By Rich Heidorn Jr.
NASHVILLE, Tenn. — Regulators from Connecticut and New Jersey last week urged their colleagues to join them in developing cybersecurity rules for electric distribution companies.
“Get in motion. Get started,” Arthur House, chairman of the Connecticut Public Utilities Regulatory Authority, told the National Association of Regulatory Utility Commissioners summer conference. “We have to attack it. It’s too important not to.”
In April, the state released a Cybersecurity Action Plan, which calls for a voluntary oversight program in which utilities would meet annually with state officials to report on their cyber defense programs, experiences over the prior year dealing with cyber threats and corrective measures they planned.
PURA said it will consider adding reviews by “objective, third-party assessors.” The New Jersey Board of Public Utilities issued more prescriptive rules in March requiring senior officers of distribution companies to certify their cyber protection plans, BPU President Richard Mroz said. The rules apply to natural gas, water and wastewater utilities, in addition to electric distribution companies.
The BPU requires the companies to define responsibilities for cyber risk management activities and establish plans for identifying and mitigating risks to critical systems. It also requires companies to provide cybersecurity awareness training and to report cyber incidents and suspicious activity to the agency.
House said it’s understandable that state regulators are reluctant to take on the issue. “There’s just too much work in this job already. We already have too much work to do,” he said.
NERC’s mandatory reliability standards cover only the Bulk Electric System, generally defined as transmission lines operating at 100 kV and above. (See FERC Refines Bulk Electric System Definition.)
Nevertheless, some state regulators see cybersecurity as the exclusive job of the federal government, House said.
Air Gap?
House said he was dismayed to hear Exelon CEO Chris Crane say earlier in the NARUC conference that part of his company’s defense is an “air gap” between Internet-connected computers and the supervisory control and data acquisition (SCADA) system.
“I’ve never met a federal official who believes the air gap exists. We stopped hearing about it from private sector officials in utilities two years ago at least,” House said. “It certainly is an outdated reference to a rather discredited concept.”
On July 21, however, FERC issued a Notice of Inquiry seeking comment on the Critical Infrastructure Protection reliability standards for transmission control centers and whether the commission should require the separation of the Internet and industrial control systems (RM16-18). The notice also asked for input on application “whitelisting” practices to prevent unauthorized programs from running in control centers. (See FERC Orders NERC to Develop ‘Flexible’ Supply Chain Standard.)
House also disagreed with Crane’s description of the level of cooperation between government and industry. Crane, a member of the Electricity Subsector Coordinating Council, a liaison between the federal government and the power sector, said communication between the government and industry on cyber threats has improved greatly.
“It’s become much better in the last couple of years, having everybody around the table” — U.S. Cyber Command, the FBI and the departments of Defense, Energy and Homeland Security — “really working to communicate across the table much better. The silos are breaking down and the information is flowing.”
House disagreed.
“They’re not sitting at the same table. They’re not talking the same language,” he said. “We have goodwill [and] occasional cooperation. But we do not have an adequate defense system or adequate recovery” plans.
“There is a huge gap,” he continued. “I think we’ll have a partial compliance until we have an attack and then you’ll get mandatory standards” for EDCs.
Defense in Depth
FERC Commissioner Cheryl LaFleur said distribution companies and their regulators don’t need to wait for formal requirements. “There’s a lot that can be done at the distribution level without mandatory standards,” she said, noting that many distribution utilities are NERC registrants because of their transmission assets. “It’s not as if any of them are unaware of cyber challenges.”
LaFleur said the NERC standards approved by FERC rely on “defense in depth,” including perimeter security, virus screening and other measures. Every successful attack, she said, is the result of multiple failures.
Referring to the cyberattack on three EDCs in Ukraine, LaFleur said, “Many things could have stopped it.” (See How a ‘Phantom Mouse’ and Weaponized Excel Files Brought Down Ukraine’s Grid.)
On July 21, LaFleur dissented on a FERC order directing NERC to develop a reliability standard for supply chain management, saying the order failed to provide enough guidance and should have been delayed to allow more study (RM15-14-002).
Texas Public Utility Commissioner Ken Anderson said he worried the rule could create a “false sense of security.”
In 2011, he noted, Boeing and the Navy found that the ice detection system on a new P-8 Poseidon, a plane designed for long-range anti-submarine and anti-surface warfare and intelligence missions, was defective because it contained counterfeit components sold by a Chinese subcontractor.
“If the Pentagon — that actually has access to the intelligence — if they can’t catch the defective subcomponents going into a military weapons system … how the heck can a utility know what’s in that chain?” he asked.