NERC Compliance and the Worst-Case Scenario of Cyber Attacks on the Grid

Share Article

Cyber attacks outage only two-weeks says NERC, but takeover of Control Centers can yield even worse damage. Control Center takeover is not currently addressed in NERC Compliance Standard CIP-014-2; yet it is considered by some utilities to be as critical as active shooters or bombs.

Drone risk to substations

Drone Threat to BES Substations - Webinar on June 15th @ 1 PM CST

Mr. Cauley told Congress that while simultaneously attacking multiple sites would be difficult given the improved security measures implemented in the industry, "It's the one I worry about the most."

North American Electric Reliability Corporation (NERC) president and CEO, Gerry W. Cauley, testified in a Congressional hearing recently stating, “It’s very technically challenging to go from an electronic cyber attack to causing physical damage to equipment.”

He also indicated that a “worst case” scenario for any outage, whether as a result of a cyber-attack or other conditions, is considered by NERC to be unlikely to last more than two weeks. This NERC analysis includes information from the December 2015 cyber attack of Ukraine’s electric grid that affected some 48 substations and 250,000 customers, as well as the results of a NERC analysis, published in January, of industry restoration plans and the results of the fall 2015 GridEX III exercise.

“There was no damage to equipment,” said Mr. Cauley of the Ukrainian attack, while testifying that in his 35-year experience working substations that little damage is possible as a result of cyber attacks. In the Ukraine attack, access through remote connections enabled the attackers to open breakers stopping the flow of electricity. However, the success of the attack in physically bringing down part of the Ukraine electrical grid using BlackEnergy was assisted by a “denial of service” effort to jam and overload grid operations telephone systems, greatly reducing the ability to assess and communicate what was going on and coordinate response services. And it is possible by hacking into the generation side of an electrical system to alter rotating turbines and generators potentially causing serious damage, a concern voiced by Congressman Meadows of North Carolina at the hearing. While Cauley’s testimony that “physical damage is rare” is typically thought to be correct, Congressman Meadows of North Carolina pointed out that some cases of mis-operation of digital control systems can cause damage to physical components, a reference in this case to the Aurora vulnerability largely addressed by NERC and the industry from 2007 to 2011.

Mr. Cauley told Congress that while simultaneously attacking multiple sites would be difficult given the improved security measures implemented in the industry, “It’s the one I worry about the most.” Mr. Cauley noted that physical attacks would need to occur at multiple locations to cause extensive damage and extended power outages. However, in discussions with senior utility executives, Corporate Risk Solutions, Inc. (CRSI) has concluded that a physical attack on major control centers, likely through clandestine efforts and use of inside help, and perhaps in conjunction with a cybersecurity attack, could result in the same potential shutdown of power that occurred in Ukraine, outright damage to generation capabilities, or catastrophic transmission failures.

Control Center takeover is not currently addressed in NERC CIP-014-2, the Physical Security Reliability Standard issued in March 2015 designed to harden substations and primary control centers against coordinated physical attacks. Yet, it is considered by some utilities to be as critical as active shooters or bombs. As an example, GridEx III utilized active shooter, vehicle-borne bombs and drones. Drone threat to Substations and the Bulk Electric System is the subject of a future CRSI webinar in June 2016. To register, click here.

If you are subject to Standard CIP-014-2 or Standards CIP-002 - 011, we strongly recommend you consider this threat vector in your vulnerability assessments. While not an explicit requirement of the standards today, it could be argued that the standards are implicitly defined to be inclusive of such identified threat vectors. More importantly, future standards development may explicitly include these threat vectors to Control Centers. CRSI can assist you with recommendations and solutions in this area.

Our next webinar, “Low Impact CIP Requirements, are you ready?” is on May 11, 2016 at 2:00 PM EST. To register, click here.

Corporate Risk Solutions, Inc. is the leader in NERC Compliance consulting; providing technical expertise and strategic leadership to the energy industry since 2001. CRSI has completed literally thousands of projects since its inception, including working with more than 230 electric utilities across all 8 NERC regions in the past 5 years alone. CRSI specializes in NERC Critical Infrastructure Protection (CIP), NERC 693, Physical Security and IT/Cyber Security, among other areas. CRSI is highly experienced in performing Cyber Vulnerability Assessments, Mock Audits, Gap Analysis, Implementation Programs and Subject Matter Expert (SME) Training.

CRSI wrote the definitive NERC CIP Compliance Guide for our utility partners. Learn more by visiting our website.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Jonathan Roe
@CoRiskSolutions
Follow >
Corporate Risk Solutions, Inc.
Like >
Corporate Risk Solutions, Inc.