Combating the “unprecedented” cybersecurity threats facing the North American power grid “requires constant monitoring and vigilance,” FERC Chair Willie Phillips reminded attendees at the commission’s annual Reliability Technical Conference Nov. 9.
“The average cost of a data breach in 2023 was $4.45 million, and the global cost of cybercrime was estimated at $8 trillion in 2022, $11 trillion in 2023 and is predicted to be more than $20 trillion in 2026,” Phillips said. “Quite simply, this is a national security issue. And these quickly evolving threats present a challenge when assessing whether security controls adequately respond to the latest cyber threats.”
The rapidly changing cyber and physical threat landscape comprised one of the three key issues addressed at the conference, along with the reliability risks posed by extreme weather and the power grid’s changing resource mix. Participants in one morning panel, including Electricity Information Sharing and Analysis Center CEO Manny Cancel, emphasized the “unprecedented” level of danger posed to the grid by both foreign states and organized criminals.
Cancel said the willingness of nation-state actors to target the North American grid “isn’t subject to debate,” referring to the U.S. intelligence community’s 2023 Annual Threat Assessment, which identified China, Russia, Iran and North Korea as conducting active cyber campaigns against the U.S. and its allies. China, Cancel said, is believed to have sponsored attacks against multiple U.S. critical infrastructure organizations and Asian electric utilities, while the E-ISAC has detected “Russian-linked scanning in [its] information technology and operational technology systems … searching for security gaps.”
While the sponsorship of hostile governments has enabled greater creativity from malicious actors, they also have benefited from a growing attack surface created by the addition to the grid of new, internet-connected generation types such as wind and solar facilities, along with distributed energy resources such as rooftop solar panels. These facilities have helped enable a faster transition to a lower-emission grid but constitute a potential vulnerability for adversaries to exploit.
“When you think about it from a pure numbers perspective, you’ll have a larger coal plant retiring that may be 300 [to] 800 MW, and obviously what’s coming online … is more. [Wind and solar facilities] tend to be smaller plants,” said SERC Reliability CEO Jason Blake. “In addition to that they’re [also] more digitized. They need additional tools to perform their functions.”
Despite these risks, Blake said he remains “comfortable and confident” in the ability of grid operators to adapt to the evolving threats because NERC’s Critical Infrastructure Protection (CIP) standards “provide a very strong base” for grid cybersecurity. However, Blake and his fellow panelists also acknowledged there still is work to be done, particularly in updating the CIP standards to allow the use of cutting-edge technology in grid operations. Maggy Powell, a principal security industry specialist for Amazon Web Services, said CIP standards “are very device-centric” and “were written without contemplating virtualization [and] before cloud [computing] was really a thing.”
Jonathan Tubb, director of industrial cybersecurity for Siemens Energy of North America, added that in his experience utilities are looking for “lighter weight and scalable solutions” to address the cyber needs of large-scale distributed generation. But even if these solutions are available, he said, operators may feel unable to make use of them because of compliance concerns. He urged NERC and FERC to push for changes to the CIP standards that will allow the use of flexible distributed cyber defense software.
Robb Highlights IBR, Gas Issues
In the morning’s other panel, which focused on the grid’s changing resource mix, NERC CEO Jim Robb acknowledged the “paradoxical” fact that “although the [grid] is performing exceptionally well,” with misoperation rates and human errors down and transmission availability rising, “all of our reliability assessments show an expansion of risk, both geographically and [in] severity.” He attributed the growing risk “largely … to grid transformation,” particularly the spread of inverter-based resources like wind and solar plants.
While Robb said these new generation sources are “incredibly exciting technologies,” he warned that they come “with real issues.” In addition to their potential cyber vulnerability, the behavior of IBRs is not as well understood as that of older generation types, which has prevented their full integration into system models and simulations.
Robb also acknowledged the recent release of FERC and NERC’s report on Winter Storm Elliott, which he called “very sobering.” (See FERC-NERC Elliott Report Calls Winter Outages ‘Unacceptable’.) He reflected that while the “heroic” actions of gas and electric utilities kept the natural gas system from collapsing under the strain of the storm, if temperatures in the Northeast had not warmed up when they did, the grid could have “been in a real world of hurt.”
The difficulties of gas and electric coordination during Elliott pointed out another area where work is needed, Robb said. He reiterated his support for the formation of a gas reliability organization that could create mandatory standards similar to the ERO and called for NERC and other industry stakeholders to continue working with the gas industry to improve their collaboration efforts.