White House official questions FERC’s ‘next to impossible’ grid assault scenario

Source: Peter Behr, E&E reporter • Posted: Monday, April 14, 2014

A senior White House security official downplayed conclusions of a confidential study last year by the Federal Energy Regulatory Commission warning that attacks on a handful of high-voltage substations could cause cascading power outages across the United States.

Rand Beers, deputy assistant to the president for homeland security, said at a conference on cybersecurity that a headline finding in the FERC analysis — which was obtained and published by The Wall Street Journal in March — was built on “extraordinarily narrow” assumptions. The likelihood of such an event happening was “of such a low probability as to be next to impossible,” Beers said.

Beers’ comments were the first from the Obama administration suggesting that FERC’s study might not be of critical value to a potential attacker who obtained it. Beers said he believes the information should have been classified and restricted in its release. “That is at least the starting point on this information,” he said.

He added, “There have been a lot of different scenarios, and a lot of different questions” about where the grid’s most critical points would be found.

Responding to concerns in Congress, FERC commissioners on March 7 ordered the North American Electric Reliability Corp. (NERC) to prepare standards for protection of grid facilities against physical assaults with a 90-day timetable (Greenwire, March 10). FERC approved an expanded version of cybersecurity standards last year.

Conclusions from the confidential FERC modeling study were revealed a week later, exposing the commission to criticism from members of Congress led by Sen. Lisa Murkowski of Alaska, ranking Republican on the Senate Energy and Natural Resources Committee.

At a hearing yesterday, Murkowski pressed FERC acting Chairwoman Cheryl LaFleur on the agency’s actions to deal with the disclosure of the information, and on a finding by Department of Energy Inspector General Gregory Friedman that at least one presentation from the study should have been classified and protected from release.

Friedman, in a public “management alert” this week, reported that the presentation, or its essence, may have been shared with industry officials in an unclassified session (E&E Daily, April 10).

Murkowski said her staff has prepared a series of questions it will put to FERC about whether the agency was the source of the leak, and if so, how that happened.

‘Hundreds of people saw it’

LaFleur said she, too, was distressed that the information had gotten out of the agency. “We are working on many fronts to understand what happened and to make sure it does not happen again,” she told the senators.

“We are meticulously following, first of all, the instructions of the inspector general’s management alert,” she said. “We are wiping and scrubbing all databases, computers, and portable devices across the commission to make sure the documents in question that potentially should have been classified are protected.”

She said the agency has reached out to former officials, including her predecessor, Jon Wellinghoff, “trying to get our arms around any information that may be out there.”

Wellinghoff commented following the Wall Street Journal report that the FERC study had been widely communicated around the power industry to highlight the threat of physical attacks on critical substations — a threat dramatized in April 2013 by the still-unsolved shooting attack on the Pacific Gas and Electric Co. Metcalf substation near San Jose, Calif.

LaFleur said FERC had classified the study as “critical energy infrastructure information,” and several company officials said industry executives were required to sign nondisclosure statements before being briefed on the findings.

Joseph McClelland, director of FERC’s Office of Energy Infrastructure Security, noted the purpose of the study to a group of state regulators at a conference in November. “We’ve identified key nodes, substations and generators that if we were attackers we would target.” The results were reviewed with the industry to verify conclusions, he added.

FERC has gone over company safeguards against cyber and physical attacks and best practice defenses, he said. “Who is targeting their facilities, what methods and means they’re using, what technologies, and what they can use to protect their systems,” McClelland said.

“Hundreds of people saw it,” Wellinghoff said about the FERC study’s conclusions, in comments to EnergyWire last month (EnergyWire, March 14).

He would not discuss the content of the FERC study. “I can’t comment at all,” Wellinghoff said, adding that he didn’t know how the information became public. “I have no idea.”

Dependence on vendors

Whether or not the FERC report described a plausible scenario, concerns about the grid’s vulnerability have escalated since the Metcalf attack and as evidence of increasingly sophisticated cyber campaigns against retail and Internet companies has emerged.

The latest major cyber shock is this week’s disclosure of the “Heartbleed” vulnerability in versions of security software used ubiquitously across Internet sites to safeguard user names, passwords and other confidential information.

The bug compromises some routers and security systems sold by Cisco Systems Inc. and Juniper Networks Inc., the two leading vendors have announced, and lists of other affected vendors are growing, grid experts note. Persistent hackers can use the flaw in software code to extract sensitive personal information unless the bugs are fixed, experts said.

Annabelle Lee, senior technical executive at the Electric Power Research Institute, says the potential impact on the utility industry is not known at this point. “It would be more common on the [information technology] side of utilities” than in control systems, she said in an interview.

Cybersecurity officials point to the danger of cyberattackers who try to gain access to protected energy control systems by stealing passwords and other authentication from Internet-connected company networks.

The vulnerability highlights the critical dependence of energy companies on their technology vendors. “It is not a problem with the underlying cryptology,” Lee said. “It is in the implementation. Each company has to work with its vendors. It is up to the vendors that implement and install patches, and they need to notify customers that the patch is available.”

While utilities must comply with evolving federal cybersecurity standards, backed by audit and enforcement authority, no such oversight extends to vendors, a highly competitive industry whose companies closely guard their intellectual property.

Dress rehearsal for ‘the unimaginable’

While FERC was modeling its worst-case scenarios last year, NERC responded to the Metcalf attack by holding a training exercise for utility officials in mid-November that simulated a massive, coordinated attack on grid facilities.

Thomas Kuhn, president of the Edison Electric Institute, told the George Washington University conference that the scenario began by knocking out power to 30 million people. The attacks with high-power weapons and improvised explosives were coupled with the infiltration of a potent cyber virus that invaded utility control centers.

“You try to exercise the unimaginable,” Kuhn said. “Sometimes those things end up happening.”

Michael Wallace, senior adviser at the Center for Strategic and International Studies, said the exercise, called GridEx II, “was not an implausible scenario, notwithstanding that it was very extreme.”

Joseph Rigby, chairman and CEO of Pepco Holdings Inc., which provides electric power to the nation’s capital and its Maryland suburbs, said his company has expanded its planning to consider worst-case scenarios that include the loss of communications between the control center and substations that manage power flows across its system.

“We’ve thought through, if we lost almost all capability to automatically run the system, what is our preparedness to run the system manually?” he told the GWU audience yesterday. “If we were going way back in time, and managing the system perhaps the way we did it in the ’50s, what is our capability to do that?”