Arabic Arabic Chinese (Simplified) Chinese (Simplified) Dutch Dutch English English French French German German Italian Italian Portuguese Portuguese Russian Russian Spanish Spanish
| (844) 627-8267

Substation attacks may lead to new energy security rules in 2023, experts say | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

Amid a growing cyber threat to the U.S. electric grid, 2022 ended with a spate of physical attacks that could portend new security rules for some energy infrastructure, say experts.

“The physical substation attacks toward the end of last year raised the alarm bell,” Jason Christopher, director of cyber risk at Dragos, said in an email.

Multiple substations in Washington were damaged on Dec. 25, leading to more than 14,000 outages on the Tacoma Power and Puget Sound Energy systems. And a North Carolina firearms attack earlier in the month knocked power out to about 45,000 Duke Energy customers.

“Unfortunately, with 55,000 substations nationally, there are obvious risk-based limitations on addressing physical threats that need to be managed,” Christopher said. “The industry should expect further regulatory inquiries and potential actions from the federal government in response.”

The North American Electric Reliability Corp. oversees a set of critical infrastructure protection standards, known as CIP, governing rules for Bulk Electric System power equipment.

“I am hearing rumors that [the Federal Energy Regulatory Commission] may require NERC and the industry to revisit CIP-014, which is the physical security standard for critical BES transmission substations,” Kevin Perry, former director of critical infrastructure protection at Southwest Power Pool, said in an email.

FERC could consider stricter rules for more substations that operate between 200 kV and 499 kV, said Perry. But he added, “I don’t see FERC mandating costly physical security protections for those substations that engineering studies determine do not have a significant reliability impact if damaged or destroyed.”

Cost is a major barrier to improving physical security, experts agreed, particularly because grid equipment is often in remote areas and the electric system is designed with redundancies in place. Loss of a single substation, for instance, should not cause an outage.

“What are you gonna do wrap everything in Kevlar? That would be a very poor use of regulation, in my opinion,” said Thomas Pace, CEO and co-founder of NetRise.

While physical attacks may have grabbed headlines, the cyber threat is growing and hackers in Russia, China, Iran and North Korea all have sophisticated hacking abilities, say experts. And the rise of distributed energy resources creates a larger attack surface.

The Federal Energy Regulatory Commission is considering developing new cybersecurity rules for DERs on the bulk electric system, and the U.S. Department of Energy is funding “next-generation” cybersecurity research, development and demonstration projects.

Pace formerly worked with DOE, where he focused on industrial control systems security and said he expects more focus on software security in the coming year. That could include the potential for a software bill of materials, or SBOM, to be required for some vendors of some energy or grid-related services. The requirements would likely be “very prescriptive,” he said.

Modern software is constructed of many components, making vulnerabilities difficult to track, say experts. The federal government and the electric power sector are collaborating on an initiative to more readily disclose what components go into grid software.

“I predict that the biggest cyber threat to the power industry in 2023 won’t be direct hacks like those depicted in the movies, but supply chain attacks, especially those that come through software,” said independent security consultant Tom Alrich. “These are currently the least understood of cyberattacks, and aren’t directly covered by the NERC CIP standards.”

Electric utilities “should be prepared for the increasing sophistication of supply chain compromise threats,” Roya Gordon, a security expert at Nozomi Networks, said in an email.


Click Here For The Original Story From This Source.

National Cyber Security