Dive Brief:

• FERC has adopted changes to seven Critical Infrastructure Protection standards, including requirements for personnel and training, aimed to bolster the security of the bulk electric system’s cyber systems and information, Smart Grid News reports. 
• FERC specifically addressed calls to mandate secure communications between all bulk power facilities, saying at this time it is not necessary but could become so in the future. New Hampshire-based Foundation for Resilient Societies had called for more secure communications, fearing the impacts a cyberattack could have.
• Cybersecurity has become a growing concern regarding the United States power system, and last summer Lloyd's of London issued a report finding a widespread outage could cause up to $1 trillion in damage.

​Dive Insight:

Federal regulators adopted a set of new security protocols, but Smart Grid News is calling out the commission's order as a "big mistake" because it does not adopt the recommendations of the Foundation for Resilient Societies.

"With regard to Foundation’s argument that the commission should do more to promote grid security by mandating secure communications between all facilities of the bulk electric system, such as substations, the record in the immediate proceeding does not support such a broad requirement at this time," FERC wrote. "However, if in the future it becomes evident that such action is warranted, the commission may revisit this issue."

Just how vulnerable is the U.S. grid to cyberattack? That remains an open question, but vulnerabilities were identified years ago that would allow a sophisticated attacker to shut down a power plant remotely. In 2007, the Idaho National Laboratory's Aurora Project showed that a remote attacker could damage generators by opening and closing certain circuit breakers to ultimately push a machine's rotating parts out of alignment.

"America is increasingly vulnerable to foreign cyberattack," the Foundation said earlier this month, following blackouts in Ukraine that stemmed from cyberattacks. Hackers remotely opened breaker switches at grid substations to cause the blackout, and restoring power meant substation switches had to be manually closed by on-site technicians. Hundreds of thousands of residents lost power and three regional Ukranian utilities were temporarily shut down. 

And in the summer of 2014, the U.S. Department of Homeland Security mistakenly responded to a Freedom of Information Act on an unrelated topic and released more than 800 pages related to the so-called “Aurora vulnerability,” including the location of sensitive pieces of infrastructure that could be disabled.

Lloyd's examined a hypothetical attack and found that a relatively small success rate from hackers could be devastating. In its hypothetical attack, the firm found that “despite only achieving a 10% success rate, the malware successfully infects over 70 generators by exploiting the systemic importance of control rooms, with each control room typically managing several generators.”