Cyber Attacks Against U.S. Power Grid More Devastating Than Nuclear War: Is it Too Late? | Ron Benvenisti

Federal Energy Regulatory Commission Moves to Close Gap in Reliability Standards for Electric Grid Cyber Systems

As geopolitical tensions increase in Ukraine, we are in an extremely vulnerable state of increased cyber risk.

The U.S. power grid has become a serious target for a cyberattack that could take down the entire grid. The consensus is that this would be considerably more devastating than a nuclear attack. Just today, following a cyberattack in Ukraine, the IAEA (International Atomic Energy Agency) was informed of a power loss at Chernobyl.

In this case, the IAEA sees no critical impact on safety as “the heat load of spent fuel storage pool and volume of cooling water at the site is sufficient for effective heat removal without need for electrical supply.” However, that margin is finite; as the cooling water in the pool is depleted, it will no longer be effective.

This same scenario is possible, if not imminent, in the United States.

As the Biden administration bungled the Afghan retreat by leaving billions of dollars of weapons behind, some of the more dangerous ones are portable, handheld devices which can bring down power substations via cyberattacks. These can easily be smuggled into the US across the open southern border by Taliban sleeper cells. The current leader of the Taliban, Mawlawi Hibatullah Akhundzada, and his minions are ready to deploy these undetectable devices inside the USA to destroy substations, and to mount a larger cyberattack from Afghanistan which could disable the nationwide power grid, effectively destroying the infrastructure of the entire country and its entire population, as would an attack by Ukraine, Russia or China.

At the New Jersey Regional Operations & Intelligence Center (NJ ROIC), I participated in FEMA training sessions where we table-topped an exercise that proved the following:

Such an attack would leave the entire population without power, heat and water, with critical services such as Hatzalah, EMS, OEM, hospitals, fire departments and police immobilized. People would literally, God forbid, die in their homes within weeks.

The Federal Energy Regulatory Commission (FERC) Moves to Close Gap in Reliability Standards for Electric Grid Cyber Systems

Individuals and organizations need to be aware that cyberattacks will not just come from geopolitical threat actors. Criminals will take advantage of any distraction happening globally and use it as an opportunity to catch people off guard and execute their nefarious activities.

FERC today proposed to strengthen its Critical Infrastructure Protection (CIP) Reliability Standards by requiring internal network security monitoring (INSM) for high- and medium-impact bulk electric system (BES) cyber systems. The Notice of Proposed Rulemaking (NOPR) proposes to direct the North American Electric Reliability Corporation (NERC) to develop and submit new or modified Reliability Standards to address a gap in the current standards: the existing standards do not address potential vulnerabilities of the internal network to cyber threats.

The 2020 SolarWinds attack demonstrated how an attacker can bypass all the network perimeter-based security controls traditionally used to identify the early phases of an attack. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations, and SolarWinds customers had no reason to suspect the installation of compromised updates because the malicious updates were signed with SolarWinds’ own legitimate code-signing certificate.

SolarWinds software was used by Dominion and other systems said to bear a major responsibility for the alleged “rigged” 2020 Presidential election.

Incorporating INSM requirements into the CIP Reliability Standards would help to ensure that utilities maintain visibility over communications in their protected networks, FERC said. Doing so can help detect an attacker’s presence and movements and give the utility time to act before an attacker can fully compromise the network. INSM also helps to improve vulnerability assessments and can speed recovery from an attack.

INSM better postures an entity to detect an attacker in the early phases of an attack and reduces the likelihood that an attacker can gain a strong foothold and potential command and control, including operational control, on the target system. In addition to early detection and mitigation, INSM may improve incident response by providing higher quality data about the extent of an attack internal to a trust zone. High quality data from collected network traffic is important for recovering from cyberattacks, as this type of data allows for: (1) determining the timeframe for backup restoration; (2) creating a record of the attack for incident response and reporting; and (3) analyzing the attack itself to prevent it from happening again (e.g., through lessons learned that can improve organizational policies, processes, and playbooks). Finally, INSM allows entities to conduct internal assessments and prioritize any improvements based on their risk profile.

Attackers typically follow a systematic process of planning and execution to increase the likelihood of a successful compromise. This process includes: reconnaissance (e.g., information gathering); choice of attack type and method of delivery (e.g., malware delivered through a phishing campaign); taking control of the entity’s systems; and carrying out the attack (e.g., exfiltration of project files, administrator credentials, and employee personally identifiable information). A successful cyberattack requires the attacker to gain access to a target system and execute commands on it. In today’s hacking universe, that is no obstacle, as recent attacks have shown: Colonial Pipeline shut down its pipeline operations after a ransomware attack, and entire financial and government entities have been taken down.

Unfortunately, given the speed at which government bureaucracies move, it may already be too late.

A widely accepted framework for describing the process that an effective adversary typically follows to increase the probability of a successful compromise is Lockheed Martin’s Cyber Kill Chain, which breaks an intrusion into the specific steps an attacker could follow (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives). See SANS Institute, Applying Security Awareness to the Cyber Kill Chain.

NSA: A command-and-control (C2) channel is used to issue instructions to the compromised devices, download additional malicious payloads (e.g., malware and/or ransomware), which sit harmlessly until triggered, and exfiltrate data.
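The preceding passages describe what INSM is meant to surface inside a trust zone: an attacker’s movements, the command-and-control channel the NSA describes, operational control of equipment, and data leaving the network, none of which a perimeter control would see once a signed update has already brought the attacker inside (the SolarWinds case above). The Python below is an added example, not code from the NOPR, FERC, NERC or this article. It runs a minimal INSM pass over constructed Zeek-style connection records and tags each finding with the Kill Chain stage it suggests. Every address, port, threshold and log line is a constructed assumption.

```python
# Added example, not from the FERC NOPR or the article: a minimal internal
# network security monitoring (INSM) pass over constructed Zeek-style conn.log
# records from one protected trust zone.  It surfaces the behaviours the text
# says INSM is meant to catch and tags each with the kill-chain stage it
# suggests: C2 beaconing, new internal flows (lateral movement), control-protocol
# access from a host that is not an HMI, and bulk data leaving the zone.
# Every address, port, threshold and log line below is a constructed assumption.
from collections import defaultdict
from statistics import mean, pstdev

# Assumed zone inventory and tuning (hypothetical values).
HMI_HOSTS = {"10.20.1.10", "10.20.1.11"}       # hosts permitted to speak Modbus/DNP3
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}
BEACON_MIN_CONNS = 6          # connections needed before judging periodicity
BEACON_MAX_CV = 0.15          # stdev/mean of inter-arrival gaps; low = machine-like
BULK_BYTES = 50_000_000       # bytes one host sends to one peer within the window

# Constructed records, one connection per line: ts src sport dst dport proto orig_bytes
BASELINE_LOG = """\
1646700000 10.20.1.10 50123 10.20.2.5 502 tcp 1200
1646700010 10.20.1.11 50124 10.20.2.6 20000 tcp 900
1646700020 10.20.3.7 51000 10.20.4.2 445 tcp 40000
1646700030 10.20.3.7 51001 10.20.5.1 53 udp 80
"""

WINDOW_LOG = """\
# traffic that matches the learned baseline
1646786400 10.20.1.10 50200 10.20.2.5 502 tcp 1100
1646786405 10.20.3.7 51100 10.20.4.2 445 tcp 38000
# a non-HMI host starts polling a PLC it never touched before
1646786410 10.20.3.7 51200 10.20.2.5 502 tcp 600
# ... and a file server it never touched before
1646786420 10.20.3.7 51300 10.20.4.9 445 tcp 52000
# eight tiny connections roughly 60 s apart: beacon-like
1646786430 10.20.3.7 51400 10.20.9.1 443 tcp 310
1646786490 10.20.3.7 51401 10.20.9.1 443 tcp 310
1646786551 10.20.3.7 51402 10.20.9.1 443 tcp 310
1646786610 10.20.3.7 51403 10.20.9.1 443 tcp 310
1646786671 10.20.3.7 51404 10.20.9.1 443 tcp 310
1646786730 10.20.3.7 51405 10.20.9.1 443 tcp 310
1646786790 10.20.3.7 51406 10.20.9.1 443 tcp 310
1646786850 10.20.3.7 51407 10.20.9.1 443 tcp 310
# one large push to a staging host
1646786900 10.20.3.7 51500 10.20.9.3 443 tcp 61000000
"""


def parse_conn(text):
    """Parse the constructed whitespace-separated records into dicts."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, obytes = line.split()
        recs.append({"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "proto": proto, "orig_bytes": int(obytes)})
    return recs


def learn_baseline(recs):
    """Baseline = (src, dst, dport) triples seen during a known-good period."""
    return {(r["src"], r["dst"], r["dport"]) for r in recs}


def analyze(baseline, recs):
    """Return a list of alerts, each tagged with the kill-chain stage it suggests."""
    alerts, flagged = [], set()
    conns = defaultdict(list)        # (src, dst, dport) -> connection start times
    sent = defaultdict(int)          # (src, dst) -> bytes sent by src
    for r in recs:
        key = (r["src"], r["dst"], r["dport"])
        conns[key].append(r["ts"])
        sent[(r["src"], r["dst"])] += r["orig_bytes"]
        # Control protocol spoken by a host that is not an HMI: operational control attempt.
        if r["dport"] in OT_PORTS and r["src"] not in HMI_HOSTS and ("ot", key) not in flagged:
            flagged.add(("ot", key))
            alerts.append({"rule": "ot_protocol_unexpected_source", "stage": "Actions on Objectives",
                           "src": r["src"], "dst": r["dst"],
                           "detail": f"{OT_PORTS[r['dport']]} from a non-HMI host"})
        # Internal flow never seen in the baseline: lateral movement candidate.
        if key not in baseline and ("new", key) not in flagged:
            flagged.add(("new", key))
            alerts.append({"rule": "new_internal_flow", "stage": "Installation / lateral movement",
                           "src": r["src"], "dst": r["dst"],
                           "detail": f"port {r['dport']} not in baseline"})
    # Beaconing: many connections to one peer with machine-regular spacing.
    for (src, dst, dport), starts in conns.items():
        if len(starts) < BEACON_MIN_CONNS:
            continue
        ordered = sorted(starts)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_CV:
            alerts.append({"rule": "c2_beacon", "stage": "Command and Control", "src": src, "dst": dst,
                           "detail": f"{len(starts)} connections to port {dport} every ~{avg:.0f}s"})
    # Bulk transfer from one host to one peer: exfiltration candidate.
    for (src, dst), nbytes in sent.items():
        if nbytes >= BULK_BYTES:
            alerts.append({"rule": "bulk_transfer", "stage": "Actions on Objectives (exfiltration)",
                           "src": src, "dst": dst, "detail": f"{nbytes} bytes sent"})
    return alerts


if __name__ == "__main__":
    base = learn_baseline(parse_conn(BASELINE_LOG))
    for a in analyze(base, parse_conn(WINDOW_LOG)):
        print(f"[{a['stage']}] {a['rule']}: {a['src']} -> {a['dst']} ({a['detail']})")
```

On the constructed window every alert points at the same host, 10.20.3.7, which is the value the NOPR is after: one internal sensor sees the whole sequence (new peer, control-protocol write, beacon, bulk push) that a perimeter device would never observe. In a real deployment the baseline would be learned from weeks of traffic and the allow-lists maintained from the asset inventory rather than hard-coded.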

Additional Resources:

Executive Order No. 14028, 86 FR 26633, 26635, 26643 (mandating that the “Federal Government shall employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks” and “increas[e] the Federal Government’s visibility into threats”). The Executive Order further emphasizes that “cybersecurity requires more than government action” and “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

Executive Order No. 14028 refers to zero trust architecture. Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). See generally National Institute of Standards and Technology (NIST), NIST Special Publication 800-207 Zero Trust Architecture, (Aug. 2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (providing a general definition of zero trust and general information and cases where zero trust may improve an entity’s overall cybersecurity posture).
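The principle above, that a request earns nothing from its network location or from the asset being company-owned, is easiest to see as a policy decision. The Python below is an added example, not code from NIST SP 800-207, the Executive Order or this article. It is a toy policy decision point that consults the authenticated subject, an enrolled device with a posture claim, and an entitlement table, and records the source address only for audit; a location-based check is included solely to show which requests the two models disagree on. All subjects, devices, resources and policy entries are constructed assumptions.

```python
# Added example, not from NIST SP 800-207 or the article: a toy policy
# decision point applying the zero trust principle stated above.  Nothing is
# granted because a request arrives from an "inside" address or a company-
# owned asset; every request must carry an authenticated subject, an enrolled
# device with a posture claim, and an entitlement for that resource and action.
# All subjects, devices, resources and policy entries are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    subject: str                # principal already authenticated by the enforcement point
    mfa: bool                   # a strong second factor was presented for this session
    device_id: Optional[str]    # enrolled device identifier, None if unknown
    device_compliant: bool      # posture attestation passed (patched, EDR running, ...)
    resource: str
    action: str
    src_ip: str                 # recorded for audit only; never a policy input below


# Constructed policy data (hypothetical principals, devices and resources).
ENTITLEMENTS = {
    ("ops.engineer", "scada/hmi-01", "read"),
    ("ops.engineer", "scada/hmi-01", "write"),
    ("it.admin", "corp/fileserver", "read"),
}
ENROLLED_DEVICES = {"ews-0042", "lt-1711"}
HIGH_IMPACT = {"scada/hmi-01"}   # resources that also require MFA and a compliant device


def zero_trust_decide(req: Request) -> Tuple[bool, str]:
    """Explicit per-request verification; req.src_ip is deliberately not consulted."""
    if not req.subject:
        return False, "no authenticated subject"
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device not enrolled"
    if (req.subject, req.resource, req.action) not in ENTITLEMENTS:
        return False, "not entitled"
    if req.resource in HIGH_IMPACT:
        if not req.mfa:
            return False, "MFA required for high-impact resource"
        if not req.device_compliant:
            return False, "device posture non-compliant"
    return True, "allow"


def perimeter_decide(req: Request) -> Tuple[bool, str]:
    """The implicit-trust model zero trust replaces: anything on the LAN is trusted."""
    inside = req.src_ip.startswith("10.")
    return inside, "inside perimeter" if inside else "outside perimeter"


# Constructed requests chosen to show where the two models disagree.
SAMPLE_REQUESTS = [
    # LAN host, entitled user, but no MFA on a high-impact resource
    Request("ops.engineer", False, "ews-0042", True, "scada/hmi-01", "write", "10.20.1.10"),
    # remote user carrying every required claim
    Request("ops.engineer", True, "lt-1711", True, "scada/hmi-01", "write", "203.0.113.9"),
    # LAN host, wrong role for the resource
    Request("it.admin", True, "lt-1711", True, "scada/hmi-01", "read", "10.20.1.10"),
    # LAN host, unenrolled device reusing a valid identity
    Request("ops.engineer", True, None, False, "scada/hmi-01", "read", "10.20.3.7"),
]


def compare(requests):
    """Return (perimeter_allowed, zero_trust_allowed, zero_trust_reason) per request."""
    out = []
    for r in requests:
        p_ok, _ = perimeter_decide(r)
        z_ok, why = zero_trust_decide(r)
        out.append((p_ok, z_ok, why))
    return out


if __name__ == "__main__":
    for req, (p_ok, z_ok, why) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(f"{req.subject:13} from {req.src_ip:13} perimeter={p_ok!s:5} zero_trust={z_ok!s:5} ({why})")
```

Three of the four constructed requests come from LAN addresses and are waved through by the perimeter model; the zero trust decision denies all three, while the one request from a public address is allowed because it carries every claim the policy requires.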

Executive Order No. 14028, 86 FR 26633, 26643 (May 12, 2021).

National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, Section 2 (Industrial Control Systems Cybersecurity Initiative), (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/ (National Security Memorandum). See also The White House, Fact Sheet: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure, (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/fact-sheet-biden-administration-announces-further-actions-to-protect-u-s-critical-infrastructure/ (The White House July 28, 2021 Fact Sheet).

The White House July 28, 2021 Fact Sheet. JBS is a meat processing company, which shut down all of its beef processing plants in the USA as a result of a ransomware attack. See U.S. Department of Agriculture, Statement from the U.S. Department of Agriculture on JBS USA Ransomware Attack, (June 2021), https://www.usda.gov/media/press-releases/2021/06/01/statement-us-department-agriculture-jbs-usa-ransomware-attack.

National Security Memorandum, Section 2 (Industrial Control Systems Cybersecurity Initiative).

White House July 28, 2021 Fact Sheet.

CISA, Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives (Sept. 21, 2021), https://www.cisa.gov/control-systems-goals-and-objectives.

Joint Cybersecurity Advisory, Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department, (July 19, 2021), https://www.cisa.gov/uscert/sites/default/files/publications/CSA_TTPs-of-Indicted-APT40-Actors-Associated-with-China-MSS-Hainan-State-Security-Department.pdf.

Federal Energy Regulatory Commission, 2021 Annual Reliability Technical Conference, Transcript, Panel 3: Managing Cyber Risks in the Electric Power Sector, Docket No. AD21-11-000 (Sept. 30, 2021), https://www.ferc.gov/news-events/events/annual-commissioner-led-reliability-technical-conference-09302021. Panelists cited: Ben Miller (Vice President, Services and R&D, Dragos Inc.), Tr. 201:20-25, 202:1-7; Mark Fabro (President and Chief Security Scientist, Lofty Perch), Tr. 178:14-23; Manny Cancel (Senior Vice President and Chief Executive Officer, NERC E-ISAC); Tony Hall (Manager, CIP Program, Louisville Gas and Electric Company and Kentucky Utilities Company); Puesh Kumar (Acting Principal Deputy Assistant Secretary, Office of Cybersecurity, Energy Security, and Emergency Response, U.S. Department of Energy).

The White House, Press Briefing by Press Secretary Jen Psaki and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, (Feb. 17, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/02/17/press-briefing-by-press-secretary-jen-psaki-and-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-february-17-2021/.

National Rural Electric Cooperative Association (NRECA), DOE Awards NRECA $6M to Take Essence Cybersecurity Tool to the Next Level (Sept. 29, 2020), https://www.electric.coop/doe-gives-nreca-6m-to-take-essence-cybersecurity-tool-to-the-next-level; NRECA, New Cyber Technology Provides Real-Time Defense (March 15, 2021), https://www.electric.coop/new-essence-cyber-technology-provides-real-time-defense.

Packet capture allows information to be intercepted in real time and stored for long-term or short-term analysis, thus providing a network defender greater insight into a network. Packet captures provide context to security events, such as intrusion detection system alerts. See CISA, National Cybersecurity Protection System Cloud Interface Reference Architecture, Volume 1, General Guidance, at 13, 25, (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_NCPS_Cloud_Interface_RA_Volume-1.pdf.
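What “context to an intrusion detection system alert” looks like in practice is the handful of packets around the alert between the two hosts it names. The Python below is an added example, not code from the CISA reference architecture or this article. It builds a small libpcap-format capture in memory from constructed Ethernet/IPv4/TCP frames, reads it back with a stand-alone parser, extracts the packets within a time window of a constructed alert for one host pair, and names the Modbus/TCP function code in any payload on port 502. The alert, addresses and payloads are assumptions; the pcap, IPv4, TCP and Modbus/TCP (MBAP) layouts are the real ones.

```python
# Added example, not from the CISA reference architecture or the article: a
# self-contained packet-capture reader that pulls the packets around an IDS
# alert for the two hosts it names.  The capture is built in memory in libpcap
# format from constructed frames; the alert, addresses and Modbus payloads are
# assumptions for illustration.
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, SYN_ACK, PSH_ACK = 0x02, 0x12, 0x18

# Modbus/TCP function codes worth naming when the alert concerns port 502.
MODBUS_FUNCTIONS = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
                    6: "Write Single Register", 16: "Write Multiple Registers"}


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_record(ts, src, dst, sport, dport, flags, payload=b""):
    """One pcap record: 16-byte record header + Ethernet + IPv4 + TCP + payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    frame = eth + ip + tcp + payload
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_pcap(records):
    """Little-endian libpcap global header (version 2.4, snaplen 65535) plus records."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(records)


def read_pcap(data):
    """Yield one dict per TCP/IPv4 packet; non-IP and non-TCP frames are skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:      # file was written big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        ip = frame[14:14 + total]             # drop any Ethernet padding
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield {"ts": sec + usec / 1e6, "src": ".".join(map(str, ip[12:16])),
               "dst": ".".join(map(str, ip[16:20])), "sport": sport, "dport": dport,
               "flags": tcp[13], "payload": tcp[doff:]}


def modbus_function(payload):
    """Name the function code in a Modbus/TCP PDU (7-byte MBAP header, protocol id 0)."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    return MODBUS_FUNCTIONS.get(payload[7], f"function {payload[7]}")


def alert_context(data, alert_ts, host_a, host_b, window_s):
    """Packets between the two hosts (either direction) within +/- window_s of the alert."""
    lo, hi = alert_ts - window_s, alert_ts + window_s
    return [p for p in read_pcap(data)
            if lo <= p["ts"] <= hi and {p["src"], p["dst"]} == {host_a, host_b}]


# Constructed capture: a routine HMI poll, then an unexpected host writing a coil.
SAMPLE_PCAP = build_pcap([
    build_record(1646786300.0, "10.20.1.10", "10.20.2.5", 50200, 502, PSH_ACK,
                 b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),   # read 10 holding regs
    build_record(1646786410.0, "10.20.3.7", "10.20.2.5", 51200, 502, SYN),
    build_record(1646786411.0, "10.20.2.5", "10.20.3.7", 502, 51200, SYN_ACK),
    build_record(1646786412.0, "10.20.3.7", "10.20.2.5", 51200, 502, PSH_ACK,
                 b"\x00\x01\x00\x00\x00\x06\x01\x05\x00\x10\xff\x00"),   # write coil 16 ON
    build_record(1646786415.0, "10.20.3.7", "10.20.4.9", 51300, 445, PSH_ACK, b"\xfeSMB"),
    build_record(1646786500.0, "10.20.3.7", "10.20.2.5", 51200, 502, PSH_ACK),
])

if __name__ == "__main__":
    # Constructed IDS alert: "Modbus from unexpected source" at 1646786420 for this host pair.
    for p in alert_context(SAMPLE_PCAP, 1646786420.0, "10.20.3.7", "10.20.2.5", 30.0):
        fn = modbus_function(p["payload"]) if 502 in (p["sport"], p["dport"]) else None
        print(f"{p['ts']:.0f} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"flags=0x{p['flags']:02x} {fn or ''}")
```

For the constructed alert the context is the three-packet handshake-and-write from 10.20.3.7 to the PLC, and the decoded function code shows it was a Write Single Coil rather than a read, which is the difference between a noisy scanner and an attempt at operational control. The unrelated SMB packet in the same window and the packets outside it are filtered out.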

TTPs describe the behavior of an actor. Tactics are high-level descriptions of behavior, techniques are detailed descriptions of behavior in the context of a tactic, and procedures are even lower-level, highly detailed descriptions in the context of a technique. TTPs could describe an actor’s tendency to use a specific malware variant, order of operations, attack tool, delivery mechanism (e.g., phishing or watering hole attack), or exploit. See NIST, NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing, (Oct. 2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.


Cyber Security Incident Reporting Reliability Standards, Notice of Proposed Rulemaking, 82 FR 61499 (Dec. 28, 2017), 161 FERC ¶ 61,291 (2017) (proposing to direct NERC to develop and submit modifications to the NERC Reliability Standards to improve mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES).

Source: Federal Register, FR Doc. 2022-01537, filed Jan. 26, 2022.

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].


1 COMMENT

  1. TOO LATE?

    And if H-shem moves the sun one drop closer to earth, we will all fry.
    And if H-shem wills it, a nuclear bomb could drop from the sky.
    And if H-shem wants, there could be a Tsunami or a Hurricane
    a drought, a hunger, why, we may all go insane.

    We need to shift our focus.
    Let’s look inward and not outward.
    (Yes, I’m talking to myself too..)

    And if we Daven with more Kavanah and less distractions,
    Make learning and Chessed our priority
    Stay away from what distracts us from our true Avodah..
    and do Teshuva with all our heart…

    H-shem could bring peace to this world
    H-shem could heal all the sick
    H-shem could bring us all back to Eretz Yisroel
    …and rebuild the Bais Hamikdash

    …it’s NOT TOO LATE!!!!
    H-shem can do anything…and He will
    We gotta just do OUR part!!
