Yesterday I was interviewed by the always astute Blake Sobczak of Energy and Environment News[i] about a cyber security report issued by the White House last week, and specifically about what it had to say about the cyber security of the power grid. The article appeared today.
The
discussion of the grid in the report was certainly good and not terribly
inflammatory. My feelings about this report are very similar to my feelings
about Ted Koppel’s book Lights Out, which I discussed in this post in early 2016: What Koppel was writing about had very little to do with
cyber security. It had everything to do with the amount of devastation that any widespread and prolonged grid event
could wreak (and we’re talking about a much more serious event than even the
2003 Northeast blackout), whether caused by a huge weather event (even bigger
than Superstorm Sandy), solar storm, EMP
event, physical attack, or, yes, a cyber attack. Even more importantly, the book
documented in horrifying detail the country’s almost total lack of preparedness
for this. Unfortunately, whoever wrote the book jacket decided the book would
sell more copies if it were made to appear as a book about a big cyber attack on
the grid, without doubt to leverage the popular movies that had depicted such
an attack. So that is how the book is known, but it isn’t what’s actually
between the covers.
In the same
way, the section of the White House report that I commented on quotes the 2015
study by Lloyd’s and the University of Cambridge that estimated the total cost
of a worst-case cyber event at $1 trillion. I totally agree that a worst-case
cyber event could cost that much. But there are two considerations: 1) The cost
would be the same whether the cause of the event were weather, solar storm, or
anything else; and 2) I’d say a worst-case cyber event is probably the
least-likely cause of such a huge grid outage – with a probability somewhere around
1 in 10 to the 10th or the 20th power. I think a solar
storm is far more likely to cause such an event (and the 1859 Carrington
Event probably would have done it, had it occurred today. We’d better hope
these aren’t every-200-year events!).
Although the
report didn’t advocate any particular policy actions (it was actually quite
good as a broad overview of the risks posed by cyber security weaknesses across
the US economy), in my comments I anticipated what I thought might be the
typical response regarding security of the power grid: “Oh my God, we have to
do something about this! We need to really tighten up the cyber security
standards so that the power industry (that would be you, Dear Reader) doesn’t
let this happen to us!”
My response to this response, whether triggered by the White House report, Ted Koppel’s book or any number of alarmist statements, is that the situation won’t be improved by requiring, say, a 10-fold increase in the severity of the NERC CIP requirements.
There has never been an outage caused by a cyber attack in North America; nor
has there ever been even a documented penetration of a control network in a
grid asset of any significance (I make this qualification because there was a penetration of a
5MW dam in New York state in 2013. I know of no other such penetration,
although if anyone knows of another I’d appreciate your letting me know about
that in an email). And of course, any amount of increased cyber security
spending by the power industry will do nothing to mitigate the danger of a
different type of event like a solar storm (and NERC is currently in the
process of approving a draft standard to address solar storm risks by “hardening”
grid assets).
I have long
believed that the best protection against widespread outages, no matter what
the cause, is microgrids. If the great majority of populated areas in North
America were protected by microgrids, there could still be widespread grid
events which would destroy huge fixed generation and the high-voltage
transmission network - but these events wouldn’t cause widespread outages. Each
microgrid would automatically activate its local generation resources – wind,
solar, gas turbines – and keep on chugging. Of course, the problem at the
moment is that microgrids are very expensive to implement and they’ve only been
implemented in a small number of high-value locations (like the New Jersey
transit system, which was knocked out by Hurricane Sandy, greatly complicating
the recovery from the storm). But if we’re talking about throwing a lot more
money at grid security, wouldn’t it be a lot better to throw it at a solution
to all potential causes of a huge grid
outage, rather than just at reducing the already-infinitesimal probability of
just one of those causes – a massive cyber attack?[ii]
Before I go,
I do want to point one thing out: I don’t believe for a moment that electric
utilities are paying too much for OT cyber security controls now. In fact,
given the ever-tightening threat environment, I think it’s inevitable they will
need to spend more every year for the foreseeable future. My issue is that a
large portion of what NERC entities spend on NERC CIP compliance now goes simply to pure compliance activities, not to increasing the level of cyber security. I
think that virtually all NERC entities understand that this is a tough world,
and they will have to increase their cyber and CIP spending every year just to
stay in the same position. But they will be increasingly reluctant to do this
without changes in the NERC CIP compliance regime (and in the standards
themselves) that will allow a much higher percentage of every dollar they spend
on CIP to go towards cyber security.
And what are
those needed changes? Funny you should ask. That is the topic of a book I am
working on with two co-authors. You may roll your eyes and point out that I’ve
been talking about this book for close to two years. That’s true, but we now
have a lot of momentum and I’m sure we’ll have something out before the end of
the year. And what is the solution we’re advocating? Well, you can find most of
it in my posts, although I’ll admit you’ll have to look hard (and be able to
tie a lot of bits and pieces together). I hope to have everything in a one-stop-shop
this year!
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
Tom Alrich LLC can help you with NERC CIP issues or challenges like what is
discussed in this post. To discuss this, you can email me at the same address
or call me at 312-515-8996.
[i]
This online publication has the best articles about security of the energy
sector of any publication I’ve seen, all written by either Blake or his
colleague Pete Behr. They’re all very in-depth (a few even as long as my
average post, heaven forbid!) and very well-researched – and this applies to
all of the articles, not just those on cyber. Most online news feeds confine
themselves to news feeds or reproductions of articles from other publications,
so E&E News really stands out. This is a subscription-only publication, but
I strongly recommend you try to get your own organization to subscribe to it. I
recommended to my boss at Tom Alrich LLC that we purchase a subscription, but
he hasn’t replied to my email yet.
[ii]
And if you’re tempted to think that the big toughening of the NERC CIP
standards would be paid for by “private industry” while the cost of
implementing microgrids everywhere would have to be borne by the taxpayers, let
me point out something to you: Every taxpayer is a ratepayer to their local
electric utility. Where will the utilities get the money to comply with this
huge increase in the cost of CIP compliance?
A good friend of mine pointed out that I had missed one case of "a documented penetration of a control network in a grid asset of any significance." That was the shutdown of a safety monitoring system at the Davis-Besse nuclear plant in Ohio due to an infection by the Slammer worm. Since the plant was shut down at the time due to another problem, this of course didn't have any effect on the grid, but it definitely was penetration.