July 24, 2018: I just realized that I never finished this post, and it might leave the reader with the wrong impression of what I was saying (although the E&E News article referred to would hopefully correct that). Since I'm referring to this post in a new post I'm doing today, I have added a final paragraph to make clear my position. - Tom
So my position is that, while it wouldn't be completely impossible to cause a widespread outage by attacking generation, it would be very difficult. As I said at the end of the article linked at the top, if you're aiming to bring down the North American power grid, you need to look elsewhere than generation.
On June 26, Energy and Environment News published an – as usual – excellent article titled “Coal plants’ vulnerabilities are largely unknown to feds”. Since EE News is a subscription service and the price is fairly steep, you will probably need to see if the organization you work for can foot the bill for the service. But this is an excellent newsletter regarding energy and the environment[i], and I highly recommend you look into subscribing. Without any doubt, they have the best coverage of cyber security in the energy industry, written by Blake Sobczak and Peter Behr.
I’ll let you read the article, which speaks for itself, but I’d like to add a little to the quotations from me that appear at the end of the article. Blake didn’t misrepresent anything I said to him when we talked, but I got (mildly) chastised by an industry consultant for being too easy on the generation sector. Here is my overall position on cyber security for that sector.
- I believe most coal, hydro and gas generating plants – especially those that are Medium impact under CIP – are probably fairly cyber secure, as far as their own operations go. In other words, if one of these plants were to experience a cyber attack, it is very unlikely that it would be tripped or damaged.
- This also applies to the CIP-002 R1 Criterion 2.1 plants (plants >1500MW) that have been segmented so that there are no Medium impact BES Cyber Systems. There is a popular misconception that the ability to segment the plant so that no single system can affect 1500MW – which means there are no Medium BCS and therefore a much smaller CIP compliance burden – constitutes a “loophole” in the CIP requirements. This is simply not the case. If, say, an 1800MW plant with three 600MW units is properly segmented, then this plant is no more vulnerable to a complete shutdown from a cyberattack than would be three separate 600MW plants that happened to be situated near each other. The only difference is that in the first case the three “plants” (i.e., the three units of the 1500+MW plant) share a common fence, and in the second they don’t.[ii]
Of course, if you think the 1500MW threshold is too high and it should really be around 500MW, that’s another story. However, I think 1500MW is appropriate. In fact, it’s actually a lot lower than the 2200MW that was originally approved by the Standards Drafting Team[iii].
- Even if a single generating plant, no matter how large, were to be brought down by a cyber attack, this would most likely not have a BES impact, since N-1 contingencies are already well planned for. The danger to the BES would be from a coordinated attack on multiple plants.
- Such a coordinated attack would be very hard to pull off. (I used to think it was literally impossible, but now I’m not quite so sure about that, given some information I learned fairly recently about a possible vehicle for a large generation outage in one part of the US. I am trying to interest various organizations in investigating this potential vulnerability. So far I haven’t had any success, but I’m not done yet. I will never publish details about this in my blog, but I’m not going to stop until some organization has committed to investigating this situation.)
- Note from Tom, July 2025: I finally got FERC interested in investigating this situation in 2018 or 2019, although I had to approach one of the Commissioners to accomplish this. I remain quite disappointed that the two large grid operators I approached originally not only didn't want to investigate the problem themselves, but they didn't even encourage me to find someone else to investigate it - although the second one suggested I could talk with FERC. If I told you what I had learned that set me off on my quest, your hair would stand on end. In fact, I had a full head of hair before I learned of the problem :).
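The segmentation argument in the second bullet, as an added example that is not part of the original post: a small Python model that checks whether any single BES Cyber System in a plant can affect more than 1500MW, which is what decides whether the plant has Medium impact BCS under Criterion 2.1. The unit sizes, system names and the mapping of which units each system can affect are constructed assumptions; in practice that mapping comes from the entity's own 15-minute impact assessment.

```python
from dataclasses import dataclass

# Criterion 2.1 threshold as stated in the post: a single system's reach only
# makes it Medium impact when it exceeds 1500 MW.
CRITERION_2_1_MW = 1500


@dataclass
class CyberSystem:
    """A BES Cyber System plus the generating units it could take offline."""
    name: str
    units: frozenset[str]


@dataclass
class Plant:
    name: str
    unit_mw: dict[str, int]        # unit name -> net MW (constructed values)
    systems: list[CyberSystem]


def aggregate_mw(plant: Plant, system: CyberSystem) -> int:
    """MW one system can remove from the grid: the sum of every unit it reaches."""
    return sum(plant.unit_mw[u] for u in system.units)


def medium_impact_systems(plant: Plant) -> list[str]:
    """Names of systems whose single-point reach exceeds the Criterion 2.1 threshold."""
    return [s.name for s in plant.systems
            if aggregate_mw(plant, s) > CRITERION_2_1_MW]


def is_segmented(plant: Plant) -> bool:
    """True when no single system can affect more than 1500 MW."""
    return not medium_impact_systems(plant)


# Constructed 1800 MW plant with three 600 MW units (the post's own scenario).
UNITS = {"U1": 600, "U2": 600, "U3": 600}

# Case 1: per-unit control systems, plus one auxiliary system shared by two
# units. The shared system reaches 1200 MW, still under the threshold.
SEGMENTED = Plant("Segmented 1800 MW", UNITS, [
    CyberSystem("U1 DCS", frozenset({"U1"})),
    CyberSystem("U2 DCS", frozenset({"U2"})),
    CyberSystem("U3 DCS", frozenset({"U3"})),
    CyberSystem("U1/U2 shared auxiliaries", frozenset({"U1", "U2"})),
])

# Case 2: a single plant-wide DCS or network that reaches all three units.
UNSEGMENTED = Plant("Unsegmented 1800 MW", UNITS, [
    CyberSystem("plant-wide DCS", frozenset({"U1", "U2", "U3"})),
])
```

The shared-auxiliaries entry is the case to watch in a real assessment: any plant-wide system (network, historian, common cooling or fuel handling) that can reach all units aggregates to the full plant output and undoes the segmentation.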
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[i] There are actually multiple newsletters, all good.
[ii] Of course, the switching yard that connects a 1500MW+ plant will be Medium impact under criterion 2.8, regardless of whether the plant is segmented or not. And the Control Center that dispatches the plant will still have to count it as a "Criterion 2.1" plant for criterion 1.4, or count the entire 1500MW in determining whether it is Medium impact under criteria 2.11 or 2.13.
[iii] This was for CIP v4. A 2200MW figure was approved at an SDT meeting in the summer of 2010. But before CIP v4 was finalized, the threshold was lowered to 1500MW.