New cybersecurity standards proposed by the North American Electric Reliability Corp. (NERC) to protect the nation’s power infrastructure are not broad enough and fail to cover a significant number of interdependent assets.
The standards also give electric utility owners, operators and users too much discretion when it comes to implementing the prescribed controls, a group of experts told members of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Wednesday.
James Langevin (D-R.I.), chairman of the committee, said the NERC’s proposed standards require stakeholders in the power grid to establish plans, protocols and controls for safeguarding physical and electronic access to the control systems that manage the national’s electric infrastructure. The problem is the standards are focused purely on the reliability of “bulk power systems” and don’t require electric sector owners and operators to secure their generation systems, distribution systems or telecommunication equipment, Langevin said in prepared testimony.
“We know from countless real-world examples that these units are highly vulnerable to intentional and unintentional cyber-events. Knocking any of these units off could affect the power supply to our nation’s critical infrastructure,” he noted in his statement.
The narrow focus of NERC’s proposed cybersecurity standards is especially troubling, Langevin said, in light of a recent simulated attack against a power utility control system that was carried out by Department of Homeland Security researchers at the Idaho National Laboratory. The same methods that were used in that experiment could be used to carry out attacks against larger generators and other equipment and cause “widespread and long-term damage to the electric infrastructure,” he warned.
“I’ll be blunt: If this administration doesn’t recognize and prioritize these problems soon, the future isn’t going to be pretty,” Langevin said.
Joseph Weiss, managing partner of Applied Control Solutions LLC, testified as an expert at the hearing. He said the growing interconnectedness of control systems with other networked computing systems is happening without a corresponding appreciation for the security risks resulting from such connectivity.
For the most part, he stated in written testimony submitted to the committee, security issues have been the purview of the IT organizations within utility companies, whose control system groups manage grid and plant operations. As a result, it’s often the case that some parts of the system are sensitized to security while others do not fully appreciate the risks, he said.
Exacerbating this issue is the fact that many control system applications run in Windows and Unix environments and are therefore susceptible to the same security threats as other systems are. Traditional IT security controls, Weiss said, can help alleviate some of these issues, but they can also cause control system reliability problems.
Against this backdrop, he said in his prepared remarks, the NERC’s proposed standards are too narrowly focused on bulk power grid reliability, and not, for instance, on smaller substations that might support a major oil or gas pipeline in a remote locale. Similarly, there’s not much priority given to securing the continuity of electricity to facilities such as municipal waterworks, manufacturing plants, refineries, hospitals and military installations.
Experience has already shown the significant impact that an attack or a security incident against a control system can have on the electricity infrastructure, said Gregory Wilshusen, director of information security issues at the Government Accountability Office. Wilshusen provided written testimony to the committee.
As examples, he cited a 2006 incident in which a foreign hacker planted malicious software capable of affecting a water treatment plant’s operations, and another incident in which excessive traffic in a nuclear power plant’s control system caused two circulation pumps to fail — forcing the unit to be shut down manually.
David Whiteley, executive vice president of the NERC, said that the security issues raised by the interconnectedness of the electric infrastructure and other infrastructures are important and need to be addressed. However, under its existing mandate, the NERC has the authority and responsibility for enforcing reliability standards on only the bulk power grid, not on the distribution system. Developing and enforcing standards on connected infrastructures is beyond the capability of a single body, he said.
Whiteley said that in July of this year, the NERC sought comments from the Federal Energy Regulatory Commission on a proposal for approving eight CIP reliability standards. Those cybersecurity standards have been in development for several years and were developed with extensive input from industry experts.