FERC Approves Extending Risk Management Practices to Low-Impact Cyber Systems
March 19, 2023
by Paul Ciampoli
APPA News Director
The Federal Energy Regulatory Commission on March 16 approved a new cybersecurity standard that will expand supply chain risk management practices for low-impact bulk electric system cyber systems.
The new standard, proposed by the North American Electric Reliability Corporation in December 2022, requires entities with bulk electric system facilities whose assets are designated low impact to have methods for determining and disabling vendor remote access.
Generally, low-impact assets are generation or transmission facilities that pose a lower risk to the bulk electric system if they are compromised.
“This standard improves the reliability of the grid by expanding existing security controls to provide greater visibility into electronic communication between low-impact bulk electric system cyber systems and vendors,” FERC said.
The security controls will allow detection and the ability to disable vendor remote access in the event of a known or suspected malicious communication, it said.
APPA Voices Concerns About Redundant Cyber Incident Reporting Bill
March 6, 2023
by Paul Ciampoli
APPA News Director
The House Energy and Commerce Committee’s Subcommittee on Energy, Climate, and Grid Security in late February approved a bill that would set up redundant cyber incident reporting mandates.
The American Public Power Association believes the bill, H.R. 1160, the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, would create significant confusion, as well as impose a significant burden on public power utilities with little, if any, security benefits. The bill is sponsored by Representatives Tim Walberg (R-MI) and Kim Schrier (D-WA).
H.R. 1160 would define the Department of Energy as the designated agency within the federal government to receive notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from other federal agencies and owners, operators, and users of critical electric infrastructure.
Owners, operators, and users of critical electric infrastructure (including federal agencies, such as the Power Marketing Administrations) would be required to report cybersecurity incidents and potential cybersecurity incidents to DOE within 24 hours of discovery. DOE would be directed to, within 240 days of enactment, promulgate regulations to facilitate the submission of notifications regarding cybersecurity incidents and potential cybersecurity incidents.
In a Feb. 26 letter to lawmakers, Desmarie Waterhouse, Senior Vice President of Advocacy and Communications & General Counsel at APPA, detailed APPA’s concerns with H.R. 1160.
She said it is not clear how this legislation would work with existing cybersecurity incident reporting requirements, such as what is required through the North American Electric Reliability Corporation, or with pending cybersecurity incident reporting requirements, such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CIRCIA directs the Cybersecurity and Infrastructure Security Agency to work with sector risk management agencies (DOE, in the electric utility industry’s space) to harmonize implementation of the law with existing reporting requirements.
“APPA believes that task will be a significant undertaking and enactment of this legislation would create great confusion,” wrote Waterhouse.
CIRCIA says that covered entities that report “substantially similar information” within a “substantially similar timeframe” to another federal agency can be exempted from reporting directly to CISA provided that the federal agency has an “agency agreement and sharing mechanism in place” with CISA.
APPA believes that DOE should prioritize getting the legal agreements and technology in place that would allow electric utilities to report incidents directly to DOE (or NERC/FERC) and have that reporting count as fulfilling our reporting obligations under CIRCIA. This would benefit DOE without setting up a separate process as this bill envisions, Waterhouse said.
Defining what constitutes a “potential cybersecurity incident” is “deceptively difficult – it is subjective and highly dependent on the situation and assets involved,” wrote Waterhouse.
Such mandated reporting of “potential incidents,” especially with a 24-hour reporting window, would likely result in utilities overreporting, making it difficult if not impossible to get a meaningful signal through the noise.
“For example, one large APPA member says that it blocks roughly one million attempts to connect to internal networks on any given day. Each of these one million attempts could fall into the ‘potential cybersecurity incident’ definition. But none of these attempts were successful, nor were they targeted, which negates the usefulness of reporting,” the letter notes.
In addition, critical electric infrastructure is defined in the 2015 FAST Act as “a system or asset of the bulk power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.”
“This is a broad definition. No list exists of CEI and this legislation does not offer any guidance as to who would determine what constitutes CEI — would DOE have to create one to figure out who is covered by this law or would utilities have to self-designate? Each of these possibilities comes with a host of issues,” wrote Waterhouse.
APPA is urging member utilities that have members of Congress who sit on the full Energy & Commerce Committee to reach out to those lawmakers immediately to flag concerns with this legislation and to share APPA’s letter.
New Resource Focuses on Electricity Substation Physical Security
February 23, 2023
by Paul Ciampoli
APPA News Director
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has released a new resource that provides owners, operators, and stakeholders with updated threat information and protective measures that can help improve a substation’s on-site physical security. CISA produced the resource in collaboration with the Department of Energy.
The product also provides resources to guide in the awareness of the threat environment facing electrical substations, the implementation of protective physical security measures, and options for a layered security strategy that will ultimately reduce or minimize the impact of an attack.
The resource, “Sector Spotlight: Electricity Substation Physical Security,” is available here.
The American Public Power Association has a suite of resources to help in hardening a utility’s physical security.
Those resources include Physical Security Essentials: A Public Power Primer, which addresses physical security protective measures and describes leading practices that can help mitigate risks.
To access that and other resources on the APPA website, click here.
Department of Justice Charges Two People With Conspiracy to Attack Maryland Substations
February 6, 2023
by Paul Ciampoli
APPA News Director
The U.S. Department of Justice on Feb. 6 announced the filing of a federal criminal complaint charging two people with conspiracy to destroy substations in Maryland.
The criminal complaint was unsealed upon the arrests of the defendants, Sarah Beth Clendaniel, of Catonsville, Maryland, and Brandon Clint Russell, of Orlando, Florida.
As alleged in the affidavit filed in support of the criminal complaint, from at least June 2022 to the present, Russell conspired to carry out attacks against critical infrastructure, specifically electrical substations, in furtherance of Russell’s racially or ethnically motivated violent extremist beliefs.
Russell posted links to open-source maps of infrastructure, which included the locations of electrical substations, and he described how a small number of attacks on substations could cause a “cascading failure.” Russell also discussed maximizing the impact of the planned attack by hitting multiple substations at one time, the DOJ said.
According to the DOJ, Clendaniel collaborated on a plan to carry out the attacks. Clendaniel conspired to secure a weapon and identified five substations she planned to target.
Clendaniel allegedly stated that if they hit a number of them all in the same day, they “would completely destroy this whole city,” and that a “good four or five shots through the center of them . . . should make that happen.” She further added, “[i]t would probably permanently completely lay this city to waste if we could do that successfully.”
If convicted, Russell and Clendaniel each face a maximum sentence of 20 years in federal prison for conspiracy to damage an energy facility.
In a statement released on Feb. 6, investor-owned Exelon and its subsidiary Baltimore Gas & Electric said that the Federal Bureau of Investigation had notified Exelon and BGE that it had disrupted a plot to target several BGE electric substations with gunfire.
“We are working closely with the FBI and state and local law enforcement as they continue their investigation, and we are thankful for their vigilance and the precautions taken to protect the electric grid for our customers and employees,” the companies said.
Exelon and BGE noted that law enforcement acted before the perpetrators were able to carry out their plan, and there was no damage to any of the substations, nor was any service disrupted.
“The substations are not believed to have been targeted out of any connection to BGE or Exelon, or because of any particular vulnerability. We have a long-standing partnership with law enforcement and state and federal regulators of the grid to secure critical infrastructure; this work is even more important now as threats have increased in recent years. There are no currently known threats to any of our facilities,” the utilities said.
The American Public Power Association offers a wide array of resources to help its members create a more resilient and secure electric grid that is prepared for both cyber and physical threats. Click here for additional details.
APPA offers a suite of resources to help in hardening a utility’s physical security including “Physical Security Essentials: A Public Power Primer,” which addresses physical security protective measures and describes leading practices that can help mitigate risks. This publication is available through the APPA product store. The physical security checklist associated with this publication can be accessed here.
The Electricity Information Sharing and Analysis Center recently released the Physical Security Resource Guide for Electricity Asset Owners and Operators. This publication is only available to logged-in APPA utility, joint action agency, or state association members.
Michael Coe Joins APPA as Vice President for Security, Resilience, and Energy Solutions
February 6, 2023
by Paul Ciampoli
APPA News Director
Michael Coe recently joined the American Public Power Association as Vice President for Security, Resilience, and Energy Solutions.
Prior to his new role at APPA, Coe held a series of positions at the U.S. Department of Energy starting with his role as Chief of Staff for DOE’s Office of Electricity in 2018.
Coe subsequently served in the following positions at DOE: Acting Deputy Assistant Secretary, Transmission Permitting and Technical Assistance Division in 2019, Director of Transmission Development (2019-2020), Director of Energy Planning and Strategy (2020-2021) and Director of Defense Critical Energy Infrastructure (2021-2023).
Coe also held positions with consulting firm ICF, the Hawthorn Group, an international public affairs company, and the Camber Corporation.
Coe, who received a JD from the University of Baltimore School of Law, reports to Adrienne Lotto, Senior Vice President for Grid Security, Technical & Operations Services at APPA.
FERC Takes Steps to Bolster Reliability Standards for Monitoring Grid Cyber Systems
January 26, 2023
by Paul Ciampoli
APPA News Director
The Federal Energy Regulatory Commission on Jan. 19 directed the North American Electric Reliability Corporation to develop and submit reliability standards requiring internal network security monitoring for high-impact bulk electric system cyber systems and medium-impact systems with high-speed internet connections.
The final rule, Order No. 887, issued at FERC’s monthly open meeting, also directs NERC to study the risks posed by the lack of internal network security monitoring at bulk electric cyber systems that would not be addressed by the new or modified standard, and the feasibility of extending monitoring to those systems.
In issuing the directive to NERC, FERC observed that current NERC reliability standards require monitoring at a network’s electronic security perimeter, but do not require similar monitoring of anomalous activity within the network environment, which the Commission characterized as a gap in the current NERC reliability standards.
NERC has flexibility in developing the content of the new requirements, but the Commission said the new standards should address the need for entities to develop baselines of their network traffic inside the applicable networked environments and to monitor for and detect unauthorized activity, connections, devices and software inside those networked environments.
FERC said the new standards also should require entities to identify anomalous activity to a high level of confidence by logging network traffic, maintaining logs and other data and implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques and procedures from compromised devices.
The rule takes effect 60 days after publication in the Federal Register, and NERC has 15 months from the effective date to submit the new standards for Commission approval. NERC has 12 months from the date of the order to submit its report on low-impact bulk electric cyber systems and medium-impact systems with no broadband access.
Order No. 887 results from a notice of proposed rulemaking issued by FERC in January 2022 proposing internal network security monitoring for all high and medium impact bulk electric system cyber systems. The NOPR also asked for comments on whether internal network security monitoring should be applied to low impact BES Cyber Systems.
The American Public Power Association responded to the NOPR in joint comments filed with the Edison Electric Institute, the Electric Power Supply Association, the Large Public Power Council, and the National Rural Electric Cooperative Association.
The joint comments urged FERC to conduct additional information gathering on internal network security monitoring before issuing a directive. The comments also cited the significant technological and practical challenges associated with deploying internal network security monitoring, and the Joint Associations urged FERC to limit the applicability of any internal network security monitoring directive to high impact BES cyber systems and medium impact BES cyber systems at control centers.
APPA and the other groups also argued that use of internal network security monitoring for low impact bulk electric system cyber systems is unlikely to be practicable.
Order No. 887 partly responds to the concerns raised by the groups, insofar as it only applies the internal network security monitoring requirement to a subset of medium impact assets, and the directive does not require internal network security monitoring for low impact assets at this time.
APPA Details How it Can Help Implement DOE Cybersecurity Grant and Technical Assistance Program
December 20, 2022
by Paul Ciampoli
APPA News Director
There are a number of ways in which the American Public Power Association (APPA) can help the Department of Energy successfully implement a Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program including assisting in identifying solutions as well as potential pathways for increasing information sharing with small- and medium-sized public power utilities, APPA said.
APPA made its Dec. 19 comments in response to a request for information (RFI) issued by the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to inform its implementation of the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program.
In its comments, APPA noted that public power utilities are eligible entities for the new program, with over 1,000 of these utilities likely to fall into one or more of the priority categories of: (1) having limited cybersecurity resources; (2) owning assets critical to the reliability of the bulk power system; or (3) owning defense critical electric infrastructure (as defined in section 215A(a) of the Federal Power Act).
APPA said that along with awarding grants directly to owners and operators to address individual entity needs, DOE should also consider working with trade associations and other trusted partners around technical assistance options and needs.
“The needs of eligible utilities are diverse — some entities are in need of technical assistance on simply how to begin or move forward with basic programs, whereas others are more advanced and may be in need of assistance (financing and/or technical) in implementing technology or other cybersecurity solutions,” APPA said.
APPA “presents a robust pathway for assisting large swaths of these communities, especially for those whose cybersecurity preparedness is not as mature as others,” it said.
For smaller utilities — including many public power utilities that make up the majority of eligible utility entities for this new grant program — cybersecurity can be a daunting task, APPA pointed out.
“Many public power utilities have limited resources to put toward cyber services, technology deployments, additional cyber staff, or to increase participation in threat intelligence information sharing programs. Moreover, most public power utilities are distribution only utilities, whereas most existing government cybersecurity resources are focused on the bulk electric system (BES).”
The program’s focus on small- and medium-sized electric utilities, particularly public power and rural electric cooperative utilities, is a welcome development, the trade group told DOE.
In addition, APPA encouraged DOE to work with trade associations to reach their smaller members to ensure they are engaged and have clear pathways for resources available under the program.
APPA pointed out that it has worked with DOE through cooperative agreements on efforts like increasing adoption of cybersecurity solutions for operational technologies. This work has included the production of templates and guidance to assist in the adoption of these types of technologies, such as data sharing considerations.
APPA went on to note that tools and resources that are specifically intended for small distribution utilities are more likely to be utilized. “Therefore, it would be beneficial for DOE to consider pathways for creating, updating, or promoting these types of materials and resources.”
It would also be beneficial, when it comes to public power utilities, for DOE to consider ways it could partner with the Department of Homeland Security to identify tools and resources that DHS has already created for State, Local, Tribal, or Territorial communities that could be promoted, updated, and utilized by public power utilities, APPA told DOE.
“APPA is very interested in assisting and promoting such an effort within its membership, including bringing members to the table to help shape such products.”
These efforts would need to be complementary to, not in place of, individual grant awards to qualifying utility owners and operators to implement solutions they have individually identified, the public power trade group said. “Access to a trusted community-focused forum where best practices can be confidentially shared and learned from would be very valuable for these communities.”
APPA also said the program will provide opportunities for smaller utilities to lean further in on cybersecurity issues to the benefit of their communities and the nation. “The ease of the process and the ability for smaller utilities to meet program requirements will be enormous factors in how much traction this new program is able to generate. To that end, DOE should also seek opportunities to limit the application of cost share or compliance reporting requirements, as these obligations may place an undue administrative burden on smaller utilities and be a significant barrier to participation.”
FERC Directs NERC to Assess Effectiveness of Physical Security Reliability Standard
December 17, 2022
by Paul Ciampoli
APPA News Director
The Federal Energy Regulatory Commission (FERC) on Dec. 15 issued an order directing the North American Electric Reliability Corporation (NERC) to submit a report to the Commission analyzing the effectiveness of the existing NERC reliability standard addressing physical security of the bulk power system.
At its monthly open meeting, FERC directed NERC to conduct a study evaluating the need for improvements to Reliability Standard CIP-014-3, which pertains to physical security for the electric grid.
FERC staff noted that in recent months, there has been an increase in reports of physical attacks on electric substations that in some incidents have resulted in thousands of customer outages. In early December, Duke Energy responded to power outages caused by vandalism against utility equipment in North Carolina.
In its order, FERC requires NERC to provide an assessment of the effectiveness of the physical security reliability standard that considers, but is not limited to, the potential risks highlighted by recent events.
Specifically, the order directed NERC to conduct a study evaluating:
- The adequacy of the applicability criteria set forth in the standard;
- The adequacy of the required risk assessment set forth in the standard; and
- Whether a minimum level of physical security protections should be required for all bulk-power system transmission stations and substations and primary control centers.
The report is due 120 days from issuance of the order.
APPA’s Adrienne Lotto Emphasizes Importance of Layered Defenses for Grid Security
December 12, 2022
by Paul Ciampoli
APPA News Director
When it comes to grid security, the importance of layered defenses cannot be overstated, and while the power sector has a good overall understanding of the risk it is facing in this area, to the extent that more information can be shared from the federal government to entities and utilities, that is helpful for utilities to understand their risks and respond accordingly, said Adrienne Lotto, Senior Vice President of Grid Security, Technical & Operations Services, American Public Power Association (APPA), on Dec. 7.
She made her comments at a joint Department of Energy-Federal Energy Regulatory Commission supply chain risk management (SCRM) conference in Washington, D.C.
Lotto was a panelist at the conference that examined current supply chain risk management reliability standards, implementation challenges, gaps, and opportunities for improvement.
Other panelists were Jeffrey Sweet, Director of Security Assessments, American Electric Power; Shari Gribbin, Managing Partner, CNK Solutions; Scott Aaronson, Senior Vice President of Security and Preparedness, Edison Electric Institute; and Lonnie Ratliff, Director, Compliance Assurance and Certification, North American Electric Reliability Corporation.
Panelists were asked whether they think the currently effective supply chain risk management standards are sufficient to successfully ensure bulk power system reliability and security in light of existing and emerging risks to the cyber security supply chain.
“The simple answer is yes,” Ratliff said. “The standards provide a foundation to address and mitigate some of the supply chain challenges that we have across our industry. With this foundation, there’s always opportunities to improve so as we look at the effectiveness” of the standard, “NERC has taken several opportunities to assess those standards, bring up teams and evaluate the effectiveness and propose change to those standards.”
Lotto said that NERC and the power industry have shown a willingness to continue to partner and examine the NERC Critical Infrastructure Protection (CIP) standards as they relate to supply chain security and are continuing to do so.
As threats continue to evolve, the utility sector and NERC have also shown a willingness to evolve and take a second look at those standards and “that risk-based approach remains ongoing.”
At the same time, Lotto highlighted jurisdictional limitations to FERC “and the burden that that then places on the utilities trying to gain insight into the suppliers that they are utilizing in their systems.”
“I do believe that the standards that are in place today are effective and are appropriate,” said Sweet. “They provide the flexibility for the utilities to be able to address the risks that they realize within their organizations.”
The supply chain risk management standard requires entities to have a supply chain risk management plan.
Supply Chain Risk Management Plan
Panelists were asked to address the question of whether it would be beneficial to provide additional clarity for the supply chain risk management plan in a couple of areas.
“One is in identifying and assessing risks,” said David Ortiz, Director of the Office of Electric Reliability at FERC. “Identifying triggers that would require activation of the plan and then requirements in that plan to respond to risks that are identified.”
Addressing the question of whether the power sector needs help in identifying and assessing risk, Lotto said, “the short answer is yes.”
She said that to the extent that more information can be shared from the federal government to entities and utilities, large or small, that is helpful for utilities to understand their risks and respond accordingly.
Lotto cautioned against an idea floated earlier in the conference that proposed throwing out the definition of high, medium and low in the risk-based approach currently being used at NERC.
She warned against making a holistic change in this approach. “The NERC CIPS standards are effective. They are working and that is sound risk management practice in any sector – to understand what your high, medium, low impacts are, so a holistic change like that at this time I think would actually set us back, as opposed to enable NERC to continue doing what it’s doing with the utilities and move us forward towards greater supply chain security.”
Prior to joining APPA, Lotto was vice president, chief risk and resilience officer at the New York Power Authority, where she led a team of risk management professionals.
Meanwhile, Puesh Kumar, Director of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, noted that utilities “are trying to manage risk, but to do that they first need to understand the risk.”
He asked Lotto whether utilities “know the risk well enough and, if not, what are the gaps? What more could we be doing?”
Do utilities “have a good understanding of the risk that they’re managing to?”
“I would say holistically the answer is yes,” Lotto responded. There has been a “tremendous amount of work” done at the DOE, Department of Homeland Security, the Electricity Information Sharing and Analysis Center and the Multi State Information Sharing and Analysis Center “that helps to inform and provide industry insight into the risks. Now, that said, could we always do better? Of course.”
Lotto said that a recent incident involving an attack on Duke Energy substations in North Carolina “is a physical example where you see the risk in day-to-day life that the grid is exposed to, so continuing to foot stomp and provide situational awareness in a timely fashion with context and suggested solutions or guidelines, I think is important.”
She noted that APPA provides resources and guides and partners with the DOE through agreements “that enable us to do that. Particularly for the smaller members, it’s exceedingly helpful.”
EEI’s Aaronson said that “we understand the risk, but risk is always changing. Risk is a factor or a function of threat, likelihood and consequence.”
He said that “what is the consequence of something is also evolving, not just because the threat is evolving but the grid is constantly evolving.”
At a later point, Lotto emphasized the need for layered defenses when it comes to grid security. She said that while FERC and NERC have done a good job in addressing the baseline, the energy sector continues to collaborate, which includes discussing baselines and focusing on “getting even better and stronger.”
This continued coordination, not just in the regulatory arena, but also in terms of best practices, needs to continue to happen, she said.
“I think the greatest power that the federal government has is the power to convene,” Lotto said. Continuing to bring industry experts together with the federal government “to solve critical problems has to continue to evolve.”
She also said that the importance of economies of scale must not be overlooked “because individually we can’t do it alone. Our members can’t do it alone. The cyber threat, unfortunately, is advancing to the front lines where, fundamentally, our members are getting asked on a day-to-day basis to act as frontline defenders of networks and that’s an almost impossible task. They’re not set up to defend networks on a day-to-day basis from nation state adversaries that are attacking them.”
The power to convene at the federal government level, both through the NERC process “wherein they’re continuously looking and trying to evolve to meet the threat, together with best practices and advancing through groups that already exist or at the federal government level to achieve economies of scale and layered defenses is critical.”
Duke Energy Responds to Outages Caused by Substation Vandalism
December 5, 2022
by Paul Ciampoli
APPA News Director
Duke Energy over the weekend said that it was responding to power outages caused by vandalism against utility equipment in North Carolina.
Duke Energy on Dec. 4 said that crews were responding to widespread outages in Moore County, N.C. The company experienced multiple equipment failures affecting substations, leaving about 45,000 customers without power.
Media reports on the vandalism said that two electric substations were damaged by gunfire.
The utility crews are working 24-hour shifts to make repairs and restore service to all impacted customers. Several large and vital pieces of equipment were damaged in the event, the utility said. “Repairing the equipment is a multi-step process that will take several days to complete. Once repairs are made, the company must test the equipment before beginning the final restoration process.”
Due to the nature of the damage, the company is working with local, state and federal agencies on their ongoing investigation into this incident.
On Sunday evening, Secretary of Energy Jennifer Granholm tweeted that she has been in contact with Duke Energy about the vandalism and the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is working with federal partners.
“Law enforcement is investigating this serious incident and Duke is working around the clock to restore service,” she said.
Rich Glick, Chairman of the Federal Energy Regulatory Commission, also sent a tweet over the weekend saying that FERC is monitoring the events in North Carolina. “The security & reliability of our grid remains the top priority” as Duke Energy works to restore services, he said.