US power sector recognizes cyber risks, but violations show enforcement issues

The importance of the energy sector as the underlying engine of the U.S. economy has put a target on the backs of almost every utility in the country.

Industry, regulators and others are all well aware of the risks associated with outdated and vulnerable IT systems. But as a string of recent cyber rule violations has shown, the regulatory framework requires refinement to prevent a large-scale attack.

Recent reports of repeat offenders have further called the industry's cybersecurity efforts into question. Some of the country's largest utilities, including Duke Energy, PG&E and DTE Energy have recently been sanctioned by federal regulators for violating the North American Electric Reliability Corporation's (NERC) critical infrastructure protection (CIP) rules.

"Self-regulation, rarely, if ever, is effective, and in this case, it clearly is not working."

Tyson Slocum

Director, Public Citizen's Energy Program

In February, North Carolina-based Duke Energy agreed to the largest cybersecurity-related penalty in NERC's history, a $10 million fine. According to company policy, Duke did not to confirm, deny or comment on any enforcement filing issued by NERC.

As a result, the current practice of keeping the names of violators confidential in order to encourage self-disclosure within the industry has been called into question.

"Self-regulation, rarely, if ever, is effective, and in this case, it clearly is not working," Tyson Slocum, director of Public Citizen's Energy Program, told Utility Dive.

The advocacy group said the latest revelations and investigations show that despite the promised cloak of secrecy, utilities are not getting the job done.

Violator confidentiality

Slocum noted that NERC's boards and steering committees are dominated by people with direct financial ties to utilities, which could impact their oversight.

"There are times when NERC's interest and the interests of utilities they are supposed to be overseeing are actually indistinguishable," he said.

Public Citizen is calling on NERC and the Federal Energy Regulatory Commission (FERC) to not only start publicly identifying violators and move away from the concept of self-regulation, but also to allocate more financial resources toward direct oversight and compliance.

FERC declined to comment on its current procedures, while NERC pointed to its track record.

"Reliability is NERC's mission, and grid security is inextricably linked to reliability. To date, there has not been any loss of load in North America that can be attributed to a cyberattack," James Robb, president and CEO of NERC, said.

While there still hasn't been any reported loss of load, E&E News late last month reported that the first cyberattack disrupting grid operations occurred in early March.

The March 5 attack, which targeted Cisco Adaptive Security Appliance devices across Utah, Wyoming and California, did not cause any blackouts or harm power generation, E&E reported, citing multiple sources and a Department of Energy filing.

The most direct impact of the hack was likely a temporary loss of visibility of certain control systems, though operators in the regions denied suffering an attack, the report stated.

NERC plans to conduct a root cause analysis of the attack.

Despite the growing threat, utilities have largely rejected changes to the system, arguing that naming violators could jeopardize national security by exposing potential grid vulnerabilities.

"It appears the financial penalties associated with findings of noncompliance are increasing, yet as the industry matures in its understanding of the standards, the cyber protections supporting the [bulk electric system] are stronger than ever."

Nick Brown

President and CEO, Southwest Power Pool

"PG&E continues to follow and support the existing processes associated with discovery and reporting of NERC CIP violations," Jason King, PG&E spokesperson, told Utility Dive. "The confidentiality of the violation reporting process promotes self-reporting."

Other utilities have voiced concerns over increasing fines related to cybersecurity violations, urging regulators to make a distinction between non-compliance and negligent security with respect to CIP standards.

For Slocum, the reason that so many utilities fail to prioritize security investments comes down to cost.

"Of course, companies are saying that they are committed to preparing and defending against cybersecurity. That's the public face of what they need to do," he said. "But actually getting it done involves prioritization and effective management. That costs money, and these utilities are sometimes reluctant, especially those utilities that are operating to maximize returns for their shareholders. They don't see the value in it."

Frustrated by utilities' reluctance to report cyberattacks, FERC commissioners last year started broadening the definition of what constitutes a reportable incident.

A daily threat

While no large-scale attack has so far occurred in North America, suspicious cyber activities occur on a daily basis. The cybersecurity tools utilized by the Western Area Power Administration (WAPA) identified more than 10,000 individual cases of suspicious activity on its system in 2018.

"More than 97% of these were investigated and resolved within two days. In an average day, WAPA's firewalls are pinged nearly 200,000 times by suspicious or potentially damaging events," Mark Gabriel, WAPA administrator and CEO, said.

, "The top three critical infrastructure areas we look at are energy, telecommunications and financial systems. I will proffer to you, none of the other two work without energy."

William Evanina

Director, National Counterintelligence and Security Center

U.S. adversaries are no longer targeting military bases, but rather their surrounding infrastructure, including power sources, William Evanina, director of the National Counterintelligence and Security Center and security advisor to the Director of National Intelligence, said during a FERC/DOE technical conference in Washington, DC in March.

"The top three critical infrastructure areas we look at are energy, telecommunications and financial systems. I will proffer to you, none of the other two work without energy," Evanina said.

China and Russia currently pose the greatest threat, according to a Worldwide Threat Assessment from National Intelligence Director Daniel Coats. "For years, they have conducted cyber espionage to collect intelligence and targeted our critical infrastructure to hold it at risk," Coats wrote in a January 29 statement for the record provided to the Senate Select Committee on Intelligence.

"Our domestic critical infrastructure is in many ways on the front line. Energy infrastructure is and increasingly will be targeted by sophisticated competitors as a part of their efforts to disrupt U.S. critical infrastructure during a conflict. A stronger and more resilient grid is a national security priority," Chuck Kosak, deputy assistant secretary of defense for Defense Continuity and Mission Assurance at the U.S. Department of Defense, said during the conference.

Vulnerabilities

Conference participants also identified supply chain as one of the most vulnerable areas across the industry.

"Virtually every device now has a chip in it, you are getting your chip from overseas, [what] if there's anything in there that makes us vulnerable?" FERC Commissioner Bernard McNamee asked.

The Trump administration has raised similar concerns in regard to telecommunications equipment from Chinese companies Huawei and ZTE.

"Huawei is owned by the state of China and has deep connections to their intelligence service. That should send off flares for everybody who understands what the Chinese military and Chinese intelligence services do. We have to take that threat seriously," U.S. Secretary of State Mike Pompeo said.

"Virtually every device now has a chip in it, you are getting your chip from overseas, [what] if there's anything in there that makes us vulnerable?"

Bernard McNamee

FERC Commissioner

The concern over cyber defense measures is shared by a large number of power sector CEOs across the country.

Almost half of all power and utility CEOs believe a cyberattack on their company is inevitable, according a 2018 KPMG report. Of those surveyed, 48% feared that cyberattacks were a matter of "when" not "if."

However, the survey also found 58% felt prepared to identify a cybersecurity threat, a notion that was shared during the FERC/DOE conference. The message among regulators and industry stakeholders was clear: cybersecurity is a threat, but our industry is prepared.

America's energy companies are clearly cognizant of the ever increasing threat, which is expected to grow exponentially as utilities expand the use of new technologies to transition from fossil fuels to a more distributed grid, according to 2016 report from DOE's Idaho National Laboratory.

But Slocum sees a need for a greater sense of urgency.

"We've got enough information now that the system, as it's currently structured, is failing. That NERC is not doing the job it needs to do. That the utilities are failing at their jobs of self-policing, and that FERC is refusing to assert the authority that it has to take a bigger role and start publicly naming violators," Slocum said.