The Federal Energy Regulatory Commission does not need to further modify cybersecurity rules for distributed resources on the bulk electric system (BES), a range of utility sector stakeholders indicated in response to a June notice of inquiry (NOI) focused on the potential for a coordinated cyberattack on geographically dispersed targets.
The issues raised in the NOI "are covered under existing and/or soon to be implemented" Critical Infrastructure Protection (CIP) Reliability Standards, the Edison Electric Institute (EEI) and the Electric Power Supply Association (EPSA) said in Aug. 24 comments.
Some industry vendors, such as Siemens Energy, have recommended lowering megawatt thresholds to require stricter cyber rules for smaller BES systems, which they say are more exposed targets and can pose a threat to grid reliability. Security experts say the disconnect in views reflects each group's need to maximize profits.
"I'm not surprised industry vendors are suggesting there should be a lower threshold," said Mike Almeyda, account manager with risk management firm Force 5. At the same time, he said, "it's not that industry doesn't want to do the work." CIP standards are evolving and are already closely aligned with the National Institute of Standards and Technology's Cyber Security Framework, he said.
Enacting stricter standards for smaller resources would raise costs, said Almeyda, including potentially requiring physical security perimeters around smaller renewable facilities. The utility sector is "trying to figure out how they can be within compliance," he said, "but still produce a profit for shareholders."
The North American Electric Reliability Corporation (NERC) and its six regional reliability entities jointly said that federal regulators should move cautiously in extending the data security requirements for medium and high-impact BES facilities to smaller resources.
"NERC has new and modified CIP Reliability Standards in various stages of implementation that will strengthen the requirements already in effect," according to the non-profit corporation charged with overseeing grid reliability. "NERC is also in the midst of several standards development projects aimed at enhancing the CIP Reliability Standards to provide additional protection against cyber threats and vulnerabilities."
New CIP standards being rolled out aim to increase security controls for vendors and include a supply chain risk assessment by utilities.
FERC "should reconsider any additional enhancements until after these standards have been in place for a period of time," EEI and EPSA told regulators. "Experience with these standards will better inform any potential future Commission action in this area."
And the Transmission Access Policy Study Group (TAPS), which represents entities across almost three dozen states that are largely dependent on transmission facilities, said in comments that instead of issuing directives for new standards FERC "should allow NERC's existing processes to work."
"NERC currently has multiple standard drafting teams working on improvements to the CIP Reliability Standards," TAPS told regulators. "New and modified standards are only the tip of the iceberg of NERC's cybersecurity efforts."
Every two years, NERC and the Electricity Information Sharing and Analysis Center (E-ISAC) test the ability of the grid to respond to coordinated cyber and physical attacks in an exercise called GridEx. E-ISAC coordinates, in participation with the U.S. Department of Energy DOE and the Pacific Northwest National Laboratory, the industry's Cyber Security Risk Information Sharing Program.
Collaboration and information sharing between electric sector stakeholders is a key to maintaining security and reliability, said Almeyda.
"There definitely needs to be more collaboration," he said. Regulators need to "promote and encourage registered entities to be more transparent in how their load impacts the bulk electric system, specifically the interconnect they are a part of."
Despite the utility sector's confidence that existing rules are sufficient for now, the industry broadly recognizes a growing vulnerability fueled by the rise of grid-connected resources.
"Threats to the reliability of the BES exist in all connected assets and systems regardless of their high, medium or low-impact designation," security provider Forescout Technologies said in its comments. "Low impact BES cyber systems could benefit from adherence to CIP standards."
"It is possible, if enough of those low impact sites are compromised, that you could have an impact," Almeyda said. "The degree of the impact remains to be seen — depending on which grid they are in, who they're tied to, and what combined megawatts we're talking about."
Some renewable generators have designed their projects to segment into smaller facilities, said Almeyda, in order to retain low-impact designations. Siemens Energy filed comments recommending modifications to CIP standards so that the medium-impact threshold begins at 1,000 MW instead of the present 1,500 MW.
"Reducing the lower threshold for medium impact BES cyber systems supports the reliability of the grid by bringing legacy large single generating plants under CIP Reliability Standard requirements," Siemens said. "This improves reliability of the grid by protecting against potential localized frequency disturbances and voltage sagging related to a successful cyberattack."
Potential CIP changes are not the only route FERC is considering to boost grid security for distributed assets. The commission has also taken comments on a proposal to voluntarily apply certain CIP standards to facilities that are not currently subject to those requirements.
Almeyda expects FERC will make changes to the CIP standards, including stricter requirements for low-impact facilities, but said that the industry should have ample time to adjust. Registered entities have 24 months to come into compliance with new security requirements once they are in place, he said.