July 24, 2018: I just realized that I never finished this post, and it might leave the reader with the wrong impression of what I was saying (although the E&E News article referred to would hopefully correct that). Since I'm referring to this post in a new post I'm doing today, I have added a final paragraph to make clear my position. - Tom
So my position is that, while it wouldn't be completely impossible to cause a widespread outage by attacking generation, it would be very difficult. As I said at the end of the article linked at the top, if you're aiming to bring down the North American power grid, you need to look elsewhere than generation.
On June 26, Energy and Environment News published an
– as usual – excellent article
titled “Coal plants’ vulnerabilities are largely unknown to feds”. Since EE
News is a subscription service and the price is fairly steep, you will probably
need to see if the organization you work for can foot the bill for the service.
But this is an excellent newsletter regarding energy and the environment[i], and I
highly recommend you look into subscribing. Without any doubt, they have the
best coverage of cyber security in the energy industry, written by Blake
Sobczak and Peter Behr.
I’ll let you
read the article, which speaks for itself, but I’d like to add a little to the
quotations from me that appear at the end of the article. Blake didn’t
misrepresent anything I said to him when we talked, but I got (mildly)
chastised by an industry consultant for being too easy on the generation
sector. Here is my overall position on cyber security for that sector.
- I believe most coal, hydro and gas generating plants –
especially those that are Medium impact under CIP – are probably fairly
cyber secure as far as their own operations go. In other words, if one of
these plants were to experience a cyber attack, it is very unlikely that
it would be tripped.
- This also applies to the Criterion 2.1 plants (>1500MW)
that have been segmented so that there are no Medium impact BES Cyber
Systems. There is a popular misconception that the ability to segment the
plant so that no single system can affect 1500MW – which means there are
no Medium BCS – constitutes a “loophole” in the CIP requirements. This is
simply not the case. If, say, an 1800MW plant with three 600MW units is
properly segmented (and the auditors are looking at this very closely
whenever an entity claims that a 1500MW+ plant has no Medium BCS), then
this plant is no more vulnerable to a complete shutdown from a cyberattack
than three 600MW plants situated near each other would be. The only
difference is that in the first case, the three “plants” share a common
fence and in the second they don’t.[ii]
Of course, if you think the 1500MW threshold is too high and it should
really be around 500MW, that’s another story – but I think this is
appropriate, and it’s actually a lot lower than the 2200MW that I remember
was originally approved by the Standards Drafting Team[iii].
- Even if a single plant, no matter how large, were to be
brought down by a cyber attack, this would most likely not have a BES
impact, since N-1 contingencies are already well planned for. The danger
to the BES would be from a coordinated attack on multiple plants.
- Such a coordinated attack would be very hard to pull off. (I used to think it was literally impossible, but now I’m not quite so sure
about that, given some information I learned fairly recently about a
situation in one part of the US. I am trying to interest various
organizations in investigating this potential vulnerability. So far I
haven’t had any success, but I’m not done yet. I will never publish details about this in my blog, but I’m not going to stop until
some organization has committed to investigating this situation. However, even if this vulnerability were to be exploited, it is highly unlikely that an outage would occur, and certainly not a widespread or even cascading outage.)
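To make the segmentation point in the second bullet concrete, here is an added worked example in Python. It is not from the original post or from NERC; the plant data is constructed, and the threshold is treated as “equal to or exceeding 1500 MW”, following the wording of Criterion 2.1 in CIP-002-5.1a Attachment 1. It models a plant as units plus the cyber systems that could trip them, and shows the 1800MW/three-600MW-unit case both with a single shared DCS (one Medium BCS) and properly segmented (no Medium BCS), plus the case an auditor would look for: per-unit control systems with a common system that still reaches every unit.

```python
"""Constructed illustration of the CIP-002 Criterion 2.1 segmentation point.

A plant is modelled as generating units (net MW) plus the cyber systems that
could trip them. A system is Medium impact under Criterion 2.1 only when the
plant's aggregate capability is 1500 MW or more AND the units that one system
could adversely affect within 15 minutes themselves aggregate to 1500 MW or
more. The threshold is treated as "equal to or exceeding", following the
wording of CIP-002-5.1a Attachment 1. All plant data here is made up.
"""
from dataclasses import dataclass

CRITERION_2_1_MW = 1500  # aggregate threshold in CIP-002 Attachment 1, Criterion 2.1


@dataclass(frozen=True)
class CyberSystem:
    name: str
    affects: frozenset  # unit names this system could trip within 15 minutes


@dataclass
class Plant:
    name: str
    units: dict    # unit name -> highest rated net real power capability, MW
    systems: list  # CyberSystem instances at the plant

    def plant_mw(self) -> int:
        return sum(self.units.values())

    def affected_mw(self, system: CyberSystem) -> int:
        # Aggregate capability of the units this one system could take down.
        return sum(self.units[u] for u in system.affects)

    def medium_impact_systems(self) -> list:
        # Criterion 2.1 is not in play at all below the plant-level threshold.
        if self.plant_mw() < CRITERION_2_1_MW:
            return []
        return [s.name for s in self.systems
                if self.affected_mw(s) >= CRITERION_2_1_MW]


def shared_dcs_plant() -> Plant:
    """1800 MW plant whose single DCS can trip all three units: one Medium BCS."""
    units = {"U1": 600, "U2": 600, "U3": 600}
    return Plant("Shared-DCS (constructed)", units,
                 [CyberSystem("plant DCS", frozenset(units))])


def segmented_plant() -> Plant:
    """Same 1800 MW, but each unit has its own DCS: no Medium BCS."""
    units = {"U1": 600, "U2": 600, "U3": 600}
    systems = [CyberSystem(f"{u} DCS", frozenset({u})) for u in units]
    return Plant("Segmented (constructed)", units, systems)


def partially_segmented_plant() -> Plant:
    """Per-unit DCSs, but a shared fuel-handling controller still reaches every
    unit, so that one shared system is Medium. This is the kind of common
    system an auditor checks for when a 1500 MW+ plant claims no Medium BCS."""
    units = {"U1": 600, "U2": 600, "U3": 600}
    systems = [CyberSystem(f"{u} DCS", frozenset({u})) for u in units]
    systems.append(CyberSystem("common fuel handling PLC", frozenset(units)))
    return Plant("Partially segmented (constructed)", units, systems)


def below_threshold_plant() -> Plant:
    """1400 MW plant with one shared DCS: below Criterion 2.1 regardless."""
    units = {"U1": 700, "U2": 700}
    return Plant("Below threshold (constructed)", units,
                 [CyberSystem("plant DCS", frozenset(units))])


if __name__ == "__main__":
    for plant in (shared_dcs_plant(), segmented_plant(),
                  partially_segmented_plant(), below_threshold_plant()):
        print(f"{plant.name}: {plant.plant_mw()} MW, "
              f"Medium impact systems: {plant.medium_impact_systems() or 'none'}")
```

The third case is the one worth dwelling on: segmenting the unit control systems is not enough if any shared system (fuel handling, common cooling water, a plant-wide historian with write access) can still reach every unit, because that system’s reach, not the plant’s wiring diagram, is what Criterion 2.1 measures.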
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. And if you’re a security vendor to the power industry, TALLC can help
you by developing marketing materials, delivering webinars, etc. To discuss any
of this, you can email me at the same address.
[i] There are actually multiple newsletters, all good.
[ii] Of course, the switching yard that connects a 1500MW+ plant will be Medium
impact under criterion 2.8, regardless of whether the plant is segmented or
not. And the Control Center that dispatches the plant will still have to count it
as a Criterion 2.1 plant for criterion 1.4, or count the entire 1500MW in
determining whether it is Medium impact under criteria 2.11 or 2.13.
[iii] This was for CIP v4. A 2200MW figure was approved at an SDT meeting in the
summer of 2010. But before CIP v4 was finalized, the threshold was lowered to
1500MW. I must have missed that meeting, or maybe I was doing emails.