NERC recommends including cyberattack scenarios now absent in most transmission planning assessments

Dive Brief:

The North American Electric Reliability Corp. and the six regional reliability entities have published a white paper introducing a “cyber-informed transmission planning framework” to help integrate cybersecurity efforts into bulk power system, or BPS, planning activities.
The “relative newness” of the cyber threat largely means the concept of a coordinated attack on the BPS is not modeled in today’s transmission planning practices, according to the May 8 white paper. The framework is designed to drive investments in cybersecurity and be used by stakeholders, regulators and others to perform reliability studies.
The white paper also aims to “potentially reduce the number of critical facilities and their attack exposure.” Minimum physical security standards do not need to be expanded to cover more grid assets, said NERC, but stakeholders need to “evaluate additional reliability, resiliency, and security measures designed to mitigate the risks.”

Dive Insight:

Transmission planners are “strongly encouraged” to consider the framework and adopt the concepts into their business practices, according to the white paper.

The paper provides a “roadmap for integrating cyber security into transmission planning activities.” The white paper is focused on how the framework can be “established to map cyber security risks to BPS reliability studies,” among other questions.

“The concept of a coordinated cyber attack and its impact on BPS reliability is not currently or generally studied as
part of standard industry practice,” NERC said.

NERC and the regional entities “worked closely together to develop this critical framework,” Mark Lauby, NERC’s senior vice president and chief engineer, said in a statement. “The framework sets the stage to plan for a more resilient and secure system, addressing the risk in the long-term planning horizon rather than attempting to bolt on security later in the future.”

Broadly, five steps in the cyber-informed framework can be modified to fit different processes: Transmission planners should define coordinated attack scenarios; translate those scenarios into planning assessments; conduct planning studies with defined attack scenarios and affected assets; identify corrective actions; and implement risk mitigations.

The framework “also seeks to reduce the number of critical stations on the bulk power system through integrated transmission and cyber security enhancements,” Lauby said.

The white paper is part of a series of explorations into grid risks and challenges. In November, NERC published a Distributed Energy Resource Strategy examining approaches to reliably integrate tens of thousands of aggregated megawatts to the bulk power system. A white paper on the security impacts of DERs is expected in the second half of 2023.

Last year, following attacks on substations and other energy infrastructure, the Federal Energy Regulatory Commission asked NERC to determine whether physical security grid reliability standards should be strengthened. NERC concluded current infrastructure protocols for critical substations “appropriately focuses limited industry resources” and should not be expanded.

In its white paper, however, NERC said while it is not recommending an expansion of the CIP-014 applicability criteria, an increase in physical security attacks on BPS substations means there is a need to evaluate additional reliability, resiliency and security measures.

NERC recommended holding a technical conference in coordination with FERC to further explore the topic.