Cybersecurity Risk and Reality

Russell Ray,
Chairman, POWER-GEN International

While thousands of cyberattacks launched against U.S. power plants and distribution systems have not yielded a meaningful disruption in power supplies, the probability that hackers already have the ability to shut down U.S. power stations at will is very real.

This sobering reality was disclosed last week after the Department of Homeland Security (DHS) said Russian hackers secured access to critical control systems to U.S. nuclear plants. “We now have evidence they’re sitting on the machines… that allow them to effectively turn the power off or effect sabotage,” Eric Chien, a security technology director at digital security firm Symantec, told The New York Times. “From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation.”

Last year, former PJM Interconnection CEO Terry Boston said hackers targeted the firewalls of the nation’s largest regional transmission organization between 3,000 and 4,000 times a month.

The nation’s power system is more secure, but cyber threats are becoming more sophisticated. And as the power sector adds more digital technologies to power plants, the opportunities for hackers continue to grow. Cybersecurity regulation and requirements are not enough, said Mark Rabuano, manager of NERC Services for NAES Corp.

“Largely, they are insufficient to provide complete protection,” Rabuano said. “The threats are not going to diminish. If anything, the vulnerabilities are going to increase as the sector becomes more reliant on technology and networking.”

Rabuano’s comments came during a session on cybersecurity at POWER-GEN International 2017.

Every power producer and every power plant faces uniquely different circumstances related to the security of cyber assets. Ultimately, a comprehensive strategy that fills the security gaps for each plant will have to come from industry ingenuity, not government mandates and standards.

“Getting down into control logic is where you start to tackle the issue of security,” said David Zahn, general manager of cyber security at PAS. “Our ability, at a government level, to affect deterrence is very limited. It’s left to us to figure out what the right defense-in-depth strategy is.”

Integrating cybersecurity protections into a utility’s supply chain management program may be key to preventing hackers from penetrating critical controls inside a power plant.

The alert issued by DHS last week indicated the hackers were targeting businesses working within a utility’s supply chain. According to the alert, the hackers’ initial victims were “peripheral organizations such as trusted third-party suppliers with less secure networks.”

The Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop security standards for hardware, software, computing and networking services used in a utility’s supply chain. In January, FERC issued a proposal to adopt NERC’s standards to mitigate specific supply chain cybersecurity risks surrounding procurement processes.

The new standards mean companies providing goods and services to electric utilities must adapt to the new requirements. The new measures stem from a contentious debate as critics argued the new standards would disrupt business relationships with third-party contractors.

The growing number of cyber threats facing America’s fleet of power plants stems from a need to improve efficiencies, reduce costs and better serve customers through digitalization.

However, efforts to make more sense of the information collected from power generation equipment are also increasing the industry’s vulnerability to a cyberattack. This may explain some utilities’ reluctance to fully embrace the digital revolution.

A recent survey of utility executives indicated 76 percent of those in North America believe the region faces at least a moderate risk of electricity supply interruption from a cyberattack.

The survey, conducted by Accenture, indicated 57 percent of respondents said they’re most concerned by an interruption of the power supply from cyberattacks, while 43 percent indicated the destruction of their physical assets was their biggest concern. Another 77 percent of utility executives indicated the growth of Internet of Things devices are a potential threat to cybersecurity.

Four in ten of the respondents claimed cybersecurity risks were not, or were only partially integrated, into their broader risk management processes.