New government standards appear well-timed for improving the resiliency of critical network operations in electric generation and transmission systems and combatting cybersecurity and physical security threats.

In April 2014, the Federal Energy Regulatory Commission (FERC) decided to adopt the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standard for cybersecurity. This decision was followed by a late-May 2014 adoption of NERC CIP-014 to develop reliability standards addressing risks due to physical security threats and vulnerabilities.

And the industry seems to be getting the message. For proof, one need look no further than the rapid rise of cybersecurity to number four among the Top 10 industry issues from a number six ranking a year ago, according to Black & Veatch’s 2014 Strategic Directions: U.S. Electric Industry report. This rise comes on the heels of headline-grabbing cyber incidents and facility assaults.

Respondents to the survey indicated that nearly half do not have integrated security systems – that is, for cybersecurity, physical security, corporate and control system environments.

“While the concept of asset security is not new, investments in generation, transmission and distribution to ensure reliability are typically the primary focus of capital spends,” said Dan Rueckert, head of the Security & Compliance practice in Black & Veatch management consulting. “But there is progress. For instance, one year ago, cybersecurity was identified as an area of concentration for major investments by only 1.7 percent of survey respondents. Physical security was not even polled.”

Rueckert said the lack of adequate physical security funding is driven by several factors. First, utilities are mandated to deliver reliable service and comply with environmental regulations, so that becomes the top priorities. Second, previous versions of CIP have called for reliability, but have not mandated some level of physical security protection and compliance.

Respondents were asked if the expanded definition of “infrastructure protection” to include cyber, physical, corporate and control system environments and the increasingly integrated nature of infrastructure protection systems would cause additional operational security risks.
In the survey, the outlook of nearly 50 percent of respondents is that physical asset attacks will either stay the same or decrease. Without a regulatory mandate to increase investment in security or a clear-cut mechanism for obtaining rate relief from local public utilities commissions (PUCs), “non-core” investments are hampered.

Expanding Cybersecurity Controls

As awareness and publication of cyber threats have grown, several PUCs have taken steps to require the expanded adoption of cybersecurity controls. This would include all assets that are able to communicate and “talk” across networks, according to Forrest Terrell, Director of Total Energy Solutions in the Black & Veatch Special Project Corp. These include essential functions such as enterprise asset management (EAM) systems, document and media data management systems, outage management systems and customer management systems. Often these various systems run on the same logical network without logical segmentation or physical separation.

“To comply with these standards, cybersecurity plans will likely not just be limited to what impacts the bulk electric system but the utility corporation as a whole,” Terrell said.

While well intentioned, in some cases, the problem with these limited actions falling to state PUCs is that it creates a chaotic environment for the many multistate entities providing electric service.

“On the transmission side, many utilities, particularly small- to mid-sized operators, have yet to deploy robust NERC CIP programs and, therefore, will struggle to meet the guidelines of Version 5,” Terrell said.

As an example, he pointed to the many small transformers and devices that often are not top-of-mind in terms of threat assessments.

Respondents were asked to select the option that best described the level of preparedness in their utility with regard to address potential cyber activity.
Under the new standard, once-overlooked assets will require additional funds and technical solutions to protect, Rueckert stated. “The scale of the task is compounded by the lack of expertise and rigorous compliance and management programs within many organizations,” he said. “In addition, a great deal of industry experience is at or near retirement age, and new staff may not have the skill set to address these evolving challenges.”

Wide-Ranging Plans

According to the survey, only 37 percent of respondents stated a belief that their cybersecurity plans were above average. Given these hurdles, there will be a lot of infrastructure deployed to address the specific systems like the network communications, software applications, network and patch management that are drawn out in more detail in Version 5.

For example, Version 5 identifies distinctions between a “critical” cyber asset and a “protected” cyber asset in the electronic security perimeter of a bulk electric system. Everything connected to the network now needs to be protected, at minimum, by a firewall.

Considerations such as employee safety, customer data privacy and protection, and network resiliency are garnering new levels of regulator and insurance industry scrutiny. However, the physical disposition of the asset base also creates significant issues for launching security programs.

Unfortunately, given the myriad of evolving challenges facing many utilities – including aging infrastructure, disruptive changes in generating fuel and elements of regulatory uncertainty impacting cost recovery – many utilities will struggle to implement the compliance programs.

“So what are the alternatives? Shut down assets that would be costly to protect? Unfortunately, those assets are often critical to delivering reliable service,” Terrell said.

Preparing for the Future

In 2009, industry estimates called for upwards of $50 billion in spending on cyber assets with $15 billion to $18 billion for utilities. This figure has not changed, but many utilities do not have the financial wherewithal to make this expenditure, plus there are challenges associated with PUCs for rate recovery.

“In a sense, foresight is forearmed,” Terrell said. “In an environment where threats are both real and virtual and physical damage can be triggered by natural forces or nefarious intent, the best approach is preparedness.”

Since CIP-014 was adopted, Black & Veatch has seen the number of requests for security assessments increase. Once conducted, organizations can prioritize investments using risk-based standards such as the National Defense Industrial Association (NDIA) Responsibility Assignment Matrix (RAM) processes and National Institute of Standards and Technology (NIST) frameworks. As an added benefit, these may provide justification information that could help utilities in making a rate case with their local PUC.

“There is not a single solution,” Rueckert said. “But with an approach that addresses the physical elements of cybersecurity and the cyber elements of physical asset security, organizations will be better equipped and educated to manage the full spectrum of dangers.”

Published originally on Black & Veatch Solutions.