FERC, in a July 21 notice of inquiry, said it seeks comment on possible modifications to the Critical Infrastructure Protection (CIP) Reliability Standards regarding the cybersecurity of control centers used to monitor and control the bulk electric system in real time.
Comments are due 60 days after publication in the Federal Register, FERC said.
Noting that cyber systems are used extensively for the operation and maintenance of interconnected transmission networks, FERC said that a 2015 cyberattack on the electric grid in Ukraine is an example of how cyber systems used to operate and maintain interconnected networks, unless adequately protected, may be vulnerable to cyberattack.
While certain controls in the CIP Reliability Standards may reduce the risk of such attacks, FERC said that it seeks comment on possible modifications to the CIP Reliability Standards – and any potential impacts on the operation of the bulk power system resulting from such modifications – to address these matters:
- Separation between the internet and the bulk electric system cyber systems in control centers performing transmission operator functions
- Computer administration practices that prevent unauthorized programs from running, referred to as “application whitelisting,” for cyber systems in control centers
FERC noted that it approved in January 2008 an initial set of eight CIP Reliability Standards pertaining to cybersecurity. FERC also directed NERC to develop certain modifications to the CIP Reliability Standards. FERC added that since 2008, those standards have undergone multiple revisions to address FERC directives and respond to emerging cybersecurity issues.
FERC also noted that the current CIP Reliability Standards do not require isolation between the internet and bulk electric system cyber systems in control centers performing transmission operator functions through use of physical (hardware) or logical (software) means.
Requiring physical separation between the internet and cyber systems in control centers performing transmission operator functions would require data connections to control centers or other facilities owned by transmission operators over dedicated data lines owned or leased by the transmission operator, instead of allowing communications over the internet, FERC said.
Of application whitelisting, FERC noted that it could be a more effective mitigation tool than other measures because whitelisting allows only software applications and processes that have been reviewed and tested before use on the system network to run. Once all installed applications are known, the security professional can configure the whitelisting program to recognize each approved application; any unapproved application will trigger an alert, FERC added.
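As an added illustration (not part of FERC's notice or this article), the following Python sketch shows the default-deny logic the paragraph describes: an inventory of approved applications keyed by path and by the SHA-256 of the reviewed build, evaluated against process-start events, with anything outside the inventory, or a modified binary at an approved path, raising an alert. Host names, paths and binary contents are constructed sample values, not taken from any real control center.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved software baseline: the bytes of each reviewed and tested build.
# Constructed sample data; a real baseline comes from the vetted asset inventory.
BASELINE_BINARIES: Dict[str, bytes] = {
    "/opt/ems/bin/scada_hmi": b"scada_hmi release 4.1 (constructed sample bytes)",
    "/opt/ems/bin/alarm_svc": b"alarm_svc release 4.1 (constructed sample bytes)",
    "/usr/sbin/sshd": b"sshd 7.4 (constructed sample bytes)",
}
# The allowlist stores path -> expected hash, so a swapped binary at an
# approved path is caught even though the path itself is trusted.
ALLOWLIST: Dict[str, str] = {p: sha256_hex(b) for p, b in BASELINE_BINARIES.items()}


@dataclass
class ExecEvent:
    host: str
    path: str
    image: bytes  # bytes of the executable image that was launched


@dataclass
class Alert:
    host: str
    path: str
    reason: str


def evaluate(event: ExecEvent, allowlist: Dict[str, str] = ALLOWLIST) -> Optional[Alert]:
    """Default deny: a program may run only if its path is approved AND its
    hash matches the reviewed build. Anything else produces an alert."""
    expected = allowlist.get(event.path)
    if expected is None:
        return Alert(event.host, event.path, "not in approved inventory")
    if sha256_hex(event.image) != expected:
        return Alert(event.host, event.path, "approved path, hash mismatch (modified binary)")
    return None


def scan(events: Iterable[ExecEvent], allowlist: Dict[str, str] = ALLOWLIST) -> List[Alert]:
    return [a for a in (evaluate(e, allowlist) for e in events) if a is not None]


# Constructed process-start events: one approved launch, one unknown binary,
# one approved path whose contents no longer match the reviewed build.
SAMPLE_EVENTS = [
    ExecEvent("cc-ops-01", "/opt/ems/bin/scada_hmi", BASELINE_BINARIES["/opt/ems/bin/scada_hmi"]),
    ExecEvent("cc-ops-01", "/tmp/update_helper.exe", b"unknown dropped executable"),
    ExecEvent("cc-ops-02", "/opt/ems/bin/alarm_svc", b"alarm_svc release 4.1 (tampered)"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert.host} {alert.path}: {alert.reason}")
```

Note that this check says nothing about who launched an approved program or why: an attacker using legitimate credentials to run an approved remote administration tool, as the alert describes, would not trigger it, which is why asset management and access controls accompany whitelisting rather than replace it.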
Last December, FERC said, three regional electric power distribution companies in Ukraine experienced a cyberattack resulting in power outages that affected at least 225,000 customers. An analysis conducted by a team from the Electricity Information Sharing and Analysis Center (E-ISAC) and SANS Industrial Control Systems (SANS ICS) observed that “the cyber attacks in Ukraine are the first publicly acknowledged incidents to result in power outages,” FERC said.
An “alert” in response to the Ukraine incident that the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team issued in February stated that the cyberattack was sophisticated and well planned. The alert reported that the cyberattacks at each company occurred within 30 minutes of each other and affected multiple central and regional facilities, FERC added.
The alert explained that during the cyberattacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.
FERC also said that the alert reported that the affected companies indicated that the attackers wiped some systems at the conclusion of the cyberattack, which erased selected files, rendering systems inoperable.
The alert recommended key examples of best-practice mitigation strategies, including procurement and licensing of trusted hardware and software systems; knowing who and what is on your network through hardware and software asset management automation; timely patching of systems; and strategic technology refresh.
FERC said that it seeks comment on the operational impact to the bulk power system if bulk electric system cyber systems were isolated from the internet in all control centers performing transmission operator functions. Specifically, FERC said that it seeks comment on what, if any, reliability issues might arise from such a requirement.
FERC also said that it seeks comment on whether the CIP Reliability Standards should be modified to require application whitelisting for all bulk electric system cyber systems in control centers, adding: “Is application whitelisting appropriate for all such systems? If not, are there certain devices or components on such systems for which it is appropriate?”
Comments must refer to Docket No. RM16-18-000, FERC said.