National Academies Press: OpenBook
« Previous: 2 Grid Infrastructure
Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×

3

Cybersecurity of the Grid

In order to provide more reliable and efficient service, the electric power delivery system is incorporating an ever increasing amount of data transfer, with communications occurring over a wide array of systems. Massoud Amin, University of Minnesota, noted that the systems have become so intertwined that operators may forget where the data is coming from, citing an anecdote of a power plant operator who was receiving all of his commands over the internet. Granger Morgan, CMU, pointed out that while adding more points of intelligent control can add capacity, stability, and flexibility, it also adds more entry points for cyberattack. Paul Nielsen, Software Engineering Institute, CMU, asked a question about the conundrum facing utilities today: What risk are you willing to accept for capability?

While the sophistication of cyberattacks is increasing, the level of technical knowledge necessary for the attack is decreasing according to both Dr. Nielsen and Patricia Hoffman, DOE (Figure 3-1). Joseph McClelland, FERC, noted that the power sector is an increasing target for cyberattacks, both in the United States and abroad. Stressing the ubiquitous nature of cyberattacks, Terry Boston, PJM Interconnection, recalled a common saying: “There are two types of people: those who’ve been attacked, and those who don’t know they’ve been attacked.” With such attacks becoming commonplace, it is crucial to understand where the underlying vulnerabilities lie in the electric power delivery system.

Merging of Infrastructures

Galen Rasche, Electric Power Research Institute (EPRI), described the new world that is emerging—just as critical infrastructure has become increasingly integrated with the electric power system, so too has the grid become more reliant upon the communications network (Figure 3-2). An increasing number of sensors applied to the grid allows for both improved flexibility and increasing automation. However, Mr. McClelland noted that such an increase in automation increases the number of on-ramps for cyberattacks. And as Mr. Rasche pointed out, this increased integration with the communications infrastructure can leave the grid vulnerable, as layer upon layer of connectedness results in an increasing amount of trust placed in suppliers.

The legacy systems common in transmission and distribution systems often communicate via insecure protocols, according to Mr. Rasche. One of the biggest challenges in securing this legacy hardware is the fact that these very protocols are created through standards organizations, and such processes are, by design, very slow to change. Therefore, more robust network, system, and security management protocols are necessary for transmission and distribution systems to identify the types of security faults common to antiquated hardware.

Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×

image

FIGURE 3-1 Average intruder knowledge and attack sophistication as a function of time. SOURCE: Presented at the workshop by Patricia Hoffman, Department of Energy, February 27, 2013; from Howard Lipson, Carnegie Mellon University (CMU) Software Engineering Institute CERT®. Copyright 1998-2011. This CMU and Software Engineering Institute material is furnished on an “as-is” basis. CMU makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. CMU does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

image

FIGURE 3-2 The communications network (top) and electric grid infrastructure (bottom) merged, with smart metering being deployed in homes, sensors being deployed at the distribution infrastructure, and all of this being communicated to users at central control facilities. SOURCE: Galen Rasche, EPRI, workshop presentation, February 27, 2013.

Modernized hardware and software do not necessarily offer increased protection, however. As Fred Hintermeister, North American Electricity Reliability Corporation (NERC), pointed out, supply chain security is critical to ensuring that a particular subsystem is secure, regardless of the system or vendor. Dr. Nielsen agreed, expanding on the necessity of knowing who wrote the software for every component of all of your partners’ systems. While this may seem a

Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×

image

FIGURE 3-3 High-profile cyberattacks (2010-2012), with magnification of August through December, 2012. SOURCE: Fred Hintermeister, NERC, workshop presentation, February 27, 2013.

daunting task, the increasing number of attacks is pushing hard on utilities and their partners to ensure that their systems are secure at every level. NERC is working with a global network of governmental intelligence sources, vulnerability researchers, and others to develop products that specifically address emergent issues, particularly in the area of cybersecurity. A system is only as secure as its weakest link, and it is a crucial part of established NERC procedure to push mitigation measures out to the relevant bulk power system entities in a timely manner so that they may address the full chain of operations.

Risk Assessment and Cybersecurity

Given the prevalence of attacks (Figure 3-3), it is crucial to evaluate how best to maintain system integrity with minimal risk. Dr. Nielsen suggested that appropriate choice of architecture can help make these trades in design by linking the business goals to system goals. Dr. Morgan noted that that separate risk assessments could be needed for natural disasters and intelligent agents. While it would be possible to evaluate which architecture is more vulnerable

Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×

than another to a given susceptibility, the probability of attack relevant to making an analytical choice in system architecture will be substantially different for a natural disaster than for a terrorist threat.

Making such a risk assessment is difficult, according to Mr. Rasche. Because cybersecurity involves the meshing of two networks based on completely different expertise, it is difficult to adopt common protocols for risk analysis. Narain Hingorani, Consultant and National Academy of Engineering member, and Anjan Bose, Washington State University, agreed that cross-expertise and operator training are both significant issues at this interface. Mr. Hintermeister mentioned ongoing work in this area: The NERC Information Sharing and Analysis Center maintains a near-real-time, grid-common operational picture to inform risk assessment and mitigation development and delivery.

Diane Munns, MidAmerican Energy Company, noted that the regulatory bodies are at a particular disadvantage when it comes to both expertise and authority. On top of this, the regulatory process itself is not well designed for cybersecurity, according to Mr. McClelland. NERC can develop standards for reliability and cybersecurity and submit them to FERC, but because the process is both slow and open, it is not adequate for national security purposes—in effect, both the threat and the mitigation strategy are announced through the regulatory process.

Given the nature of the cyberthreat, there was significant discussion over the potential for catastrophic damage, particularly for causing damage to the physical infrastructure. Dr. Morgan cited recent work at Carnegie Mellon indicating a low probability that a hacker could destabilize the bulk power grid by toggling customer loads via hacked smart meters.1 However, Mr. McClelland cited both the Aurora test at Idaho National Laboratory 2 and a collaborative project with Lawrence Berkeley National Laboratory to identify critical frequency vulnerabilities for customer load shedding as evidence of the sensitivity of certain aspects of the physical infrastructure to cyberattack.3 Dr. Amin also suggested such potential vulnerability, though other participants commented that the Aurora experiment in particular was not indicative of a typical utility control system. Regardless of the disagreement over a potential causal link, however, participants from both perspectives agreed that a cyberattack combined with a damaged physical infrastructure would magnify the effectiveness of a terrorist threat, particularly in the event of a coordinated attack on multiple fronts.

Solutions

There are many cybersecurity actions that can be taken to reduce vulnerability to a cyberattack. Most obviously, according to Dr. Amin, wireless and public internet access should

___________________________

1 A. Narayanan, 2012, The emerging smart grid: Opportunities for increased system reliability and potential security risks, Dissertations, Paper 138, available at http://repository.cmu.edu/dissertations/138.

2 Video available at http://www.youtube.com/watch?v=fJyWngDco3g.

3 J. H. Eto, J. Undrill, P. Mackin, R. Daschmans, B. Williams, B. Haney, R. Hunt, J. Ellis, H. Illian, C. Martinez, M. O’Malley, K. Coughlin, and K. Hamachi-LaCommare, 2010, Use of frequency response metrics to assess the planning and operating requirements for reliable integration of variable renewable generation, LBNL-4142E, December, available at http://certs.lbl.gov/pdf/lbnl-4142e.pdf.

Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×

be avoided at all costs. Mr. Boston suggested building the system like a nuclear secure lab, where communication is handled as an information diode that does not “shake hands” with the computer, so that information transfer is one-way.

According to Dr. Amin, the vulnerabilities of centralized control seem to demand smaller, local system configurations. Thus, resilience may depend upon the ability to bridge top-down and bottom-up decision making in real time. This highlights the need for building secure sensing, fast reconfiguration, and self-healing into the infrastructure. Mr. Rasche also recognized the importance of real-time analytics and integrity checking, because these systems cannot simply be taken off-line. Mr. McClelland highlighted the ongoing efforts by FERC to anticipate attacks through pattern recognition as one particular example of real-time analytics that can increase cybersecurity in the power system. Ms. Hoffman also acknowledged the importance of situational awareness: Aggregating monitoring information to develop a “common operating picture” enables real-time prevention and can boost the effectiveness of training exercises. Such an approach should be risk-oriented and data-driven, with the data being linked to actionable knowledge, according to Mr. Hintermeister.

Tabletop exercises on the impact of cyberattacks offer an opportunity for close coordination between information technology experts and power system experts, according to Mr. Rasche. Such penetration testing would be significantly improved through a common metric for cyberresilience. Assessing the vulnerability of a system is difficult, particularly in the case of a zero-day, or previously unknown, vulnerability. How can one measure resilience to an unanticipated event?

Because most utilities do not have an integrated security system, according to Mr. Rasche, devices tend to be upgraded in silos. A more systematic approach would allow correlating events across distributed power systems with the data being collected, as suggested above. Dr. Amin suggested that the industry should facilitate and encourage design of security at the start and look to include it in standards where appropriate. The certification of vendor products for cyberreadiness would essentially allow for security by default. Mr. Hintermeister pointed out the use of NERC’s HYDRA network of subject matter experts for the technology vendor supply chain. Because reliable operation necessitates security throughout the entire supply chain, it is crucial to approach the problem at both the hardware and software level.

image

Mr. Boston pointed out that collaboration is key. It is important to leverage industry relationships to share best practices and coordinate response plans. He pointed to the benefits of PJM Interconnections partnerships with DHS, the University of Maryland, Boeing, and the Pacific Northwest National Laboratory as evidence of the way in which shared expertise can benefit the industry. While Mr. Hintermeister agreed on the need to embrace partnerships, he stressed that it is important to have empathy for the partners. Everyone has a different role and different concerns, and one must be aware of those additional requirements.

Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×
Page 10
Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×
Page 11
Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×
Page 12
Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×
Page 13
Suggested Citation:"3 Cybersecurity of the Grid." National Research Council. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/18535.
×
Page 14
Next: 4 Responding to Outages »
The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop Get This Book
×
Buy Paperback | $45.00 Buy Ebook | $36.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters is the summary of a workshop convened in February 2013 as a follow-up to the release of the National Research Council report Terrorism and the Electric Power Delivery System. That report had been written in 2007 for the Department of Homeland Security, but publication was delayed because of security concerns. While most of the committee's findings were still relevant, many developments affecting vulnerability had occurred in the interval. The 2013 workshop was a discussion of the committee's results, what had changed in recent years, and how lessons learned about the grid's resilience to terrorism could be applied to other threats to the grid resulting from natural disasters. The purpose was not to translate the entire report into the present, but to focus on key issues relevant to making the grid sufficiently robust that it could handle inevitable failures without disastrous impact. The workshop focused on five key areas: physical vulnerabilities of the grid; cybersecurity; mitigation and response to outages; community resilience and the provision of critical services; and future technologies and policies that could enhance the resilience of the electric power delivery system.

The electric power transmission and distribution system (the grid) is an extraordinarily complex network of wires, transformers, and associated equipment and control software designed to transmit electricity from where it is generated, usually in centralized power plants, to commercial, residential, and industrial users. Because the U.S. infrastructure has become increasingly dependent on electricity, vulnerabilities in the grid have the potential to cascade well beyond whether the lights turn on, impacting among other basic services such as the fueling infrastructure, the economic system, and emergency services. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters discusses physical vulnerabilities and the cybersecurity of the grid, ways in which communities respond to widespread outages and how to minimize these impacts, the grid of tomorrow, and how resilience can be encouraged and built into the grid in the future.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!