How often is U.S. grid attacked? Monitor doesn’t know — yet

Source: Peter Behr, E&E News reporter • Posted: Monday, June 25, 2018

U.S. power grid companies should expect dangerous cybersecurity intrusions to keep increasing, with adversaries seeking to break through defenses by infecting utilities’ trusted suppliers, the North American Electric Reliability Corp. says.

NERC’s State of Reliability 2018 report, issued last week, provides a largely technical, backward look at the ability of high-voltage transmission companies and generators to meet grid operating requirements.

NERC officials who briefed reporters on the latest assessment offered no comments on the ongoing debate over a proposed Energy Department grid resilience policy. The DOE plan — not yet acted on by the administration — would subsidize money-losing coal and nuclear power plants to keep them from retiring, in order to strengthen grid resources against emergency threats.

Measures of day-to-day grid performance reflect continuing improvement, NERC said. Outages on transmission lines caused by human error and equipment failures declined.

But like chin-stroking physicians at the foot of a patient’s bed weighing their uncertainties, NERC grid monitors’ confidence in grid security is limited by what they can measure, said James Merlo, vice president of reliability risk management for NERC, the high-voltage grid security monitor.

Uncertainties stem from conditions they can’t yet track precisely or adequately, like evolving cybersecurity threats or possible new operating challenges due to the transitions from traditional fossil-fueled power plants to renewable energy and storage technologies, Merlo said.

Based on reports from industry, NERC stated that there were no successful cyberattacks on the federally regulated power networks. But, it added, “While there were no NERC-reportable cyber security incidents during 2017 and therefore none that caused a loss of load, this does not necessarily suggest that the risk of a cyber security incident is low, as the number of cyber security vulnerabilities are increasing.”

In fact, 2017 saw a succession of cyber campaigns against U.S. energy companies, including sophisticated cyber espionage aimed at penetrating nuclear plants to implant malware to steal operators’ credentials and open secret internet channels for further compromises. Officials say that campaign, attributed to Russian state-backed hackers, did not penetrate reactor systems.

NERC does not receive consistent information on attacks that don’t succeed in causing power outages, Merlo noted.

“Those are types of metrics we don’t currently have,” he said.

“We don’t know how many times the firewall worked. As we start to understand the threat, we find every day that, gosh, there were more attacks than we ever knew were coming, and we didn’t even know they were attacks because they were so well camouflaged.

“How many shots on goal are there? How many are we actually blocking or that never got even close?” Merlo asked. NERC is hoping to get better data on that front.

The Federal Energy Regulatory Commission, which named Merlo’s organization as its designated security monitor, is also seeking a more complete picture of the threat. On Dec. 21, the commission advanced a proposed rule that would require regulated grid companies to report cyber “break-in” attempts as well as hacking attacks that succeeded in interrupting power service (Energywire, Jan. 8).

NERC yesterday repeated warnings from its threat coordination center, the Electricity Information Sharing and Analysis Center (E-ISAC), predicting continued increases in phishing attacks against grid companies by hackers trying to steal operators’ sign-on credentials.

More of those attacks are expected to be routed through utilities’ trusted vendors, construction contractors and business partners whose systems have been compromised by hackers and used as way stations to mount campaigns against utilities — an issue that is also subject to FERC rulemaking.

The E-ISAC said that “smaller business partners may make easier targets of compromise from their smaller security budgets. Small businesses make for attractive initial targets because a phishing email from a trusted source may be more likely to be opened.”

Merlo said NERC is seeking more understanding of new complications faced by control room operators when a large power plant unexpectedly is forced to shut down, causing grid voltages or frequencies to veer from the normal, tightly controlled boundaries.

When such shutdowns happen, nearby generators automatically step up their output to keep the system in balance. If frequency levels fall too low, then protective equipment on the grid begins to automatically shut down programmed sections of the systems, blacking out the customers there, a process called “under frequency load shedding” (UFLS).

One emerging issue is whether the special digital controls on solar power installations — inverters that convert solar energy from direct to alternating current — may inadvertently upset automatic frequency or voltage support processes, said David Till, NERC senior manager of performance analysis.

“We’re not sophisticated enough, nor is anyone, to say exactly how close you can get [to the load-shedding threshold] before you are in a troubled area,” Till said.

“With the changing resource mix, we have to make sure there’s not a degradation that allows the frequency drop to start triggering UFLS, and do so multiple times before we can get it corrected. So we want to stay ahead of that.”