Mere days before Reuters reported that a blackout that hit Ukraine's capital in December 2016 was the result of a cyberattack, the Foundation for Resilient Societies pressed FERC to require the establishment of a new "enhanced" reliability standard aimed at detecting, reporting, mitigating and removing malware on electric utility computer systems.
According to the group, the U.S. grid already has been compromised, but no one knows to what degree because the North American Electric Reliability Corp.'s current reliability standards "do not explicitly require the reporting of malware infections."
"Assets of the bulk power system have become interconnected with the public internet, allowing foreign adversaries to implant malware in electric utility computer systems," the FRS warned. "Once implanted, this malware can be used to steal passwords, conduct reconnaissance, exfiltrate data, remotely execute grid control, cause blackouts, and destroy equipment."
NERC has revised its critical infrastructure protection, or CIP, reliability standards several times since FERC approved the first version in January 2008. Most recently, FERC in July 2016 directed NERC to develop a new standard aimed at safeguarding the bulk power system from attacks targeting links in the power industry's supply chain.
At the same time, FERC issued a notice of inquiry (RM16-18) seeking stakeholder input on whether reliability standards related to control centers used to monitor and operate the bulk electric system in real time needed to be modified in light of a coordinated cyberattack that knocked out a portion of Ukraine's electric grid in December 2015. Many who weighed in on the NOI, including NERC, asserted that the existing standards are adequate for now and that the lessons learned from the Ukraine attack have helped validate their effectiveness.
When a portion of Ukraine's grid went down again Dec. 17-18, 2016, plunging the northern section of Kiev into darkness, speculation that the outage was the result of a malware attack immediately began flying. On Jan. 18, Reuters reported that Ukrainian utility Ukrenergo indeed had preliminarily concluded that workstations and Supervisory Control and Data Acquisition, known as SCADA, systems linked to a 330-kW substation had been "influenced by external sources."
"The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion," Ukrenergo reportedly said.
In its Jan. 13 petition for rulemaking, the FRS lamented that NERC's standards currently require only mitigation, not removal, of any malware that is discovered, and set no timeline for when that mitigation must take place. The standards also result in underreporting of cybersecurity incidents, FRS suggested, noting that NERC's 2015 state of reliability report represented that only three reportable incidents had occurred for the entire bulk power system in all of 2014, while the U.S. Department of Homeland Security responded to 79 cybersecurity incidents in the energy sector in fiscal year 2014.
Moreover, NERC's method of ensuring cybersecurity by establishing a boundary between protected and unprotected systems "suffers from several fundamental flaws," according to the FRS. Systems within a utility's electronic security perimeter can be taken down by attacks on systems outside that perimeter, and passwords and other credentials still may be stored on systems outside the perimeter, FRS continued. Similar weaknesses in the Ukrainian power system were exploited in the December 2015 blackout in that country, FRS said.
Yet another problem with the current standards is that "electronic access points" to within the security perimeter still are subject to breach, FRS added. "The existence of unremoved malware in information technology systems outside the electronic security perimeter exacerbates all of these security flaws."
FRS therefore asked that FERC give NERC 90 days to develop and file a proposed standard aimed at addressing "the grave and immediate threat of widespread, long-term blackouts enabled by malware."
On its website, FRS describes itself as a "non-profit organization engaged in scientific research and education with the goal of protecting technologically advanced societies from infrequently occurring natural and man-made disasters." (FERC docket AD17-9)