If you haven’t read the excellent SANS/E-ISAC analysis of the Ukraine attack, I recommend you do so. They do a great job of drawing out the appropriate cyber security lessons learned. I can’t add to what they say regarding cyber practices, but I do see two lessons that can be learned regarding cyber regulation for the grid, beyond what I pointed out in this recent post.
As I think most people know now, the substations that were attacked in the Ukraine were distribution substations, not transmission. They would therefore not have been subject to CIP. NERC and FERC don’t have any authority over distribution assets; the state Public Utility Commissions do. In fact, even though a few of the states have taken initial steps (including this recent order by the New Jersey BPU) toward cyber regulations for utilities that operate in their state, there is certainly no current national cyber regulation of distribution assets. But the question arises: Should there be such regulation?[i]
I must admit my initial reaction on learning that the Ukraine substations were distribution ones was to assert – rather breathlessly – that distribution substations pose a point of attack for the entire grid (i.e. both transmission and distribution), the implication being that they need to be regulated in something like the same way that CIP regulates transmission.
However, a NERC professional for whom I have a lot of respect organized a call with one of her colleagues to discuss my implication that distribution poses a “soft underbelly” to the transmission grid (also known as the BES). These two people pointed out two important points:
- There is no significant cyber integration among distribution and transmission substations, either within a particular utility or certainly on a regional or nationwide basis. I already knew this, since I realized that most substations still have no data communications other than serial, and that is only with their immediate control center. Distribution substations are even more likely to be purely serially connected than transmission ones. Some parties have pushed the idea that there is a huge flat routable network – or even the public Internet itself – that connects a large portion of US grid assets; this is the stuff of fantasy.
- Even more importantly, there is no purely electrical means by which a disturbance on the distribution grid would automatically propagate to the transmission grid; this is what I didn’t understand previously. My friends pointed out that outages happen all the time, for lots of reasons. Utilities live and die according to how quickly they can restore power after outages. But a distribution outage is not the same as a cascading transmission outage, since it doesn’t automatically propagate to other areas.[ii]
So my main takeaway from when my friends staged this “intervention” (my word, not theirs) is that the Ukraine attack, even though it did cause widespread temporary outages (restored within a few hours), is qualitatively as well as quantitatively different from the attack everyone fears in North America: an attack on the Bulk Electric System that causes a cascading outage, leading to a blackout of a large area for an extended period of time. And the former won’t ever lead to the latter.
On the other hand, neither I nor my friends believe that there shouldn’t be any cyber regulation of the distribution grid. After all, even the few hours that some 800,000 people in the Ukraine were blacked out had to be tremendously expensive, for the people and for the economy. But it is important to understand that the reason for doing this is different from the reason for regulating BES security.
As you are well aware, NERC CIP – as other NERC standards – is completely asset-focused. While its purpose is to protect the BES as a whole, it does this entirely through protecting the most important assets that comprise the BES, especially generating stations, transmission substations, and control centers. This is demonstrated by the fact that CIP v5 only applies to cyber assets located at one of six asset types listed in CIP-002-5.1 R1, and that there are no protections that apply to the IT network, which is usually as big or bigger than the OT network.
For the non-CIP NERC standards, this asset focus isn’t a problem, because it doesn’t leave out very much (if anything at all) that’s important. After all, those standards are all about what happens on the grid; other areas of the company such as Accounting have no impact at all on things like grid stability and resiliency.
This mindset has clearly been applied to NERC CIP as well. That is, the only thing that matters currently in CIP are OT cyber assets. I think almost everyone involved with CIP will tell you proudly that the IT network is simply out of scope, and CIP can’t be expected to apply to that. I would have told you the same thing if you’d ask me this question last year.
But should the IT network be out of scope? Look at the Ukraine attack: It all started with well-crafted phishing emails that were opened by people who only had access to the IT network. Their systems were infected with malware, and the attackers used them as a stepping stone to the systems they were really aiming at: the workstations of engineers with OT network access. The attackers weren’t concerned about preserving the IT/OT boundary, so they attacked IT systems first because they knew they had a much better chance of succeeding than if they spent months or years trying to directly access the substation relays, which were the ultimate target.
This is why I believe that IT networks of NERC entities should be in scope for NERC CIP – but not for the prescriptive CIP we all know and (some of us) love. You may have begun to notice that in just about every post nowadays I’m beating the drum of moving CIP to a risk-based format, something like CIP-014: the entity gets an assessment of their risks and vulnerabilities, they develop a plan to address those vulnerabilities on a risk-prioritized basis, and they execute the plan. Were this to be the framework for CIP, I would absolutely argue that the assessment should include all cyber threats and vulnerabilities faced by the entity, not just those that are found only in OT assets. And the prioritization of the elements of the cyber security plan should be based on risks to the entire enterprise, not just those faced strictly by the OT network. As Ukraine showed, the enterprise needs to be protected as a whole. If IT is compromised, OT will inevitably follow.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] It is important to keep this question separate from the question whether distribution assets are vulnerable to cyber attack. I am sure utilities are currently providing appropriate cyber protection to most of their distribution substations. But the idea of mandatory national standards is that they would ensure a certain minimum level of protection is achieved for all distribution assets, just as CIP is there to ensure a (higher) minimum level of protection for BES assets. Just to give you an idea of the numbers involved, I know one utility has about 60 Medium impact substations, but they have 1,100 substations that are Low impact transmission substations or purely distribution ones. I don’t know the exact breakdown, but I’m sure a big majority of those are purely distribution.
[ii] I believe that the only mechanism by which a large loss of load could impact the transmission grid would be through the fact that a lot of generation would trip out as a result. But I don’t believe this in itself would then lead to a cascading outage. There could conceivably be a way in which a cyber attack, combined with this large load loss, would lead to a widespread transmission outage, but for the moment I’m only discussing purely electrical events. I know of no real dispute that there needs to be cyber protection for the distribution grid, to protect both against an attack causing loss of load and against the remote possibility of a combined cyber/physical attack - which could conceivably lead to a cascading outage on the BES.