On July 22, 2015, The Federal Energy Regulatory Commission (FERC) proposed new critical infrastructure protection (CIP) standards to address concerns over the cyber threat posed by an increasingly global supply chain. Specifically, FERC is concerned with the potential introduction of vulnerabilities into the grid by the hardware and software components of Supervisory Control and Data Acquisition (SCADA) devices and other grid control systems. This type of vulnerability struck Dell Computers in 2010, when motherboards it procured from an international supplier were shipped containing malware. Although the attack was discovered, it was not until after some products had already been received by customers. Like the computer industry, components of grid control systems are made by a globally diverse supply chain which is largely outside the reach of U.S. regulatory authority.

Key Details

• According to the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, the energy industry was the most commonly targeted industry in the United States for cyberattacks in fiscal year 2014 with 32% of all attacks being directed against the energy sector. By some estimates, the vulnerability of the grid to cyberattack is in the billions of dollars
• SCADA devices, programmable logic controllers (PLCs), as well as other control systems which are linked and transfer data across third-party networks are often the targets of cyberattack against the energy industry
• The hardware and software components that make up these systems are produced by a globally distributed supply chain that has no common incentive or guidance to compel them to design components to an agreed-upon security standard and which falls outside of U.S. regulatory authority
• The proposed supply chain security standard would also include new security protocols and standards for data flowing across unsecured third-party networks
• In addition to the new supply chain standards, FERC is proposing modifications to existing standards to improve upon the current FERC-approved, CIP Version 5

Implications

The power grid has become increasingly dependent on the variety of SCADA devices, PLCs, and control systems that make the modern grid possible. The Utility of the Future will continue to rely on a growing portfolio of “smart” technologies, communication networks, and integrated customer-side resources that are all linked together through communications and data networks. Importantly, the components that make up this integrated platform are provided by a complex and globally distributed supply chain on which the industry is dependent. In addition, many of these technologies are developed outside the oversight of the regulatory construct of the U.S. utility industry.

To achieve the vision of interoperability and maintain a two-way flow of grid and customer-side information, securing the supply chain that manufactures these technologies will be paramount. Utilities and their suppliers must play an active role in helping to shape security standards and take the measures needed to protect against ever-growing threats to these systems. This will require ongoing investment and the dedication of resources to work with FERC, NERC, and the providers of technology and communication services to develop standards and implement solutions that are reasonable but effective at protecting control systems and the broader bulk electric system.

More Information

FERC: https://www.ferc.gov/whats-new/comm-meet/2015/071615/E-1.pdf

SNL: https://www.snl.com/InteractiveX/article.aspx?ID=33259152&KPLT=4

NERC: http://www.nerc.com/pa/Stand/Workshops/NERC%20101.pdf

Congressional Research Service: http://www.fas.org/sgp/crs/misc/R43989.pdf

This report is part of the Grid Edge Minute series. To view all featured Minutes, please click here.