At the Federal Energy Regulatory Commission's (FERC) annual technical reliability conference this past September, FERC Chairman Richard Glick voiced a concern about the effectiveness of standards to protect against ever-more sophisticated cyberattacks launched at the utility industry: The decade-old North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are not sufficient on their own. "There's a growing realization that maybe it’s not the right approach anymore," Glick said.
In many ways, Glick's statement was simply an acknowledgment of the complex and challenging reality utilities and others charged with protecting critical infrastructure face today.
"FERC has stated many times and in no uncertain terms that they believe the CIP standards are insufficient," said Patrick Miller, the owner and CEO of Portland, Oregon-based Ampere Industrial Security, whose extensive cybersecurity experience includes roles as a former regulator and as one of the initial drafters of NERC CIP standards. "I think it's pretty clear that legislation and regulation is going to move slower than the threat actors. Hackers are always faster than laws."
Which is not to say that policymakers and regulators aren’t working hard to keep pace. Already, numerous actions have been taken that have meaningful implications for utilities eager both to remain compliant and, more important, to successfully ward off the very real dangers hackers pose. Indeed, over the past year, the Biden administration issued a number of executive orders as well as a 100-day plan to address cybersecurity risks to the U.S. electric system and, more recently, a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, which focuses initially on five of 16 sectors deemed critical by the Department of Homeland Security, including the electric power industry.
While some of these new executive orders and memorandums are voluntary for private industry, Miller said he believed it was just a matter of time before at least some elements became mandatory and, importantly, expanded in scope beyond NERC CIP. More specifically, while NERC CIP requires specific actions to protect critical assets on the bulk power system, Miller said he strongly believed that mandates to protect the lower-voltage distribution grid as well as IT systems and supply chains were inevitable.
The increased focus on the distribution grid makes sense. In part, it’s a logical reaction to the huge and accelerating influx of distributed energy resources (DERs) connecting to the distribution grid – in addition to the fact that distribution is the "last mile" where all of the homes, businesses and other industries reside. Indeed, consultancy Wood Mackenzie forecasts that DER capacity will reach 387 gigawatts in the U.S. by 2025. These new assets bring along new vulnerabilities that NERC CIP doesn’t address — a fact that is likely to change.
"All of the smart grid and distributed generation and renewables and battery storage is entirely outside of FERC's regulatory sphere," Miller said. "But DHS and state commissions own regulation in the distribution space and they are aware of the issues at hand."
Recent experience has demonstrated why that scope will likely expand to the distribution grid and perhaps to the IT supply chain. That’s because cyberattacks, including the successful ransomware attack on Colonial Pipeline last spring, have revealed that the IT-OT interface is vulnerable to cybercriminals. "What happened with the Colonial Pipeline was, their IT assets were impacted. But because there were both business and process dependencies on the IT side, it impacted OT. In most modern utilities, IT hits can directly impact the OT space," Miller said.
Miller said he believed a notice of public rule-making that directs the utility industry to write standards addressing this vulnerability was likely. The potential subjects of these new standards could be wide-ranging, including mandates to protect against IT ransomware threats or to take steps to evaluate a utility’s business processes to ensure there are no IT-OT dependencies. "That could mean something around intelligently islanding off your OT side," Miller said. "Think of it as a turtle mode, where you basically clamp down the OT side and continue operating until the danger goes away and you can come back out and resume business as usual."
For utilities, this evolving threat and regulatory landscape underscores the need for flexible and resilient cybersecurity tools and processes. For example, Keysight Technologies provides Network Visibility tools, including network taps and network packet brokers, which help utilities clearly see potential threats and also help with the growing issue of IT-OT vulnerabilities.
"It's a solution that provides comprehensive packet data and also flows to OT security tools like Nozomi, Dragos and Claroty," said Eric Floyd, director of industrial solutions and business development for Keysight. "Keysight has recently launched a new product family designed specifically to meet the harsh operating conditions found in electric power substations so that utilities can detect anomalous behavior and meet NERC CIP requirements for full asset visibility."
Keysight also offers Threat Simulator, which allows utilities to simulate attacks on their networks as a way to continuously test and improve their defenses. The need to always test and anticipate new threats is a reality that won’t go away any time soon. And evolving to remain compliant and to improve resilience and reliability is a fundamental business priority.
"As a utility, your only real differentiator in the market is your resilience and your reliability. If you're known to be an unreliable utility, then you not only draw attention from regulators, but fewer utilities will want to connect to you because of the risk you pose to their system. It’s all interconnected," Miller said. "It impacts your bottom line from M&A to insurance to business relationships to regulatory oversight."
In the rapidly changing environment of utility and grid security, nothing is more certain than the imperative of ensuring cybersecurity for critical infrastructure. And while Glick’s pronouncement at FERC's Technical Reliability Conference was deemed newsworthy, in many ways it was simply an acknowledgement of the complex and challenging reality of protecting critical infrastructure today.