WASHINGTON — Cybersecurity threats in the supply chain have evolved since FERC directed NERC to develop standards covering them in 2016, but at a technical conference Wednesday there was no consensus on whether the rules need to be updated.
FERC and the Department of Energy jointly hosted the event at the commission’s headquarters, just days after a physical attack on two Duke Energy (NYSE:DUK) substations in North Carolina. (See Duke: NC Outages from Attacks May Last Until Thursday.)
“As we saw last weekend in North Carolina, this isn’t really necessarily an academic exercise, it’s a real exercise,” FERC Chairman Richard Glick said. “There are people out there, whether they be people here in the United States or people around the world, obviously governments and so on, that are out there trying to do damage to the grid.”
Glick expressed support for new critical infrastructure protection (CIP) standards, saying the supply chain threat has evolved and become more serious over time. FERC approved NERC’s supply chain standard in 2018, with updates in 2021. (See FERC OKs Updated Supply Chain Standards.)
Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), said cyber threats are compounding supply chain challenges “from COVID and where the global economy is right now.”
Counterintelligence officials have seen an increase in the number of attacks coming through the supply chain, said Jeanette McMillian, assistant director for the Supply Chain and Cyber Directorate of the National Counterintelligence and Security Center. Her office, which falls under the Director of National Intelligence, is responsible for outreach to private sector entities that are at risk from foreign intelligence operations.
The threats can hide in the “noise of the supply chain,” whether the supply chain is operating normally, as in the SolarWinds attack in 2020, or amid the chaos of cyberattacks, said McMillian.
Thousands of federal and private organizations installed a trojanized update to SolarWinds’ Orion network management software after suspected Russian hackers inserted malicious code into the vendor’s software, according to the Government Accountability Office.
While new standards generally respond to past incidents, McMillian said her office can be more proactive by sharing information on the latest threats through DOE and other agencies that work with critical infrastructure.
The federal government has increased information sharing in recent years as barriers have been lowered, said NERC Senior Vice President Manny Cancel, the CEO of the Electricity Information Sharing and Analysis Center. But mandatory CIP standards have also helped ensure that the industry has a good baseline of security.
“The CIP standards help a great deal in terms of protecting us,” Cancel said. “When you go back to the SolarWinds compromise … there really was no compromise in the electricity sector. I think a lot of that had to do with some of the protections we put in place with the NERC CIP standards.”
One area that needs to be looked at is how the standards should be applied to different classes of assets, he added. The standards impose different levels of protection on high-, medium- and low-impact assets.
Glick questioned whether those three categories should be scrapped, noting that a cyberattack could originate at a lower-impact site and spread to infrastructure that has a much bigger impact on the grid.
“You have to assume at this point that something is going to go wrong,” said CESER Deputy Director Mara Winn. “Whether it is a natural disaster, whether it is a direct attack, something will go wrong. And making sure you spend the time in advance to really analyze that resiliency planning [is important] so that you can prioritize.”
The interconnectivity between lower risk systems and higher risk ones needs to be analyzed to ensure that it does not lead to major, cascading problems, she added.
Some value exists in classifying assets by their risk profiles, but because of the hyperconnectivity in cyberspace the spread of risks from lower-profile systems is inevitable, said Marty Edwards, deputy chief technical officer for cybersecurity firm Tenable.
“I think what we need to take a look at is having a certain baseline standard of care that applies across the board and then look at [whether] you have to embellish it in some of the higher criticality implementations,” he said.
While cybersecurity issues in the supply chain and elsewhere are constantly evolving, several power industry witnesses argued FERC and NERC should not be overly prescriptive in any future standards.
“We know that the standard development process is not a rapid, overnight process,” said Jeffrey Sweet, director of security assessments for American Electric Power (NASDAQ:AEP). “It takes time, and so we have to have that flexibility to be able to respond to the threats that we’re seeing every day. And I believe the standards give us that flexibility.”
Industry responsiveness to those standards could be improved in other ways, such as the cybersecurity incentive policy proposed by FERC in September, he said. (See FERC Reluctantly Proposes Cybersecurity Incentives.)
“Are the standards sufficient? Yes, they are,” said Edison Electric Institute Senior Vice President of Security and Preparedness Scott Aaronson. “They create a very solid foundation on which we can ensure there is a minimum baseline level of security.”
But the industry needs to go above and beyond the standards to protect high risk assets, Aaronson said. That includes ensuring resilience of the power system so it can quickly bounce back from any attacks that do succeed, he said.
“I think that absolutely we need to consider updating the reliability standards we talked about earlier as they relate to the supply chain,” said Glick. “Clearly, things have changed, and we need to act more quickly. I know that the NERC standards process doesn’t necessarily lead to acting quickly, but it’s important that we start considering that now.”
In an afternoon session, Dick Brooks, co-founder and lead software engineer for Reliable Energy Analytics, cautioned against new standards, saying the industry already faces a “tsunami” of requirements. He pointed to the Office of Management and Budget’s memorandum M-22-18 on software supply chain risk management for federal agencies and to the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires entities in energy and other critical infrastructure sectors to report covered cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
“It would be a good time to consider … what’s coming out of that before we initiate any new standards development,” Brooks said. “Because we wouldn’t want to take the risk of going down one path and finding out that this new law is really sending us in a different direction.”