Wednesday, June 27, 2018

Are Generating Plants Vulnerable to a Cyber attack?

July 24, 2018: I just realized that I never finished this post, and it might leave the reader with the wrong impression of what I was saying (although the E&E News article referred to would hopefully correct that). Since I'm referring to this post in a new post I'm doing today, I have added a final paragraph to make clear my position. - Tom

On June 26, Energy and Environment News published an – as usual – excellent article titled “Coal plants’ vulnerabilities are largely unknown to feds”. Since EE News is a subscription service and the price is fairly steep, you will probably need to see if the organization you work for can foot the bill for the service. But this is an excellent newsletter regarding energy and the environment[i], and I highly recommend you look into subscribing. Without any doubt, they have the best coverage of cyber security in the energy industry, written by Blake Sobczak and Peter Behr.

I’ll let you read the article, which speaks for itself, but I’d like to add a little to the quotations from me that appear at the end of the article. Blake didn’t misrepresent anything I said to him when we talked, but I got (mildly) chastised by an industry consultant for being too easy on the generation sector. Here is my overall position on cyber security for that sector.

  1. I believe most coal, hydro and gas generating plants – especially those that are Medium impact under CIP – are probably fairly cyber secure as far as their own operations go. In other words, if one of these plants were to experience a cyber attack, it is very unlikely that it would be tripped.
  2. This also applies to the Criterion 2.1 plants (>1500MW) that have been segmented so that there are no Medium impact BES Cyber Systems. There is a popular misconception that the ability to segment the plant so that no single system can affect 1500MW – which means there are no Medium BCS – constitutes a “loophole” in the CIP requirements. This is simply not the case. If, say, an 1800MW plant with three 600MW units is properly segmented (and the auditors are looking at this very closely whenever an entity claims that a 1500MW+ plant has no Medium BCS), then this plant is no more vulnerable to a complete shutdown from a cyberattack than would be three 600MW plants situated near each other. The only difference is that in the first case, the three “plants” share a common fence and in the second they don’t.[ii] Of course, if you think the 1500MW threshold is too high and it should really be around 500MW, that’s another story – but I think this is appropriate, and it’s actually a lot lower than the 2200MW that I remember was originally approved by the Standards Drafting Team[iii].
  3. Even if a single plant, no matter how large, were to be brought down by a cyber attack, this would most likely not have a BES impact, since N-1 contingencies are already well planned for. The danger to the BES would be from a coordinated attack on multiple plants.
  4. Such a coordinated attack would be very hard to pull off (I used to think it was literally impossible, but now I’m not quite so sure about that, given some information I learned fairly recently about a situation in one part of the US. I am trying to interest various organizations in investigating this potential vulnerability. So far I haven’t had any success, but I’m not done yet. I will never publish details about this in my blog, but I’m not going to stop until some organization has committed to investigating this situation. However, even if this vulnerability were to be exploited, it is highly unlikely that an outage would occur, and certainly not a widespread or even cascading outage).

So my position is that, while it wouldn't be completely impossible to cause a widespread outage by attacking generation, it would be very difficult. As I said at the end of the article linked at the top, if you're aiming to bring down the North American power grid, you need to look elsewhere than generation.
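As an added illustration (not from the post, and not NERC's own method), here is a toy Python check of the segmentation reading in point 2 above: each cyber system is tagged with the generating units it can affect, and any system whose aggregate reach meets the 1500MW threshold is flagged as a candidate Medium BCS. The plant, unit and system names are constructed assumptions; only the 1500MW figure comes from the post.

```python
# Added example (not from the post): toy check of "no single cyber system can
# affect 1500 MW" for a segmented plant. Unit and system names are constructed.
from dataclasses import dataclass

MEDIUM_IMPACT_MW = 1500  # Criterion 2.1 aggregate threshold quoted in the post


@dataclass(frozen=True)
class CyberSystem:
    name: str
    units: frozenset  # generating units this system can affect (e.g. trip)


def reach_mw(system, unit_mw):
    """Aggregate nameplate MW of every unit the system can affect."""
    return sum(unit_mw[u] for u in system.units)


def medium_bcs(systems, unit_mw, threshold=MEDIUM_IMPACT_MW):
    """Names of systems whose reach meets the threshold (candidate Medium BCS)."""
    return [s.name for s in systems if reach_mw(s, unit_mw) >= threshold]


def largest_reach(systems, unit_mw):
    """Largest MW any single system in the list can affect."""
    return max(reach_mw(s, unit_mw) for s in systems)


# Constructed 1800 MW plant: three 600 MW units.
UNITS = {"U1": 600, "U2": 600, "U3": 600}

# Segmented design: each unit has its own DCS and nothing spans units.
SEGMENTED = [
    CyberSystem("DCS-U1", frozenset({"U1"})),
    CyberSystem("DCS-U2", frozenset({"U2"})),
    CyberSystem("DCS-U3", frozenset({"U3"})),
]

# A system shared by two units reaches 1200 MW, still below the threshold.
PARTIAL = SEGMENTED + [CyberSystem("fuel-handling", frozenset({"U1", "U2"}))]

# A plant-wide HMI network that reaches all three units breaks the segmentation.
SHARED = SEGMENTED + [CyberSystem("plant-HMI", frozenset(UNITS))]

if __name__ == "__main__":
    print("segmented:", medium_bcs(SEGMENTED, UNITS))  # []
    print("partial:", medium_bcs(PARTIAL, UNITS))      # []
    print("shared:", medium_bcs(SHARED, UNITS))        # ['plant-HMI']
```

The point the post makes is the last case: segmentation only holds if no shared system (historian, HMI network, common control network) can reach units that add up to the threshold, which is exactly what auditors look for.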


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.



[i] There are actually multiple newsletters, all good.

[ii] Of course, the switching yard that connects a 1500MW+ plant will be Medium impact under criterion 2.8, regardless of whether the plant is segmented or not. And the Control Center that dispatches the plant will still have to count it as a Criterion 2.1 plant for criterion 1.4, or count the entire 1500MW in determining whether it is Medium impact under criteria 2.11 or 2.13.

[iii] This was for CIP v4. A 2200MW figure was approved at an SDT meeting in the summer of 2010. But before CIP v4 was finalized, the threshold was lowered to 1500MW. I must have missed that meeting, or maybe I was doing emails.
