By Branko Terzic, Former FERC Commissioner
February 1, 2022
We hosted a (CS)²AI Online™ symposium on January 19, 2022 that focused on Cyber Security for Energy: Part 2 - Electric Sector.
Here is a bit about the event:
Part 2 of the Symposium on Control System Cyber Security for Energy will provide tangible recommendations and best practices for electric utilities to address current and upcoming compliance and cybersecurity challenges. First, attendees will gain a detailed understanding of the latest government regulations that have been pushed by recent changes in the threat landscape. Second, industry practitioners will share their experience on technology solutions and process improvements to mitigate risk faster and build a strong culture of cyber resiliency. The symposium will provide ample opportunities throughout the event to interact, ask questions, and leverage the shared expertise of the (CS)²AI community.
Speakers:
• Melissa Hathaway (President, Hathaway Global Strategies) - Keynote
• Marc Rogers (VP of Cybersecurity at Okta): Hands-on experience on exploit
• Ben Sooter (Principal Project Manager, EPRI): Responding to High Impact Cyber Security events in Operations
• Branko Terzic (Former FERC Commissioner): Challenges for electric utilities
• Philip Huff (Univ. of Arkansas): Vulnerability Management for electric utilities
• Todd Chwialkowski (EDF-RE): Implementing Electronic Security Controls
• Robin Berthier (Network Perception): NERC CIP Firewall Change Review Workflow
• Saman Zonouz: Threats to Programmable Logic Controllers (PLCs)
As always, we encourage our audience to participate throughout the event by contributing feedback and questions for our speakers. We weren't able to answer all of your questions, so we have asked some of our speakers to answer a few of them. Below are some answers to a few questions posed during the event.
Do you want to have access to more content like this? Register for our next (CS)²AI Online™ seminar or symposium here, or consider becoming a member of (CS)²AI to access our entire library of recorded sessions.
******************************
QUESTION:
What additional challenges will green technologies bring to the operators?
ANSWER:
Challenges will come, not from the fact that the technologies will be “green”, but that many of the solar units will be small, distributed on customer premises and customer owned rather than at large utility owned facilities. California utilities are looking to address the problem of secure communications with residential solar by application of HardSec.
QUESTION:
What are your thoughts on improving transmission capability between Eastern and Western grids to aid resilience, and ERCOT's unreliability in winter (as demonstrated in Feb 2020!)?
ANSWER:
I am all for it. The problem is that transmission siting and expansion is under state regulation and not under the FERC. It is very difficult to obtain licensing for new transmission from those states between the power sources and the remote market region. Congress has to address the problem but is reluctant to remove authority from the states.
QUESTION:
For self-regulated rural utilities, what have you seen to be the best framework to follow for cybersecurity?
ANSWER:
I guess I would follow whatever guidelines are set out by the National Rural Electric Cooperative Association (NRECA) and other similar organizations. The NRECA has, for example, filed joint comments at the FERC with the EEI, the trade organization of investor-owned utilities.
QUESTION:
Grid operators with high penetration of intermittent resources, such as Ireland, have shifted capacity acquisition to specific "essential grid services". How important is it for the US Grid operators to also change from acquiring "plain old capacity" to the acquisition of specific grid services, like ramping?
ANSWER:
The question goes to the point that electricity is an instantaneous “service” and not a bulk commodity to be stored, repackaged and delivered when convenient to the marketer. The various US wholesale power markets have already moved to identifying specific electricity “ancillary services” which need to be recognized, measured and priced to ensure adequate and reliable service. The Texas ERCOT ignored this fact by not having a capacity market and only relying on an “energy market”.
QUESTION:
Your comment about a status quo in terms of vulnerabilities suggests that something new needs to enter the picture. Does that include federal funding of capabilities and capacity in "secure" microelectronics manufacture within the boundaries of the United States?
ANSWER:
It's always nice to get federal funding rather than spend your own funds, I suppose. The microelectronics problem is a slightly different one from the problem of vulnerability of electric utilities to hacking. My suggestion was that utilities look at the new HardSec claims and capabilities, especially for OT systems.
QUESTION:
Are operators just accepting they will not be able to block attackers and so focusing on how to manage the risk and minimize the blast radius?
ANSWER:
That seems like the current standard for cybersecurity services, a recognition that either the computer systems are already infected or that an intrusion can only be identified, not blocked. The job of the cybersecurity firms is then one of rapid identification and recovery.
QUESTION:
With more security services being offered on the cloud, is FERC/NERC moving towards allowing cloud services for the energy sector? And what are the major concerns of using a cloud service for the energy sector?
ANSWER:
FERC and NERC regulation is somewhat limited as state Public Service Commissions have significant authority over electric utility budgets, for example, among their ratemaking powers. If use of “cloud services” is demonstrably cost effective versus alternatives then it's likely state PSCs would approve “cloud services”. I do not know about FERC's position.
QUESTION:
When a new safety mechanism is introduced, like NERC CIP 013... is that a FERC lead and NERC follow or vice versa?
ANSWER:
The NERC can lead but it is under the authority of the FERC, which means that the FERC can approve, modify or supersede NERC regulations.
QUESTION:
How do you recommend mitigating the security issues of the legacy systems in utilities sector?
ANSWER:
That sector is perfect for the capabilities of the new HardSec option which is indifferent to software type or age.
QUESTION:
Is it a problem to implement compliance for power companies because of the different sizes of the power companies?
ANSWER:
I think the problem has more to do with the management priorities of power companies than the actual size of the utility. Even the smaller Investor-Owned Utilities are large enough to have significant budgets to address cyber security issues.
QUESTION:
If this sector is heavily regulated, why not force the supply chain vendors to adhere to regular upgrade cycles?
ANSWER:
That can be done by the utilities themselves in their purchasing practices.
QUESTION:
How should/could a regulator incentivize good cybersecurity practices?
ANSWER:
The regulator can make cybersecurity performance an explicit indicator of management performance and of utility service quality. Then both penalties and rewards in the forms of financial incentives and disincentives can be adopted after the necessary regulatory procedures. Of course, the regulator has to approve electric budgets commensurate with the new cyber security requirements.