Over the years I’ve had hundreds of thought-provoking conversations with utility CISOs and other industry security professionals. Heck, I was a utility CISO myself at one time, so I know the territory. In these lively discussions—which can transform into good-natured debate—familiar topics are always in order. IT-OT convergence. Infrastructure threats. Vulnerability management. Threat hunting. Leading-edge technologies.
Almost inevitably, conversations steer toward the subject of physical security, which, too, seems to follow a familiar path. Cyber-physical coordination. Organizational silos. Different methods. Different lexicons. Once in a while, I like to pose a slightly provocative question such as, “Do you, as the cybersecurity leader, really know what’s most critical to your utility’s operations and what’s at most risk of disruption, degradation or destruction?” “Not entirely, to be candid,” is a frequent response.
Addressing cyber-physical risks requires visibility
And therein lies a significant, but often unrecognized problem. Few would argue against the need for cyber-physical security partnership and tailored cybersecurity protections in operational technology environments. Such measures are, obviously, two among many needed steps to stay abreast of a continually shifting and steadily advancing threat landscape.
But at the heart of the issue is a real need for utility cybersecurity professionals to also have complete visibility into inherent physical risks within their organization’s infrastructure. This knowledge can lead to more effective and sustainable security measures, which can, while keeping the bad guys out, enhance grid reliability and resilience.
Key to knowing how to protect something is knowing what to protect, and how important it is. In the case of electric grid operations, a myriad of equipment, devices and networks together comprise the vast interconnected electric power grids we know today. From power generation, to transmission, to distribution, this magnificent machine is the critical engine upon which any nation’s economy and critical services depend. Without it, things would go downhill, and fast.
The good news is, the grid is a robust, well-designed and reliable machine. It is designed to withstand any number of potential threats, which range from natural hazards to equipment malfunctions to human error. The grid can withstand a lot of disruption on its own. At some point, actual physics takes over and, thankfully, a vast array of threats to grid stability have been accounted for in both design and operation.
Advanced technologies and methods have helped reduce cyber threats
When considering cybersecurity threats, threat actors and grid vulnerabilities, we’ve come a long way. The so-called industrial security community—of which I humbly consider myself a part—has continually learned from research and actual events to advance available technologies and the art and practice of the field. This extends into a wide array of highly technical training on control systems security methods.
There are also multiple industrial-focused security frameworks available, including those published by ISA/IEC, NIST, SANS, among others. All these new, advanced technologies and methods go a long way to help mitigate cyber risks to critical infrastructure and associated industries.
Cybersecurity frameworks normally include physical security controls, which take the form of things like physical perimeters, door and other access controls, cameras and recorders, and access monitoring or alarm systems. Physical security has become highly automated, with many physical access control and monitoring systems operating across IT networks.
Are we prepared to address the new cybersecurity risks?
Comparing and evaluating longstanding practices in physical security and cybersecurity is beyond the scope of this post. Suffice it to say, joint cyber-physical planning and methods have vastly improved over time and many organizations have taken concrete steps to harmonize and, in some cases, merge their security functions. But how far does our existing knowledge of physical risks to electric power operations extend into planning and approaches to reduce cybersecurity risks? In my estimation, not far enough. Let’s examine a few key points.
Considering physical risks to critical equipment and their associated communications infrastructure isn’t typically the starting point when planning for cybersecurity, but it should be. Looking at the most vulnerable and critical equipment should be the foundation upon which cybersecurity is built in utility operations.
If a malicious actor compromised a critical operational network, control system or protection system, the compromise might lead to a loss of control or denial of control event related to the associated equipment and functions it supports. Thus, a cyber event could potentially translate to a physical event such as a large-scale power outage. The question becomes: are we adopting this foundational point of view when it comes to cybersecurity in the electric grid? Perhaps not.
NERC-CIP standards: do they still serve us well?
A detailed presentation and analysis of the NERC-CIP standards isn’t possible here, but a few points can be made. The North American bulk electric power industry is regulated by FERC through NERC, which enforces a set of minimum security compliance requirements. CIP-006 defines physical security requirements, including physical access control and monitoring, and CIP-014 defines physical security requirements for transmission substations meeting specific criteria.
Here are two things to know. NERC-CIP is a compliance-based scheme, with non-compliance penalties, and is not performance-based as would be the case with security frameworks like IEC-62443 or ISO 27001. It’s also important to understand that the NERC-CIP process takes an iterative approach to identify specific assets for protection and inclusion into compliance scope. This process might result in a markedly different set of assets being protected and methods being applied than otherwise might result from applying a non-compliance-based approach to infrastructure protection.
Multiyear Plan for Energy Sector Cybersecurity, U.S. Department of Energy
This document, published in March 2018, provides a comprehensive primer on various federal efforts around energy cybersecurity, and key drivers for proposed initiatives. Among others, the plan proposes advanced technologies including self-defending grid devices that can potentially withstand cyber-attack. Among the proposals included in the plan are several based on assessments of cybersecurity risks and associated performance-based outcome measures.
However, given the fact that North American bulk power entities are regulated by FERC and subject to NERC-CIP compliance, it is concerning that the plan doesn’t recognize the dichotomy between these two models. On the one hand, DOE outlines performance-based mechanisms to improve security, but it also fails to recognize that the bulk electric power industry is subject to an arguably non-compatible framework. In fact, only four passing references to NERC are made in the plan, none of which make note of this issue.
In addition, the plan rightly recognizes the importance of cyber-physical threats and attacks, yet oddly makes no mention of the risks related to Large Power Transformers in another DOE publication, as noted below.
Assessment of Large Power Transformer Risk Mitigation Strategies, U.S. Department of Energy
This document, published in October 2016, provides a detailed assessment of grid operations, reliability objectives and security risks. It introduces critical vulnerabilities related to availability of Large Power Transformers and potential impacts due to a lack of spares and their availability during times of electric grid disruption.
Highlights include a description of the various transformer sparing programs available to the industry and recommendations for improvements. A key item to note is that NERC’s own reliability criteria for “credible contingencies” don’t seem to be in line with the real risks outlined in the report. This leads one to suspect that the NERC-CIP standards might not fully take into account this gap and its potential impact on grid reliability. Recent NERC studies have also evaluated “extreme” events, but the NERC-CIP standards do not currently take these into account.
Strategic Transformer Reserve, Report to Congress, U.S. Department of Energy
This document, published in March 2017, provides Congress with an overview of the available Large Power Transformer sparing programs. It proposes developing a number of potentially effective NERC performance-based standards for improving these programs and further reducing risks to grid reliability, to be overseen by FERC. But interestingly, the report makes no mention that NERC standards are compliance-based, nor of the potential challenges this might pose in implementing the report’s recommendations.
Parting thoughts: planning to mitigate tomorrow’s cyber risks
When considering how to most effectively plan for cybersecurity and mitigate advanced cyber threats today, utility professionals must embrace the imperative to encompass physical security risks in their work. A compelling starting point for any electric grid cybersecurity assessment would be the most critical operational assets and the devices and networks associated with their continued operation and control.
Conversely, any physical security planning effort should encompass cybersecurity threats, vulnerabilities and capabilities as well, recognizing that physical security is highly automated and the two domains are interdependent. As I’ve said over the years in my own work and with customers, the “last door” at some point equates to cyber access. No amount of cyber protections can overcome an adversary who has physical access to the object being targeted.
There are strong arguments to be made for converged security programs in order to effectively plan for and mitigate all security risks to utility operations. By encompassing known physical threats, inherent physical vulnerabilities and their anticipated operational impacts, a utility’s cybersecurity protections can be much more effective in the long run. Doing so can help achieve a goal that cybersecurity and physical security share: making the grid more resilient.
About the author: Jon Stanford leads IoT solution incubation for Cisco Advanced Services, Emerging Technologies & Innovation, to meet customer needs in the global industrial OT sector. He serves as a trusted advisor to global clients with a focus on securing industrial automation environments and enabling IoT transformation. He has more than 25 years of experience in public, private and Big-4 consulting.
Stanford is a speaker and media contributor, contributes to industry standards initiatives and also serves on the Industrial Control Systems Information Sharing and Analysis Center (ICS-ISAC) governing board. He is a graduate of the Executive Leaders Program at the US Naval Postgraduate School Center for Homeland Defense and Security and holds CISSP, CISM, CRISC and CGEIT certifications.