Cyber attacks, pandemics and electromagnetic disturbances are the three top "high impact" risks to the U.S. and Canadian power-generation grids, according to a report from the North American Electric Reliability Corp. (NERC).
"The specific concern with respect to these threats is the targeting of multiple key nodes in the system, if damaged, destroyed or interrupted in a coordinated fashion, could bring the system outside the protection provided by traditional planning and operating criteria," states the report, "High-Impact, Low-Frequency Risk to the North American Bulk Power System."
The contents of the 118-page report are largely the result of closed-door discussions held since November by NERC (which plays a key role in setting security standards for the U.S. power grid),
power providers and U.S. government officials.
The report, which calls for better coordination between U.S. power-grid providers and the government, sets the stage for what may be new guidelines and processes required to combat the major threats identified, according to NERC officials.
The threat of a coordinated cyber attack, which might be combined with a physical attack, is considered the first of the top three "high-impact, low-frequency" threats to North American electricity supply, according to the report.
The electric power grid, on a daily basis, endures "hundreds of thousands of probes," said Gerry Cauley, president and CEO of NERC, in a conference call to unveil the report. He noted there has been "suspicious activity around control systems."
But NERC officials declined to confirm or deny past reports that spies have compromised the U.S. power grid with malicious code that would allow intruders to damage or otherwise interfere with safe operation of the grid.
However, the report does say "an intelligent attacker" could "mount an adaptive attack that would manipulate assets," and possibly "provide misleading information to system operators attempting to address the issue."
Cyber attacks would impede the grid’s operation, but the report suggests few details about possible defensive plans, except that there should be better "forensics tools and network architecture to support graceful degradation," with an "eye toward designing for survivability."
The report says: "Components and system design criteria should also be re-evaluated with respect to these threats and an eye toward designing for survivability. Prioritization of key assets for protection will be a critical component of a successful mitigation approach."
Mark Lauby, director of reliability assessments at NERC, said the outfit is looking at "creating specific mitigation measures" and possible new standards to strengthen the power grid and its operation. Though NERC sources say there’s no specific timeframe for doing so.
The report provides few clear answers on how to combat any of the three named threats, including electromagnetic disturbance (said to originate in violent solar activity, or possibly "detonation of a large nuclear device," or some kind of intentional electromagnetic interference that might target local power-grid elements).
In fact, the report points to some dismaying weaknesses in the U.S. power grid. "Many of these components are manufactured overseas, with little manufacturing capability remaining in North America," the report states.
A pandemic is essentially a "people " issue, the report notes. If large numbers of people fell sick to a disease, "less-experienced people" would have to operate the generation plants, the report says.
NERC does plan to identify "mitigation steps" to address these top risks, noting that any effective response will require close communication with federal agencies.
But the tone of the report is not highly optimistic.
"The first step," the report says, is "acknowledgement that fully protecting the system from a coordinated attack is not possible," noting "the bulk power system is literally comprised of hundreds of thousands of miles of high-voltage transmission lines," and much more. Any defense is going to require "a strong mix of preventative measures built on the inherent resiliency of the system and preparatory measures that will enable system operators to recognize an attack and respond to it when it does occur."
"The electric utilities have done very, very little to secure their power plants, substations and control centers," says Joe Weiss, managing partner at engineering consultancy Applied Control Solutions, who has testified before Congress on the topic and contributed to the NERC report. Weiss says the NERC report is intended to "try and wake the utilities up," and will most likely lead to greater regulation for them in terms of cybersecurity.
Today, says Weiss, "The standards out there for the electric-power industry are incredibly weak," noting the report is looking at the possibility of events occurring that would "bring the power grid down for months."
One idea put forward in the NERC report, having a security manager in power-plant environments who would be the main contact with a government liaison to communicate on serious security issues, is something Weiss said he would favor.
Weiss said he's skeptical about this notion that somehow malicious code planted by spies has compromised electric-power plant control systems but he adds, "We have done very little forensics to even be able to know."