FERC Testimony: Managing Cyber Risks in the Electric Power Sector

Annual Commissioner-led Reliability Technical Conference

The Internet (virtual)

I was humbled at a second opportunity to testify to the commission with fellow panelists:

  • Robert Kolasky, CISA
  • Puesh Kumar, Department of Energy
  • Manny Cancel, E-ISAC / NERC
  • Matthew Halvorsen, FBI
  • Mark Fabro, Lofty Perch
  • Tony Hall, LG&E/KU
  • Ranjan Banerji, AWS

The group spoke to and answered Commissioner questions as part of the panel: The electric grid faces constant and evolving cyber threats that have the potential to result in devastating consequences for our economy as well as the health and safety of citizens. Since the CIP Reliability Standards became mandatory and enforceable in 2009, there has been a tremendous amount of work aimed at protecting the most critical assets. However, given the continued evolution of threat actors and the changing threat landscape, this panel will discuss what additional changes may be needed to meet these evolving threats.

Low-impact Bulk Electric System Cyber Systems (BCS) make up the majority of the BCS and have a significantly lower level of mandatory protection as compared to medium- or high-impact BCS. Recent cybersecurity events have highlighted that low-impact BCS are potential targets for cyberattacks.

  • Discuss whether the cybersecurity requirements that are applicable to low-impact BCS provide a reasonable level of defense based upon the potential effects of a cyberattack targeting single or multiple locations (i.e., a coordinated cyberattack). If not, what types of additional cybersecurity controls can be applied to the low-impact BCS, and what additional benefits/protections would they provide?
  • Currently, the Reliability Standards implement a tiered approach to categorizing BCS, identifying them as high, medium, or low risk to Bulk-Power System reliability if compromised. These categories are primarily based on bright-line (kV and MW/MVA) thresholds. In light of recent cyberattacks like SolarWinds, is this still an appropriate approach? Would a modified or wholly new categorization approach to these rating categories better address the cybersecurity risks to the Bulk-Power System?
  • In light of the increasing cyberattacks against critical infrastructure such as the recent outage of the Colonial Pipeline, explain how the convergence of information technology and industrial control system technologies within the same networked environment has changed the approach in securing the Bulk-Power System.
  • Specifically, ransomware has been in the forefront of the news. Explain how a ransomware attack could impact reliable operations of the Bulk-Power System and how does this differ from other types of cyberattacks that should be defended against?
  • What additional or improved cybersecurity controls could users, owners and operators of the Bulk-Power System deploy to mitigate the risk of a ransomware attack? How would the deployed controls and their corresponding costs differ based on the high, medium, and low impact ratings of the CIP Reliability Standards?
  • What concerns exist with legacy systems as they interact with non-legacy technologies, and what are the security concerns related to the various levels of security controls specific to the high, medium, and low impact ratings?
  • Recent concerns raised over the potential national security risks posed by equipment and services provided by entities like Huawei Technologies Company (Huawei), ZTE Corporation (ZTE) and Kaspersky Lab (Kaspersky) highlight vulnerabilities to the electric industry’s supply chain. One of the challenges with the supply chain – across manufacturers, vendors, and system integrators – is that there are no consistent protocols that oversee or guarantee that the hardware or software they provide to utility companies is secure and free from hidden threats. Discuss how the Commission and NERC can improve supply chain integrity and security.
  • What additional efforts should the Commission consider to improve supply chain security to safeguard U.S. critical infrastructure (under Commission jurisdiction) from persistent and sophisticated threats? How can industry, NERC and the Commission assess if the reliability and security risks are adequately mitigated? Are the current Supply Chain Reliability Standards adequate to address these evolving risks? How can existing measures be improved? Is information sharing among supply chain partners about threats adequate to protect against these risks? What additional support is needed to identify and mitigate known and unknown threats?
  • Explain how approaches to ensure supply chain security for high, medium, and low impact assets differ. Are these different approaches adequate to ensure reliability and security?
  • Describe the impacts to industry when specific vendors are deemed restricted and what approach is appropriate to manage risks stemming from them. For example, what impact was experienced when vendors such as Huawei, ZTE, and Kaspersky were identified by the U.S. government as supply chain risks?

Written Testimony