Clear objectives. Proven methods. Intentional maintainability. Verifiable outcomes. These engineering principles guided the creation of the modern electric system that provides the backbone of unprecedented Western productivity and prosperity.
In the 1930s, engineers took 159,000 X-ray images of the welds in Hoover Dam’s penstocks to verify their soundness. By the 1940s, engineers had created magnetic-bearing watt-hour meters that did not require recalibration for 20 years or more. Later, in the 1970s, engineers built vacuum chambers to dry the cellulose insulation in transformers, thereby reducing the rate of transformer failure.
Since the creation of the programmable logic controller in the late 1960s, and the spread of the personal computer in the 1980s, electric systems throughout the world have undergone a convergence of software-centric information technology and industrial control that now prevails in generation facilities, control centers, switchyards, and substations.
Technicians connect their laptops to protective relays to change configuration during substation overhaul. Contractors calibrate temperature transmitters on a boiler using handheld calibrators, then download the results to their laptops. Engineers use workstation software to program controllers that will turn pumps on when coolant level reaches a low point. Remote operators click a button to open penstock gates, bringing an additional hydroelectric generator online. Predictive maintenance data from turbines travels over cellular connection to the vendor’s cloud where it is analyzed to provide early warning.
This convergence of software, networking, and industrial control presents a tangled nest of unseen, unknown, and unverified trust relationships. In the name of convenience, expediency, and short-term economics, we have trusted away control of the grid.
The nature of trust
Trust simplifies our decisions and puts our minds at rest. We anchor in the past to predict the future; we look for brand names; we stay in the center of the herd. But unseen, unknown, and unverified trust carries immense destructive potential.
The harrowing truth is that the design and integration of the modern industrial and operational technologies on which the electric grids now rely have diverged dangerously from the core engineering principles on which the grids were originally built.
What websites has that technician’s laptop ever connected to? Was the industrial network switch shipped in tamper-evident packaging? Who has administrative access to the servers in the vendor’s cloud instance? What third party software is included in the control center energy management application? What firmware updates has the relay vendor recently released? Does the chosen communication protocol offer protection against intentional manipulation?
Our inability to answer those questions consistently and confidently shows that our network- and software-centric approach to grid engineering has opened the door to cyberattacks capable of causing devastating physical consequences, initiated at a time of an adversary’s choosing. Stuxnet, Industroyer, and Triton are visible evidence that well-resourced, highly structured adversaries are actively developing such capabilities today.
Enter Cyber-Informed Engineering
In this era of constant cyberattack, Consequence-Driven, Cyber-Informed Engineering (CCE) offers a potential roadmap. CCE is a formalized methodology developed by Idaho National Laboratory (INL) at the request of the U.S. Department of Energy (DOE) and the U.S. Department of Homeland Security (DHS). It is effective because it examines the trust relationships in industrial environments, ultimately improving the way engineers, technicians, operators, facility managers, and senior leaders understand and mitigate cyber risks to their most critical systems and processes.
This four-phase methodology differs from other risk management paradigms in that it brings together information technology, cybersecurity, and industrial operations personnel to collaboratively identify and discuss how adversaries would insert themselves into trust chains to achieve specific devastating effects.
- Consequence Prioritization – involves the identification and prioritization of high consequence events (HCEs) that must be avoided.
- System of Systems Analysis – discovers and documents devices, interfaces, communications, procedures, and third-party dependencies adversaries may navigate to achieve the HCE.
- Consequence-based Targeting – combines the results of previous phases with up-to-date threat intelligence to create detailed attack scenarios that culminate in the HCE.
- Mitigations and Protections – examines the results of the previous phases to recommend engineered, physical (non-cyber) fail-safes and early-warning strategies for specific HCEs, so that even a successful compromise of the digital systems cannot produce the HCE.
CCE represents the culmination of nearly 20 years of research and development that INL has spent assessing the cybersecurity of America’s most critical systems. With the support of federal sponsors, INL performed a full CCE engagement at one of the nation’s largest integrated electric utilities, yielding insightful results. The laboratory is currently preparing to conduct another engagement with a major western utility, to publish a detailed methodology description for immediate use by other organizations, and to launch a series of training courses for national-security-critical facilities.
It’s time to return to engineering basics. Let’s carefully question our trust in the grid, and then work to restore that trust.