Blake
Sobczak and Pete Behr of E&E News
published a really excellent story
today about the large transformer issue. I was expecting the story would focus
on the big problems with replacing them – long lead times, difficult transportation,
etc. (which wouldn’t be new news, of course). Instead, they focused on the potential
problems posed by China becoming a big source of large transformers in the US.
They talk
about two general problems. One is counterfeit – or deliberately tampered with –
parts that could fail at an important time and cause big problems at key
substations. But then they talk about cyber security problems. I never thought
transformers could have cyber security problems, but they point out that transformers
now all have sensors for maintenance purposes. Generating false readings on a
sensor could lead to control centers taking actions they shouldn’t take, or not
taking actions they should. If an adversary were able to fry a lot of large
transformers at a time, this could cause severe problems for power flows.
So does this
mean that the transformers (or perhaps the sensor monitoring systems) are BES
Cyber Systems, and the industry should start applying all the CIP protections
(including CIP-013) to them? I don’t think so. While these systems would
definitely be Cyber Assets, I don’t think they’d be BES Cyber Assets. Yes, an
adversary might cause a 15-minute BES impact if the monitoring system were didn’t
tell a control center that the oil had drained out of the transformer. But it
wouldn’t inevitably cause an impact.
Maybe the control center would figure out that there was something wrong with
the sensors and send someone to physically inspect the transformer – then there
wouldn’t be an impact; there are many other such scenarios. I’ve always thought
that the word “inevitably” is the key to understanding when a Cyber Asset is a
BCA and when it isn’t – although don’t ask me to show you where I said it. I
just looked and couldn’t find where I said it. But I know I did.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.
No comments:
Post a Comment