulk electric system cyber systems.

A coordinated attack on multiple low-impact assets with remote electronic access
connectivity could have an interconnection-wide effect on the bulk power system,
according to a 2019 supply chain risk assessment by the North American Electric
Reliability Corp., FERC said in its decision.

“The vast majority of [bulk electric system] assets today are considered
low-impact and that number is only expected to grow,” FERC Acting Chairman
Willie Phillips said in a statement. “To not protect these [bulk electric
system] assets against one of the most frequent attack scenarios — supply chain
— would be a big mistake.”

The standard requires owners, operators and users of the bulk power system to
include the topic of “vendor electronic remote access security controls” in
their cybersecurity policies. The standard also requires that they can disable
vendor electronic remote access and can detect malicious communications through
a vendor’s remote access.

As part of its cybersecurity standards, NERC requires “responsible entities” to
characterize their assets, such as control centers, power plants and
transmission facilities, as being of high-, medium- and low-impact.

The standard takes effect April 1, 2026.

The three-year delay in the start date reflects “consideration that there are a
large number of low impact [bulk electric system] cyber systems and that
responsible entities need time to procure and install equipment that may be
subject to delays given high demand,” FERC said.

FERC and NERC have been tackling supply chain risks since 2016, Phillips said
during the agency’s monthly meeting March 16.

“This order is the latest product of our joint cybersecurity efforts with NERC
and stakeholders in support of the reliable operation of the bulk power system,”
he said. “We must continue to focus on cybersecurity, physical security, extreme
weather events, and the rapidly changing resource mix.”

Article top image credit: Digital Vision. via Getty Images


NEW CIP 003-9 IS COMING – ARE YOU READY?


Sponsored content
By Operant Networks

It’s traditional to start any security-related article with scary news of the
latest cyber breach such as the Colonial Pipeline ransomware attack of 2021.
Most of us know that network security is both critical and getting more and more
complicated. Like diet and exercise, we get that it’s important, but that
doesn’t always translate into action.

The North American Electric Reliability Corporation’s Critical Infrastructure
Protection (NERC-CIP) standards are designed to protect the bulk electric system
in North America from cyber and physical security threats. The larger a
generation plant is, the more disruptive an attack on it could be to the
stability of the grid, and therefore the more stringent the standards are that
apply to it. The electric power industry is accustomed to big plants (>1,500 MW)
having mountains of paperwork and intensive audits to go through. However, as
smaller sites such as solar and wind installations proliferate, their potential
to disrupt the grid is increasing.
NERC-CIP standards to apply is 75 MW (low impact sites in CIP-speak), but it
seems possible that this will drop down to around 20 MW, significantly
increasing the number of sites that would need to comply.

NERC-CIP regulations get criticized for being too broad and shallow, or for
being outdated, but they are consistently audited and enforced, making things
happen that should have been happening anyway. One example is supply-chain risk. For
sites >1,500 MW (medium and high impact sites in CIP-parlance), CIP-013 requires
responsible entities to develop extensive plans to mitigate cyber security risks
in their supply chain processes. Examples of supply chain attacks include the
SolarWinds attack in 2020, and the Microsoft server attack that happened in
2021, both examples of third-party tools that victim organizations had no
control over.

CIP-013[1] is onerous and does not apply to smaller sites; however, on March
16th, 2023, the Federal Energy Regulatory Commission (FERC) approved a new,
lighter requirement that will apply to them[2]. CIP-003-9 takes effect in 3
years’ time, on April 1, 2026, and is aimed at low impact sites. Three years is
a relatively short timeline to move an industry. Like CIP-013, it focuses on
third parties and their potential cybersecurity impact on power generation
sites through computer networks. It sets out to ensure that third party access
is controlled and monitored. So why does this matter?

One of the joys of modern networks is that if you plug an ethernet cable into a
port, there’s a high chance that it will work. This is because TCP/IP, the
family of protocols that underpins most computer networks, was designed to
connect everything to everything. Any kind of security is an add-on that sits on
top. The most common ways of restricting access in a modern computer network are
segmentation and firewalls. This works well at the beginning, when everything is
shiny and new, but over time entropy sets in and things tend to decompose as the
network configuration and firewall rules change. A single ethernet cable added
innocently can break segmentation in a second and be quickly forgotten.
Similarly, outside parties can be granted access through a firewall into a
network for very good reasons at the time, but frequently that access is never
revoked, even after the vendor is no longer used. Examples of vendor access in
our space include the tuning of wind turbines by the manufacturer, or access to
solar inverters for firmware upgrades. Each of these provides a potential way
into a network; frequently the access is so broad that vendors could in theory
damage things far beyond the equipment that was intended, including rewriting
firewall rules if they chose to. Third party access can often bypass even robust
network security, providing an unintended backdoor. Most industrial networks
have many, many machines connected to them, and keeping track of them is almost
impossible. CIP-003-9 aims to tighten up who is accessing your network, make
sure you can turn off access appropriately, particularly for remote users, and
implement methods for detecting malicious intrusions when they are occurring.

In many ways, the electric utility industry is ahead of other critical
infrastructure segments in forcing issues like this to be dealt with. It is
frequently said that compliance is not necessarily the same as security, but
these standards do at least provide a minimum baseline.

Two approaches that are relevant to implementing access management security are
Zero Trust networking and Identity and Access Management (IAM). Zero Trust has
been written about extensively[3][4]; at its core it is a set of principles that
make every machine its own individual network segment and trust no interaction
until it has been authenticated, every single time. IAM is a framework of
policies and technologies to ensure that the right users have the appropriate
access to technology resources.

Operant Networks views this as a Multi-Party Trust (MPT) problem. For us, every
machine and every user is Zero Trust and subject to trust policy rules that are
applied at the packet level, so that every datagram that flows across a network
is encrypted and only allowed to pass if it has been authenticated. Such
fine-grained control is deny-by-default, and user access is allowed only to the
piece of equipment and data type intended. For typical SCADA-based equipment
used in industrial networks, this can be down to the register level, with
read-only and read/write access under complete control.
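The two ideas above, vendor access that is time-bounded and revocable (so it cannot be quietly forgotten when a vendor is no longer used) and deny-by-default authorization down to the register and read/write level, can be shown in a small policy engine. The following is an added example written for this page, not Operant Networks’ product code or any CIP reference implementation; the vendor names, device names and register ranges are constructed, and the `authenticated` flag stands in for whatever credential check the remote-access session performed. It also keeps a denial log and a per-vendor denial count, which is the raw material for the detection CIP-003-9 asks for.

```python
"""Deny-by-default, register-level authorization for vendor remote access.

Added illustration (not Operant Networks' code). Every request must be
authenticated and matched to an explicit, time-bounded grant for one device
and one register range; a vendor can be disabled instantly; everything else
is denied and written to a detection log. All names below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Grant:
    vendor: str                  # authenticated vendor identity (hypothetical)
    device: str                  # the single piece of equipment covered
    registers: Tuple[int, int]   # inclusive holding-register range
    modes: FrozenSet[str]        # frozenset({READ}) or frozenset({READ, WRITE})
    expires: datetime            # grants expire so access cannot be forgotten


@dataclass(frozen=True)
class Request:
    vendor: str
    device: str
    register: int
    mode: str
    authenticated: bool = True   # outcome of the session's credential check (assumed)


def utc_date(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build timezone-aware 'now' values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class PolicyEngine:
    grants: List[Grant] = field(default_factory=list)
    disabled: set = field(default_factory=set)
    events: List[str] = field(default_factory=list)   # detection log of denials

    def disable_vendor(self, vendor: str) -> None:
        """Kill switch: turn a vendor's remote access off on demand."""
        self.disabled.add(vendor)

    def expired_grants(self, now: datetime) -> List[Grant]:
        """Grants that should be pruned: the 'never revoked' problem made visible."""
        return [g for g in self.grants if now >= g.expires]

    def authorize(self, req: Request, now: datetime) -> bool:
        """Allow only if an explicit, live grant covers this exact operation."""
        reason = self._deny_reason(req, now)
        if reason is None:
            return True
        self.events.append(
            f"DENY vendor={req.vendor} device={req.device} "
            f"register={req.register} mode={req.mode} reason={reason}"
        )
        return False

    def denials_by_vendor(self) -> Dict[str, int]:
        """Repeated denials from one vendor session are what a detector should flag."""
        return dict(Counter(e.split()[1].split("=", 1)[1] for e in self.events))

    def _deny_reason(self, req: Request, now: datetime) -> Optional[str]:
        if not req.authenticated:
            return "unauthenticated"
        if req.vendor in self.disabled:
            return "vendor-disabled"
        matching = [g for g in self.grants
                    if g.vendor == req.vendor and g.device == req.device]
        if not matching:
            return "no-grant"                       # deny by default
        live = [g for g in matching if now < g.expires]
        if not live:
            return "grant-expired"
        in_range = [g for g in live
                    if g.registers[0] <= req.register <= g.registers[1]]
        if not in_range:
            return "register-out-of-scope"
        if not any(req.mode in g.modes for g in in_range):
            return "mode-not-granted"
        return None


def build_demo_engine() -> PolicyEngine:
    """Constructed sample: a turbine vendor with read-only tuning access that
    expires mid-year, and an inverter vendor with a narrow read/write window."""
    engine = PolicyEngine()
    engine.grants.append(Grant("turbine-vendor", "wtg-07", (40001, 40050),
                               frozenset({READ}), utc_date(2023, 6, 30)))
    engine.grants.append(Grant("inverter-vendor", "inv-12", (100, 120),
                               frozenset({READ, WRITE}), utc_date(2023, 12, 31)))
    return engine


if __name__ == "__main__":
    now = utc_date(2023, 4, 1)
    eng = build_demo_engine()
    print(eng.authorize(Request("turbine-vendor", "wtg-07", 40010, READ), now))   # True
    print(eng.authorize(Request("turbine-vendor", "wtg-07", 40010, WRITE), now))  # False
    eng.disable_vendor("inverter-vendor")
    print(eng.authorize(Request("inverter-vendor", "inv-12", 105, WRITE), now))   # False
    print(eng.events)
```

The design choice worth noting is that the engine never has an "allow" rule that is broader than one vendor, one device, one register range and one mode set, so a forgotten cable or a firewall rule that was never cleaned up cannot silently widen what a vendor session can touch; the only way to widen access is to add a grant, and every grant carries an expiry that `expired_grants` will surface.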

Cyber security in the energy context is less about focusing on attacks, and more
about how to keep assets safe and productive, generating revenues. CIP-003-9 is
a forcing-function, but should we really wait 3 years to do the right thing to
keep our businesses running?


--------------------------------------------------------------------------------

[1] https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-003-9.pdf

[2] https://industrialcyber.co/nerc-cip/ferc-approves-reliability-standard-cip-003-9-covering-supply-chain-risk-management-of-low-impact-bes-cyber-systems/

[3] https://en.wikipedia.org/wiki/Zero_trust_security_model

[4] https://dive.pub/3RbkMvD and
https://www.utilitydive.com/spons/cybersecurity-the-case-for-zero-trust-in-modern-energy-networks-part-2/645894/

Article top image credit: SasinParaksa via Getty Images



NEW WHITE HOUSE CYBER STRATEGY COULD DRIVE UTILITY COSTS HIGHER, WARNS SECURITY
EXPERT

By: Robert Walton • Published March 6, 2023

The electric utility sector should “build in cybersecurity proactively” as a
“new generation of interconnected hardware and software systems” is developed to
manage the nation’s clean energy resources, the White House said in a national
cybersecurity strategy released March 2.

It calls for “expanding the use of minimum cybersecurity requirements in
critical sectors,” which utilities already incorporate, and shifting liability
from end users to software and services developers “to promote secure
development practices.”

The changes will likely mean higher costs for the electric utility sector,
according to Ethan Schmertzler, CEO of operational technology security firm
Dispel. “Utilities and the communities that they serve are going to have to work
together with the government to determine a funding path forward,” he said in an
email.

The U.S. is making a “generational investment in new energy infrastructure,” and
the White House’s new cybersecurity strategy calls for securing it through the
2022 Congressionally-directed National Cyber-Informed Engineering
Strategy “rather than developing a patchwork of security controls after these
connected devices are widely deployed.”

The U.S. Department of Energy unveiled the engineering security strategy last
year to incorporate more cyber resilience during the manufacturing, development
and deployment of computer systems used by energy providers.

The agency and its national laboratories are “leading the government’s effort to
secure the clean energy grid of the future and generating security best
practices that extend to other critical infrastructure sectors,” according to
the White House cybersecurity strategy. “DOE will also continue to promote
cybersecurity for electric distribution and distributed energy resources in
partnership with industry, States, Federal regulators, Congress, and other
agencies.”

Experts say the impact of the new strategy may be muted — at least initially
— for electric utilities, but it could ultimately lead to higher costs.

The electric power sector already meets minimum security standards through the
North American Electric Reliability Corp.’s Critical Infrastructure Protection
rules and “has nothing to fear from new cyber regulation as a result of the new
strategy,” security consultant Tom Alrich said. 

“Other critical infrastructure industries like water or petroleum refining that
don’t currently have to comply with cyber regulations, might face them at some
point. However, that’s likely to be years in the future,” Alrich said, given
that Congressional action will be required.

“The energy sector can be expected to see increased scrutiny and revised best
practices surrounding cybersecurity guidelines,” said Antoine Snow, senior
public sector solution engineering manager for AvePoint, a platform that
optimizes software as a service operations.

“This will be pivotal in ensuring critical energy infrastructure is protected
from the increasing amount of cyber threats and further reducing risk,” he
said. 

“Stricter standards would be beneficial” for the electric sector, Dispel’s
Schmertzler said. He advocates for security guidelines set by the National
Institute of Standards and Technology to be made “more compulsory and less of a
recommendation.”

The national cybersecurity strategy “clearly indicates a greater role for the
government in being the front-line in cybersecurity — rather than individuals
and businesses,” Schmertzler said. Though he added that with more regulation,
the federal government may need to work with utilities on how increased security
is funded.

Utility companies “must turn their focus toward developing a comprehensive
defense and prevention strategy,” said Dana Simberkoff, AvePoint chief risk,
privacy and information security officer. The White House’s cybersecurity
strategy “brings to light just how essential it is for utility and power
companies to continue safeguarding [their systems] ... [and] makes clear it’s no
longer enough to have legacy and outdated response policies in place.”

The White House said it plans to work with Congress and the private sector “to
develop legislation establishing liability for software products and services”
that would prevent “manufacturers and software publishers with market power from
fully disclaiming liability by contract, and establish higher standards of care
for software in specific high-risk scenarios.”

To incentivize secure software development practices, the strategy calls for
encouraging “coordinated vulnerability disclosure across all technology types
and sectors,” promoting development of software bills of materials, or
SBOMs, and developing “a process for identifying and mitigating the risk
presented by unsupported software that is widely used or supports critical
infrastructure.”

The utility sector has been working with the federal government to utilize SBOMs
in procurements.

Alrich said software development processes should be secure but warned against
pursuing greater developer liability as an easy fix.

“The liability for almost any cyber breach can be traced to thousands of
clueless individuals in all walks of life,” he wrote March 3 on his blog. “If
you wanted to assign liability properly, you’d have to trace down all these
individuals and spend a year or two figuring out exactly how much of the bill
each of those parties is responsible for. Then, you’d have to get each of them
to pay their fair share.”

Article top image credit: timnewman via Getty Images


HACKERS ARE ‘INCREASINGLY BOLD,’ NERC WARNS, AS DRAGOS REPORT IDENTIFIES NEW
GRID THREATS

By: Robert Walton • Published Feb. 24, 2023

A growing number of hackers are developing capabilities to disrupt energy
infrastructure in North America, according to a new report from Dragos. The
industrial cybersecurity firm said it is now tracking 20 “activity groups” that
target a wide range of industrial sectors around the world, but noted the cyber
defenses of the electric sector are among the best.

A group known as “Bentonite” emerged in 2022 with a focus on the oil and gas
sector. Also new is “Chernovite,” which Dragos said has developed a modular
industrial control system, or ICS, attack framework called “Pipedream” which
could initially target the electric sector, among others.

Grid officials do not expect the threat to abate. “Increasingly bold adversaries
regularly employ new tactics, techniques, and procedures; they are also
exploiting new and legacy vulnerabilities,” the North American Electric
Reliability Corp. said Feb. 21 in its annual report. 

When it comes to cybersecurity, last year extended a trend seen in 2021, NERC
said.

“The threat landscape continued to demonstrate adversaries’ potential capability
to disrupt critical infrastructure in North America,” the reliability
organization said. “As a result of sector interdependencies, grid evolution, and
an expanding supply chain, the threat surface as well as the potential magnitude
of impacts has increased.”

In the electric sector, the increasingly-distributed nature of grid resources
means more potential targets, say experts. But Dragos said utilities are largely
well-defended and positioned to respond, among industries targeted by hackers.

“Electric utilities showed the best preparedness, followed by oil and gas,” the
Dragos report said. “Manufacturing represented the worst results among
verticals.”

Attackers continue to hone their capabilities, however. The Bentonite group
Dragos began tracking last year “has been active and focuses on targeting oil
and gas [companies],” said Ben Miller, vice president of services. Miller hosted
a discussion Feb. 23 of the Dragos report.

“They’re doing initial access, reconnaissance, and they have demonstrated
command and control capabilities within these custom properties and oil and gas
facilities,” Miller said. So far, however, the group has “not necessarily
demonstrated the ability to gain access into the OT or ICS environments.”

A group of threat actors dubbed “Erythrite” have been targeting U.S. and
Canadian companies since 2020 and last year “compromised the IT environments of
two large electrical utilities,” according to Dragos.

Dragos also began tracking a group known as Chernovite in 2022, with particular
focus on its modular ICS attack framework called “Pipedream.” Initial targets
could include the electric sector, oil and gas, and manufacturing, Dragos said.

Chernovite “possesses a greater breadth of ICS-specific knowledge than
previously discovered threat groups,” according to the report. The Pipedream
malware “includes capabilities to disrupt, degrade, and potentially destroy
physical processes in industrial environments” and is the “first cross-industry
and repeatable disruptive ICS attack framework known to date.”

Defending against an increasingly-sophisticated threat means developing a
response plan that is specific to the OT environment, said Miller. 

“That can be very broad and can be actually quite intimidating,” Miller
said. “Our recommendation is to start off with a scenario — whether it is
Chernovite and Pipedream or whether it is a ransomware case — and develop that
scenario and a clear response plan, before moving on to the next one.”

Entities that have done this with more than a single scenario are “ahead of
the pack,” he said.

NERC’s annual report also highlighted the need for grid security to extend
beyond cyber concerns.

“Throughout North America as the year drew to a close, the need for continued
vigilance was thrown into sharp focus with attacks on substations in North
Carolina and in the Pacific Northwest,” NERC said. 

Multiple substations in Washington were damaged on Dec. 25, leading to more than
14,000 outages on the Tacoma Power and Puget Sound Energy systems. And a North
Carolina firearms attack earlier in the month knocked power out to about 45,000
Duke Energy customers.

“The industry should expect further regulatory inquiries and potential actions
from the federal government in response,” according to Jason Christopher,
director of cyber risk at Dragos. But with 55,000 substations around the
country, “there are obvious risk-based limitations on addressing physical
threats that need to be managed.”

Article top image credit: Wikimedia Commons



AS CISA CHIEF NOTES LACK OF RUSSIAN CYBERATTACKS AGAINST US, EXPERTS FOCUS ON
ENHANCING NUCLEAR REACTOR SECURITY

By: Robert Walton • Published March 23, 2023

The United States was prepared for “potential blowback” related to its response
to Russia’s invasion of Ukraine, and was on the lookout for an onslaught of
related cyberattacks even before the war began, but those attacks did
not materialize, U.S. Cybersecurity and Infrastructure Security Agency Executive
Director Brandon Wales said March 22.

Credit for deterrence and defense goes to both industry and government, Wales
said during a discussion of nuclear-related cybersecurity issues hosted by
Foreign Policy Magazine. But it also reflects “decisions by the Russian
government on what they’re willing to do right now,” he said.

The future of nuclear cyber defense is evolving quickly, experts agreed.
Smaller, advanced nuclear reactors can be designed with resiliency to digital
attacks in mind, and an offensive strategy to disrupt would-be hackers will
become vital, they said.

Protecting critical infrastructure from hackers will require a “balance” of
offensive and defensive capabilities, Wales said.

“Offensive operators” can gain access to adversary networks and “identify
specific tools that they’re using, getting those into the hands of the
defenders,” Wales said. “We need to make sure that this is a partnership because
neither side will be completely successful without the other.”

CISA launched a “Shields Up” campaign in January 2022, as it became apparent
Russia was preparing to invade Ukraine, Wales said. “Recognizing that an
invasion was likely, we were getting industry ready for potential attacks here
at home. We have not seen that.”

“We have not seen successful attacks on the United States from Russia, from the
Russian government,” Wales continued. “And I think that is a credit to the work
of both government and industry partnering together to make sure that those are
much harder to achieve.”

The Russian government may not be behind the attacks, but cyberattacks are on
the rise according to Alina Polyakova, president and CEO of the Center for
European Policy Analysis.

“Cyberattacks have increased by 300% since 2020, against Ukraine and NATO
states,” Polyakova said during the March 22 discussion. She advocates for a
change in how the responsibility for cybersecurity is viewed. 

So far, “governments have been putting the responsibility on private
industry,” Polyakova said. “We really need to move beyond that framework. And
the way we do this, we have to get on the offensive. We have to think about
disruption.”

There is also the potential for the next generation of nuclear resources to be
built with cybersecurity and safety in mind from the ground up, in addition to
better defending of existing plants, said experts.

“It’s important that we start to do what I would call sort of stress checks,
failsafe reviews, so that if a nuclear facility is compromised, in a cyber
sense, we understand what the physical implications could be,” said Page
Stoutland, a consultant to the Nuclear Threat Initiative.

Smaller, advanced nuclear generation resources can also be designed with safety
in mind, Stoutland said.

“There are many different designs being considered,” Stoutland said. “Many of
these systems are more inherently safe ....  so I guess overall, I’m optimistic
but the specific answer would depend on the particular system we’re
considering.”

Article top image credit: TU IS via Getty Images


NRC ISSUES FIRST UPDATE OF 2010 REGULATORY GUIDE TO STRENGTHEN CYBERSECURITY AT
NUCLEAR PLANTS

The revision incorporates references to industry guidance on identifying and
protecting critical digital assets. It also clarifies guidance on comprehensive
protections for cybersecurity.

By: Stephen Singer • Published Feb. 13, 2023

The U.S. Nuclear Regulatory Commission has updated a 13-year-old guide to
protect nuclear plants from cyber attacks, requiring plans that detail
operations and protections against vulnerabilities.

Notice about the updated guide, known as Revision 1, was published in the Feb.
13 Federal Register.

The Regulatory Guide posted on the NRC’s website describes “design-basis
threats” to be used to build safeguard systems to protect against acts of
radiological sabotage and prevent the theft of radiological material.

Revision 1, according to the Federal Register notice, incorporates references to
industry guidance on identifying and protecting critical digital assets. It also
clarifies guidance on defense-in-depth, or comprehensive protections, for
cybersecurity. And it includes updated text based on the latest security
guidance from the National Institute of Standards and Technology and
International Atomic Energy Agency.

The NRC in 2010 issued cybersecurity regulations that cover structures, systems
and components important to radiological health and safety at NRC-licensed
nuclear power plants. Digital assets at nuclear power plants that had been
covered by cybersecurity regulations of the Federal Energy Regulatory Commission
were transferred to the jurisdiction of the NRC.

Nuclear plants have since updated cybersecurity plans to incorporate balance of
plant systems, which are the supporting components and auxiliary systems, apart
from the generating unit, that help deliver energy. 

In 2015, the NRC published guidance on cybersecurity event notifications. It set
requirements clarifying the types of cyberattacks that require NRC notification,
the timeliness of notifications, and other details.

The 160-page revised guidance clarifies issues identified in cybersecurity
inspections, technologies and information from a security frequently asked
questions process and from international and domestic cybersecurity attacks.

The guidance requires nuclear plants to describe in cybersecurity plans how they
have “achieved high assurance” that digital systems are protected from
cyberattacks. A plan must demonstrate a safety-related and
emergency-preparedness function, including offsite communications.

Plant operators must show how cybersecurity plans protect the integrity and
confidentiality of data and software, physical security program and protective
strategies and how they would protect, detect, respond to and recover from
cyberattacks.

Cybersecurity plans must provide details of a nuclear plant’s defenses against
cyberattacks: how a plant’s cybersecurity program works; how a cybersecurity
program is incorporated into its physical security program; how a cybersecurity
awareness and training program provides training; and how a nuclear plant
evaluates and manages cybersecurity risks.

The NRC says a nuclear plant licensee can establish cybersecurity training by
defining and documenting roles, responsibilities and authorities and making sure
they are understood.

The regulations describe who is responsible for oversight and communications in
administering the cybersecurity plan.

Article top image credit: “TVA nuclear plant” by Tennessee Valley Authority is
licensed under CC BY 2.0



SUBSTATION ATTACKS MAY LEAD TO NEW ENERGY SECURITY RULES IN 2023, EXPERTS SAY

2022 ended with a series of physical substation attacks, but the cyber threat
remains acute as well.

By: Robert Walton • Published Jan. 17, 2023

Amid a growing cyber threat to the U.S. electric grid, 2022 ended with a spate
of physical attacks that could portend new security rules for some energy
infrastructure, say experts.

“The physical substation attacks toward the end of last year raised the alarm
bell,” Jason Christopher, director of cyber risk at Dragos, said in an email.

Multiple substations in Washington were damaged on Dec. 25, leading to more than
14,000 outages on the Tacoma Power and Puget Sound Energy systems. And a North
Carolina firearms attack earlier in the month knocked power out to about 45,000
Duke Energy customers.

“Unfortunately, with 55,000 substations nationally, there are obvious risk-based
limitations on addressing physical threats that need to be managed,” Christopher
said. “The industry should expect further regulatory inquiries and potential
actions from the federal government in response.”

The North American Electric Reliability Corp. oversees a set of critical
infrastructure protection standards, known as CIP, governing rules for Bulk
Electric System power equipment.

“I am hearing rumors that [the Federal Energy Regulatory Commission] may require
NERC and the industry to revisit CIP-014, which is the physical security
standard for critical BES transmission substations,” Kevin Perry, former
director of critical infrastructure protection at Southwest Power Pool, said in
an email.

FERC could consider stricter rules for more substations that operate between 200
kV and 499 kV, said Perry. But he added, “I don’t see FERC mandating costly
physical security protections for those substations that engineering studies
determine do not have a significant reliability impact if damaged or destroyed.”

Cost is a major barrier to improving physical security, experts agreed,
particularly because grid equipment is often in remote areas and the electric
system is designed with redundancies in place. Loss of a single substation, for
instance, should not cause an outage.

“What are you gonna do, wrap everything in Kevlar? That would be a very poor use
of regulation, in my opinion,” said Thomas Pace, CEO and co-founder of NetRise.

While physical attacks may have grabbed headlines, the cyber threat is
growing and hackers in Russia, China, Iran and North Korea all have
sophisticated hacking abilities, say experts. And the rise of distributed energy
resources creates a larger attack surface.

The Federal Energy Regulatory Commission is considering developing new
cybersecurity rules for DERs on the bulk electric system, and the U.S.
Department of Energy is funding “next-generation” cybersecurity research,
development and demonstration projects.

Pace formerly worked with DOE, where he focused on industrial control systems
security and said he expects more focus on software security in the coming year.
That could include the potential for a software bill of materials, or SBOM, to
be required for some vendors of some energy or grid-related services. The
requirements would likely be “very prescriptive,” he said.

Modern software is constructed of many components, making vulnerabilities
difficult to track, say experts. The federal government and the electric power
sector are collaborating on an initiative to more readily disclose what
components go into grid software.

“I predict that the biggest cyber threat to the power industry in 2023 won’t be
direct hacks like those depicted in the movies, but supply chain attacks,
especially those that come through software,” said independent security
consultant Tom Alrich. “These are currently the least understood of
cyberattacks, and aren’t directly covered by the NERC CIP standards.”

Electric utilities “should be prepared for the increasing sophistication of
supply chain compromise threats,” Roya Gordon, a security expert at Nozomi
Networks, said in an email.

NERC has scheduled a meeting in February and its Compliance Committee and
Technology & Security Committee are both scheduled to make presentations. “They
will likely be considering the role of technology and security in the ability
for electric utilities to be compliant,” Gordon said. “Let’s be on the lookout
for further NERC guidance after their February meetings.”

“I suspect we will see some enhancements to NERC [requirements] in regards to
supply chain cybersecurity, but mostly I think they will be clarifications vs.
additions,” said Ron Brash, vice president of technical research and
integrations at aDolus Technology.

Brash also pointed to the importance of software security. “Asset management
systems will begin to incorporate SBOMs to provide high-granularity visibility
into the software and firmware running on assets,” he said.
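The point made above about software being built from many components, and the later remark that asset management systems will use SBOMs for visibility into what is running on each asset, can be made concrete with a small cross-reference. The following is an added example written for this page, not code from any of the firms or initiatives quoted in the article. It uses CycloneDX-style `components` and `dependencies` entries (the real CycloneDX field names) filled with constructed asset names, hypothetical component names and placeholder advisory IDs, and answers the question an SBOM exists to answer: which deployed assets contain an affected component, and through which parent component it was pulled in.

```python
"""Cross-referencing per-asset SBOMs against an advisory list.

Added example (not code from any firm quoted on the page). Component and
asset names are constructed; advisory IDs are placeholders, not real CVEs.
Field names follow CycloneDX: 'components' with 'bom-ref', 'name', 'version',
and 'dependencies' with 'ref' / 'dependsOn'.
"""
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); a trailing tag such as '1.4.2-rc1' is ignored."""
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_in_range(v: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected when introduced <= v < fixed; fixed=None means no fix exists yet."""
    pv = parse_version(v)
    if pv < parse_version(introduced):
        return False
    return fixed is None or pv < parse_version(fixed)


# Constructed sample SBOMs, one per deployed asset.
SBOMS: Dict[str, dict] = {
    "substation-rtu-fw-3.1": {
        "components": [
            {"bom-ref": "example-modbus-stack@2.3.0",
             "name": "example-modbus-stack", "version": "2.3.0"},
            {"bom-ref": "example-tls-lib@1.0.9",
             "name": "example-tls-lib", "version": "1.0.9"},
        ],
        "dependencies": [
            {"ref": "rtu-firmware-3.1", "dependsOn": ["example-modbus-stack@2.3.0"]},
            {"ref": "example-modbus-stack@2.3.0", "dependsOn": ["example-tls-lib@1.0.9"]},
        ],
    },
    "hmi-workstation-image-2023.02": {
        "components": [
            {"bom-ref": "example-tls-lib@1.2.1",
             "name": "example-tls-lib", "version": "1.2.1"},
            {"bom-ref": "example-log-agent@4.0.0",
             "name": "example-log-agent", "version": "4.0.0"},
        ],
        "dependencies": [],
    },
}

# Constructed advisory feed (placeholder IDs, hypothetical components).
ADVISORIES: List[dict] = [
    {"id": "ADV-EXAMPLE-001", "component": "example-tls-lib",
     "introduced": "1.0.0", "fixed": "1.1.0"},
    {"id": "ADV-EXAMPLE-002", "component": "example-log-agent",
     "introduced": "4.0.0", "fixed": None},
]


def dependents(sbom: dict, ref: str) -> List[str]:
    """Walk the dependency graph upward: which components pull `ref` in?"""
    parents: Dict[str, List[str]] = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    chain: List[str] = []
    frontier = [ref]
    while frontier:
        next_frontier = []
        for r in frontier:
            for parent in parents.get(r, []):
                if parent not in chain:
                    chain.append(parent)
                    next_frontier.append(parent)
        frontier = next_frontier
    return chain


def affected_assets(sboms: Dict[str, dict], advisories: List[dict]) -> List[dict]:
    """One finding per (asset, component, advisory) match, with the 'via' chain."""
    findings = []
    for asset, sbom in sboms.items():
        for comp in sbom["components"]:
            for adv in advisories:
                if comp["name"] != adv["component"]:
                    continue
                if version_in_range(comp["version"], adv["introduced"], adv["fixed"]):
                    findings.append({
                        "asset": asset,
                        "component": comp["name"],
                        "version": comp["version"],
                        "advisory": adv["id"],
                        "via": dependents(sbom, comp["bom-ref"]),
                    })
    return findings


if __name__ == "__main__":
    for f in affected_assets(SBOMS, ADVISORIES):
        print(f"{f['asset']}: {f['component']} {f['version']} "
              f"({f['advisory']}) via {' <- '.join(f['via']) or 'top level'}")
```

The `via` chain is the part a plain component list cannot give you: the RTU firmware does not use the TLS library directly, it inherits it through the Modbus stack, so the fix has to come from the stack vendor, and that is exactly the supply-chain visibility the quoted experts are describing.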

And there is a threat that supply chain constraints combine with grid attacks to
exacerbate the impacts of any disruption, said Ron Fabela, chief technology
officer of cybersecurity firm SynSaber.

“Supply chain globalization and just-in-time manufacturing [have] been an
enduring challenge for the electric sector,” Fabela said in an email. “An
increase in physical attacks to grid components would exacerbate the issue,
further amplified by any cyber disruption of suppliers through ransomware
attacks.”

Cyber risks that impact operations will continue to gain attention from utility
leaders, especially if the Securities and Exchange Commission finalizes new
rules on cybersecurity risk and incident disclosure that would impact
investor-owned utilities, said Christopher.

“Those would force boards of directors to have specific expertise on cyber risk
management, including understanding the impacts associated with cyber events,”
he said. “This could have a ripple effect across our industry and could shed
additional light on the effectiveness of OT security programs and any potential
resource constraints.”

Article top image credit: Adeline Kon/Utility Dive


PUTIN-FOCUSED AND OTHER HACKS OF CHARGING STATIONS DRIVE NEW CYBERSECURITY STEPS
FOR AN EV BOOM

Emerging tools and strategies are focused on patching utility, charger and power
system cyber vulnerabilities, analysts said.

By: Herman K. Trabish • Published Nov. 8, 2022

The ongoing expansion of the U.S. electric vehicle ecosystem is creating new
cybersecurity risks for the nation’s power system by offering hackers access
through widely distributed and less well-protected charging stations, but
solutions are emerging, charger software providers and researchers said.

Recent hacks using Russian charging stations to ridicule Vladimir Putin and
British chargers to play adults-only content show cyber threats are real, public
and private sector analysts said. Accessing customer personal or financial data
has been demonstrated, and an EV boom driven by proliferating transportation
electrification policy goals could spread threats across the power system, they
added.

With a Biden Administration goal of 50% of new car sales to be zero emissions by
2035 and funding for a national EV charging network, U.S. transportation
electrification “is accelerating at a breakneck speed,” said Joseph Vellone,
North America head for international charger software provider ev.energy.
Innovative utility-managed charging programs could allow “an attacker with
malicious intent to destabilize the power system,” he said.

“Permissive access to chargers was adequate for traditional power systems,” but
“vehicle-grid integration” to manage charging “adds orders of magnitude of
operational complexity,” added Duncan Greatwood, CEO of cybersecurity specialist
Xage. Vulnerability is significant because “cybersecurity strategies were only
introduced into the energy sector in the last 18 months,” he said.

EVs, now about 1% of the 250 million U.S. light-duty vehicles, rose to 6.1% of
new U.S. vehicle sales in Q3 2022 from 3.7% in Q3 2021, Clean Technica reported
September 13. By 2030, they could be 52% of new car sales, according to a
BloombergNEF estimate reported September 20. And vulnerabilities will increase
with that rapid EV ecosystem expansion across the power system’s attack surface,
cybersecurity specialists agreed.

Those vulnerabilities threaten more serious impacts than ridiculing Putin or
randomly showing adult content, power industry, private cybersecurity providers,
and cybersecurity research leaders said. An October 25 Office of the National
Cyber Director-led forum recognized that new answers for EV ecosystem
cybersecurity are needed. But stopping black hat attackers with financial or
worse motives, who seem always a step ahead, will be challenging, those leaders
acknowledged.


DETAILING THE THREATS

The U.S.’s over 122,000 total public charging ports and its 455,000 new EV sales
in 2022 led the individual country rankings in the BloombergNEF EV Dashboard
released September 21. And “people are plugging in and charging without
attacks,” said Sunil Chhaya, a senior technical executive for transportation at
the Electric Power Research Institute.

But “hackers are everywhere,” and the growth and visibility of the EV ecosystem
“will magnify the temptation to either make money or a political point,” Chhaya
said. “The consequences of threats not addressed are real” because “charging
infrastructure is a good entry point” for financial, EV ecosystem, or power
system attacks, he added.

The EV ecosystem is part of a growing “internet of energy” market that will
support the energy transition but comes with the “side effect” of an increased
attack surface, agreed Schneider Electric VP for Product Cybersecurity and Chief
Product Security Officer Megan Samford.



Image: Homeland Security (2016), “Defense-In-Depth Strategies.” Retrieved from
Homeland Security.

Most recent attacks focused on vulnerabilities between utility-owned power
system assets and chargers to obtain customer personal and financial data or
disrupt charging, Samford said.

Few specifics on attacks are made public, but in addition to the Russia and U.K.
events, a white hat attack on German Tesla charging stations was reported by
Bloomberg News January 11. In addition, international researchers identified 13
vulnerabilities in 16 charging systems, TechRepublic reported March 23. Finally,
out of more than 240 attacks on charger stations globally in 2021, 40.1% used
charger access to get at charger company servers, according to Israeli EV
cybersecurity specialists Upstream’s 2022 report.

Without early detection, attacks such as these could lead to “cascading” power
system outages, Samford said.  

Too often, cybersecurity is “an afterthought” in connecting public charging to
the power system, according to a 2019 EPRI comprehensive cybersecurity plan.
Planning should instead build in data confidentiality and access controls from
the start and acknowledge the risks to safety, privacy, reliability, and
finance.

Charging stations provide increasingly complex interactions about when and how
quickly vehicles are charged and discharged, said Xage’s Greatwood. “The easiest
hack is not vertically into the well-protected power system core but
horizontally to spread malware across less well-protected EV charging stations
and station management systems,” he added.

“The energy transition is making grid edge assets more important,” he said. “A
successfully widespread attack could stop traffic” or “create a local outage
that leads to a cascading power system disruption,” he agreed.

Distribution system infrastructure like substations are difficult to attack and
system voltage and frequency are carefully monitored, said Rolf Bienert,
managing and technical director of leading power system standards advocate
OpenADR Alliance. But as smart chargers and real-time pricing are used to
address demand spikes, attackers might disrupt communications to create
reliability failures, he said.

The charging system’s ready public access through remote physical connections,
its limited designed-in security, and its expansive attack surface make it “by
far the most vulnerable element” in the EV ecosystem, Roy Fridman, CEO of
Israeli cybersecurity specialist C2A Security, summarized in a July 4 blog.

Software “is the connective tissue between utilities and system operators”
allowing management of EV charging “to balance loads,” said ev.energy’s Vellone.
But EV charger software “could carry a Trojan horse planted by a rogue agent or
nation like Russia or China,” he agreed.

In a state with a heavy charging load like California, the attacker “could
orchestrate a sudden huge power surge during a peak demand period that could
easily be catastrophic,” Vellone said. Cascading circuit outages “could result
in something like the August 2003 two-day blackout across the Northeast caused
by a fallen tree branch,” he suggested.

U.S. cybersecurity standards like federally-ordered Zero Trust and Defense in
Depth strategies are inadequate for fully protecting financial and personal data
or regulating charger firmware and software, Vellone and others said.

“The gold standard is the 2018 European Union General Data Protection
Regulation’s strict, comprehensive, and forward-looking guidelines,” and U.S.
federal legislation could use the 2018 California Consumer Privacy Act as a
template, Vellone said.

Cybersecurity efforts like the May 2021 Executive Order 14028 on improving the
nation’s cybersecurity and President Biden’s October 11 Executive Order offer no
guidance for the EV ecosystem, stakeholders agreed. And payment card industry
security standards for gasoline pumps omit critical EV charger vulnerabilities
that should be addressed by the North American Electric Reliability Corporation,
they added.

Utilities were quick to answer Utility Dive queries about their cybersecurity
efforts but, for good reason, reluctant to detail incidents or the growing
threat potential.





THE UTILITY DILEMMA

A conundrum limits utility and system operator public comments on cybersecurity.
They want customers and shareholders to know they are aware of and working on
solutions to threats, but they cannot detail experiences and preparations
because it could reveal their enormous attack surfaces’ vulnerabilities, they
unanimously agreed. 

“We would rather not provide details on particular threats,” said Consolidated
Edison spokesperson Allan Drury. But ConEd’s experts and government and industry
partners are helping develop “a robust defense-in-depth program to mitigate the
threats,” he added.

Federal cybersecurity guidance describes a defense-in-depth strategy for
charging stations as multiple layers of automated authentication and operations
monitoring from the utility to the charger, C2A’s Fridman and other security
providers said.   

DTE Energy vehicle-grid integration programs include open access software
platforms, but “we coordinate extensively with our industry partners on
cybersecurity,” was all DTE Energy Spokesperson Angela Meriedeth could disclose.
 

“For obvious reasons, San Diego Gas and Electric does not discuss specifics of
our security efforts,” Krista Van Tassel, the utility’s spokesperson, echoed.
But “critical systems” are “rigorously” tested for vulnerabilities, security
practices and tools are “continually” reviewed, and the utility is working with
industry partners on “risk mitigation strategies,” she added.

Southern California Edison is similarly working with industry stakeholders to
develop cybersecurity “standards and protocols” to “reduce cybersecurity risk to
the grid as EVs continue to grow,” the utility’s spokesperson Brian Leventhal
said.

Washington state’s Avista Utilities does not now face a significant cyber threat
because chargers and utility control systems are not interconnected, Rendall
Farley, its manager of electric transportation, said. But future programs and a
“next generation of high-powered chargers” may interconnect utility systems
through managed charging to address demand peaks, which would require
“mitigating any cyber threats,” he said.

Strategies to mitigate such vertical attacks on utility control systems from
public chargers and to securely update cybersecurity software and firmware are
being developed, researchers and private sector experts agreed.



Image: Permission granted by Xage.


EMERGING STRATEGIES AND TOOLS

Many utilities are planning to manage EV charging loads, which will increase
vulnerabilities to cyberattacks, most stakeholders agreed. But funding and
research are already addressing the challenge, many said.

The five-year $5 billion funding of a national interstate charging corridor in
the Infrastructure Law “is a once in a generation opportunity,” said Idaho
National Laboratory Senior Research Engineer Tim Pennington. It can lead to
“important new cybersecurity standards” from federal agencies, he added.

Charger hardware can have “independent certifications” for meeting cybersecurity
standards, be programmed with “self-aware, built-in, security capabilities,” and
be given routine “system checks,” Schneider Electric’s Samford said. But
capabilities are still needed to “detect anomalous behavior across the network
and system,” to identify “potentially malicious behavior,” and to “take action,”
she added.

INL is developing those capabilities within the Department of Energy’s
Cybersecurity, Energy Security, and Emergency Response, or CESER, programs,
Pennington said. And its laboratory demonstrations have shown the new strategies
and technologies can work, he added.

There is “no official specific intelligence about an adversary or a threat,” INL
Energy Threats Program Manager Jamie Richards, working under the CESER programs,
specified. But laboratory demonstrations with high-powered chargers showed a new
tool can detect and mitigate attacks, she added.

One INL demonstration showed charger vulnerabilities like a piece of readable
code, a default password, or an accessible public charger port make serious
impacts possible, Richards said. In a second demonstration, INL’s safety
instrumented system, or SIS, cybersecurity tool, “recognized adversary behaviors
targeting those charger vulnerabilities with a 75% success rate,” she added.

INL is now testing automated SIS interventions like interrupting charging to
prevent escalating impacts, Richards said. The SIS tool’s cost-effectiveness “is
hard to know at this stage” because “the return on investment for any security
solution is not typically justified until the cost of what it can prevent
becomes clear,” she added.

A coming but not yet announced EPRI online tool will allow EV ecosystem
participants “to assess their cybersecurity strengths and weaknesses and obtain
mitigations based on related industries’ best practices,” EPRI’s Chhaya said. 

But best practices from other industries may not provide the cybersecurity
needed for the EV ecosystem, Xage’s Greatwood said. “Banks can use
manufacturer-installed security certificates in laptops and cellphones, but that
level of authentication is not built into today’s EV charging systems,” he said.

A Mesh Architecture defense strategy could provide a higher level of
cybersecurity by storing user identity authentication information in multiple,
programmed internet “nodes,” he said. “If two nodes of a 20-node Mesh are
hacked, the other nodes will recognize the intrusion and deny further access to
the hacker to maintain a distributed system’s integrity,” Greatwood added.

“In traditional operational security, the system is as weak as its weakest link
and one hack creates access to the entire system,” he said. With a Mesh
architecture, hacked nodes are “quickly identified and reset,” which means “more
nodes in the Mesh makes the system’s security better,” he added. “No protection
can be guaranteed, but the Mesh approach makes attacks more difficult and
impacts more limited,” he said.
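The mesh argument above, turned into a runnable illustration. This is an added example, not Xage’s code and not a design the article describes in any detail: it assumes each node keeps its own replica of salted PBKDF2 credential hashes, that every node votes on every login, and that access is granted only when at least two thirds of the nodes agree. A hacked node is modelled as one whose replica has been overwritten so that it vouches for the attacker’s password. The names (IdentityNode, Mesh, node-00 and so on) and the sample passwords are constructed for the example.

```python
"""Quorum-based credential verification across a mesh of identity nodes.

Added illustration of the "mesh" argument; not Xage's code. Assumed design
(not stated in the article): every node keeps its own replica of the
credential store, every node votes on each login, and access is granted only
when a two-thirds supermajority of nodes agrees. A hacked node is modelled as
one whose replica has been overwritten so it vouches for the attacker.
"""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 10_000  # kept low so the demo runs quickly; raise in production


def hash_credential(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same derivation runs on every node."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class IdentityNode:
    """One mesh node holding its own replica of the credential store."""
    name: str
    store: dict = field(default_factory=dict)  # user -> (salt, hash)

    def enroll(self, user: str, password: str, salt: bytes) -> None:
        self.store[user] = (salt, hash_credential(password, salt))

    def verify(self, user: str, password: str) -> bool:
        """This node's vote: True only if the password matches its replica."""
        if user not in self.store:
            return False
        salt, expected = self.store[user]
        return hmac.compare_digest(expected, hash_credential(password, salt))


class Mesh:
    """Authentication is a vote across all nodes, not a lookup on one."""

    def __init__(self, nodes, quorum_fraction=2 / 3):
        self.nodes = list(nodes)
        self.quorum = math.ceil(quorum_fraction * len(self.nodes))

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # one salt, replicated so every node's hash agrees
        for node in self.nodes:
            node.enroll(user, password, salt)

    def authenticate(self, user: str, password: str):
        """Return (granted, status, suspects).

        granted  -- True only if at least `quorum` nodes accepted the login
        status   -- "granted", "denied" (quorum rejected) or "no-quorum"
        suspects -- nodes that voted against a quorum outcome; these are the
                    ones to isolate and reset. With no quorum nobody can be
                    singled out, so the mesh fails closed and flags nothing.
        """
        votes = {n.name: n.verify(user, password) for n in self.nodes}
        accepts = sum(votes.values())
        rejects = len(votes) - accepts
        if accepts >= self.quorum:
            return True, "granted", sorted(n for n, v in votes.items() if not v)
        if rejects >= self.quorum:
            return False, "denied", sorted(n for n, v in votes.items() if v)
        return False, "no-quorum", []


def compromise(node: IdentityNode, user: str, attacker_password: str) -> None:
    """Model a hacked node: its replica now vouches for the attacker's password
    and, as a side effect, no longer recognises the real one."""
    node.enroll(user, attacker_password, os.urandom(16))


def demo(node_count: int = 20, compromised: int = 2):
    """Build a mesh, hack `compromised` nodes, and try both the real user's
    password and the attacker's. Returns the two authenticate() results."""
    mesh = Mesh(IdentityNode(f"node-{i:02d}") for i in range(node_count))
    mesh.enroll("operator", "correct horse battery staple")  # constructed user
    for node in mesh.nodes[:compromised]:
        compromise(node, "operator", "attacker-chosen")
    legit = mesh.authenticate("operator", "correct horse battery staple")
    attack = mesh.authenticate("operator", "attacker-chosen")
    return legit, attack


if __name__ == "__main__":
    print("2 of 20 hacked:", demo(20, 2))
    # 14 of 20 hacked: the quorum itself is subverted and the attacker gets in.
    print("14 of 20 hacked:", demo(20, 14))
```

With 2 of 20 nodes compromised the attacker is denied and the two dissenting nodes are the ones flagged for reset, while the real operator still gets in. The same run with 8 hacked nodes shows the fail-closed case where neither side reaches quorum, and with 14 the quorum itself is subverted and the attacker is granted access: that is the bound behind “more nodes in the Mesh makes the system’s security better”, which only holds while the number of compromised nodes stays below the quorum threshold.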

“It is always a cat and mouse game,” EPRI’s Chhaya agreed. “The objective is to
combine practices that generally perform securely except for isolated incidents
and use them to minimize malicious intrusions and their impacts” because none of
the participants in the EV ecosystem “want to end up causing an issue and being
in a headline,” he said.

Vellone, whose priority is achieving the 2030 clean transportation mandates,
agreed. “Cybersecurity for hardware and software needs to come together at the
same time to make this happen and perfect cannot be the enemy of good,” he said.
“The commitment must be to continuous proactive improvement and securely
updating everything over and over,” he added.

Article top image credit: iStock via Getty Images



NERC WARNS OF CYBERSECURITY, RELIABILITY RISKS AS IT OUTLINES STRATEGY FOR
ADDING TENS OF GIGAWATTS OF DER

By: Robert Walton • Published Nov. 3, 2022

The North American Electric Reliability Corp. on Nov. 1 published a Distributed
Energy Resource Strategy identifying approaches, concepts and regulatory steps
necessary for tens of thousands of new aggregated megawatts to be connected to
the bulk power system through 2031.

Key among the reliability organization’s concerns is cybersecurity and how
aggregators of those resources will ensure they are not vulnerable to hackers. A
new white paper on the security impacts of DERs is expected in the second half
of 2023, NERC said.

Distributed resources like rooftop solar systems are often internet-connected
and “have little to no cyber security requirements imposed on them,” NERC noted.
An aggregator could control thousands of individual devices, the strategy
document said, potentially creating a vulnerability.

The strategy document serves as a roadmap, identifying milestones ahead as NERC
develops its approach to growing volumes of distributed resources connected to
the bulk power system.

DER levels are “rapidly growing across many areas of North America ... and are
altering how the bulk power system is planned, designed and operated,” NERC
said. NERC said it expects distributed solar capacity to grow by more than
30,000 MW between 2022 and 2031.



Image: Retrieved from North American Electric Reliability Corp.

“This influx of DERs presents potential benefits as well as challenges for grid
reliability, resilience and flexibility,” NERC noted. The reliability
organization has been working with the electric sector to identify bulk power
system reliability risks, and in support of that anticipates assessments from
technical subgroups next year including:

 * A white paper investigating the impacts of battery energy storage on the
   distribution system and providing modeling guidance for multiple types of
   DERs is expected in the first quarter;
 * A set of modeling recommendations related to DER aggregators and management
   systems is expected to be complete in the third quarter;
 * A white paper examining “coordination strategies between transmission and
   distribution entities for growing DER levels,” is expected in the second
   quarter;
 * And a white paper looking at the security impacts of DERs and aggregators
   “documenting the technical details of failure modes and security
   vulnerabilities,” is expected to be published in the third quarter. 

The growth of distributed resources, along with the introduction of DER
aggregation, will “present significant challenges for ensuring the security of
the overall electricity ecosystem,” NERC said.

The U.S. Department of Energy, in an October report, concluded an attack on
distributed solar or battery storage resources would have “negligible impact” on
grid reliability today — but also warned that the capacity of DERs on the
electric system is expected to quadruple by 2025 and each of those systems could
be hacked.

“These entities are not presently subject to any of the NERC critical
infrastructure protection standards or back-up control centers,” NERC said in
its strategy document. “NERC is considering these possible risks in its actions
related to DER aggregators.”

The Federal Energy Regulatory Commission has solicited input regarding potential
new cybersecurity rules for DERs on the bulk electric system.

According to NERC, “the overall goal is for DERs to have adequate security
controls and for the DER aggregator to be applicable to necessary operational
standards when its aggregate impact affects the BES.”

Article top image credit: Cindy Shebley via Getty Images


DEPARTMENT OF ENERGY RETHINKS CYBER RESILIENCE IN STRATEGY TO SECURE THE GRID

The agency wants to help the energy sector incorporate more cybersecurity
safeguards during the design phase and better withstand attacks.

By: David Jones • Published June 23, 2022

The Department of Energy is optimistic it can find success in its new framework
for building resilient clean energy systems that are capable of withstanding
malicious cyberattacks. 

The DOE on June 15 unveiled the National Cyber-Informed Engineering Strategy, a
bipartisan plan to strengthen the energy sector’s ability to withstand a
cyberattack. The plan looks to incorporate more cyber resilience during the
manufacturing, development and deployment of computer systems used by energy
providers, according to DOE officials.  

“The focus of the CIE strategy is to implement cybersecurity knowledge and
strategies at the earliest possible phases of the energy system lifecycle,” said
Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security and
Emergency Response. 

The DOE effort comes at a critical time for the energy sector, which is a
high-profile critical infrastructure target. The ransomware attack against
Colonial Pipeline last year also added urgency to efforts to address the threats
against critical infrastructure. 

That incident disrupted gasoline delivery to the southeastern and eastern U.S.
for almost a week in May 2021, causing gasoline prices to spike and gas stations
to temporarily shut down as panicked consumers scrambled to secure dwindling
fuel supplies. 

“The Colonial Pipeline incident was a stark reminder of the imperative to harden
the nation’s critical infrastructure against serious and growing threats like
ransomware,” Kumar said via email. 

Russia’s invasion of Ukraine placed renewed pressure on the energy grid as the
U.S. and NATO member countries announced sanctions on Russian gas and fuel
providers. Allied countries had to shift toward alternative energy sources. 

The energy sector in several European Union countries was successfully targeted
by cyberattackers following the Ukraine invasion. Threat actors targeted oil
trading facilities in Amsterdam-Rotterdam-Antwerp, and an attack on satellite
communications knocked out remote monitoring of thousands of wind turbines
belonging to Germany’s Enercon. U.S. officials issued repeated warnings of
threats to U.S. energy providers related to the Russian invasion and U.S.
sanctions.

But cyberthreats to the U.S. energy sector go back more than a decade. In March,
the Justice Department unsealed indictments against four Russian government
employees for hacking campaigns against global energy targets between 2012 and
2018.


BUILT-IN SAFEGUARDS

To protect against these heightened threats, the CIE strategy aims to build
cybersecurity safeguards designed to withstand a sophisticated attack into
system electronics early, according to Manny Cancel, senior vice president of
the North American Electric Reliability Corp. and president of the Electricity
Information Sharing and Analysis Center.

In addition, the plan is to instill better cyber resilience at the academic
level so educators help develop workers with the skills required to become cyber
aware. 

Ben Miller, vice president, professional services and R&D at Dragos, said it’s
hard to assign a risk value to the electric grid. 

“What we do know is that technology is increasingly interconnected and the
threat groups are increasing in number, but also [in] sophistication around
critical infrastructure [systems] such as industrial control systems,” Miller
said via email.

A group of 18 organizations connected to the oil and gas industry pledged to
take collective action on cyber resilience during the World Economic Forum in
May. The group included some of the world’s top energy companies, including
Aramco, Suncor and Occidental Petroleum.

“Energy security is national security,” Megan Samford, vice president and chief
product security officer for energy management at Schneider Electric, said via
email. “Cyber Informed Engineering is all about designing security directly into
the products and systems, focusing on those that are most critical.”

Article top image credit: yangphoto via Getty Images





ENSURING THE CYBERSECURITY OF THE GRID

Cyber threats to the U.S. power sector continue to grow and the rise of
distributed energy resources creates a larger attack surface. The White House,
federal agencies and the North American Electric Reliability Corp. have taken a
number of recent actions to address those threats and drive new actions by
electric utilities and others.

INCLUDED IN THIS TRENDLINE

 * New power system cybersecurity architectures can be ‘vaults’ against insider
   attacks
 * FERC approves incentive framework for voluntary cybersecurity investments
 * New White House cyber strategy could drive utility costs higher
