NERC task force recommends actions to identify, protect against cyber attacks

A report by NERC’s Cyber Attack Task Force (CATF) recommended actions the bulk power industry should take to reduce the likelihood and effects of cyber attacks on North America’s power system, including developing strategies to attract and retain advanced cyber security talent.

In its 88-page report, the CATF identified actions that were sorted into one or more of three categories: actions to prevent or deter an attack, actions to detect an attack, and actions to respond to an attack.

The CATF report included eight recommendations for bulk power system entities.

The report recommended that entities develop strategies to attract cyber security talent and further develop the knowledge, skills, and abilities of existing staff to address increasingly sophisticated cyber threats.

Entities should also enhance their training to incorporate simulated cyber attacks that raise operator awareness of a coordinated cyber attack, the report said.

In addition, training should be expanded to include a broader range of utilities, experts, and other stakeholders. The report specifically recommended that NERC work with the U.S. Department of Energy’s (DOE) national laboratories and a pilot group of electricity utilities to coordinate a transmission planning exercise that would simulate a coordinated cyber attack that creates a cascading event and blackout.

The report also said NERC’s Critical Infrastructure Protection Committee (CIPC) should support further development and implementation of several DOE initiatives to help ensure protection of critical systems supporting the bulk power system.

The report also called for greater participation in and support of NERC’s initiatives. That support “can help the industry with cyber attack identification, defense, and response,” the report said.

Recommendations included establishing a NERC working group “to further develop attack trees with the goal of … performing detailed analysis, and providing recommendations to industry from this analysis.”

Attack trees are modeling representations that display how possible attacks might take place, a NERC spokesperson told TransmissionHub on May 24.

“The tree is very helpful to allow defenders to see how they can efficiently and effectively defend against attacks,” Michael Assante, president and CEO of the National Board of Information Security Examiners, told TransmissionHub on May 24.

The report recommended that entities use information contained in the companion report by NERC’s Severe Impact Resilience Task Force (SIRTF), which offers a number of recommendations regarding the state of “conservative operations” that would likely follow a major disruption.

Finally, the CATF report said entities should ensure that operational, security, technical, and managerial staff know their roles in evaluating, responding, and making timely decisions to slow or stop a coordinated cyber attack. In addition, the entities should participate in programs established to share security-sensitive or classified information regarding cyber threats and vulnerabilities.

The task force did not attempt to determine the likelihood of a cyber attack, nor did it attempt to determine which functional entities might be more susceptible or vulnerable to attack.