2014-10-10

By Reed Karaim | RE Magazine

Once upon a time, the greatest security threat to co-op power systems was vandalism or perhaps copper theft. Unfortunately, the world is a much more complicated and dangerous place today, and electric co-ops are often on the front lines of an ongoing battle to keep the information they store secure and the grid safe and reliable.

The proliferation of interconnected smart devices is revolutionizing the efficiency and reliability of power grids. But the sprawling communication networks that are the backbone of these systems have also created vulnerabilities that can be exploited by data thieves, computer viruses, malicious hackers, and even terrorists or state-backed organizations seeking to disrupt power supply, steal profitable information, and create chaos.

“It’s a big change,” says Barry Lawson, NRECA associate director for power delivery and reliability. “Frankly, it’s changed for all utilities in the post-9/11 world and with the way we’re now linked to and dependent upon the Internet and remote capabilities for so much.”

Electric co-ops are confronting these new challenges and playing an important role in the national effort to secure the grid. Co-op leaders and NRECA have been working with the North American Electric Reliability Corporation (NERC), the industry’s reliability standards organization, and the Federal Energy Regulatory Commission on the latest updates to guidelines for the bulk electric system, mainly transmission and generation assets. Expansion of cyber security protocols is among the key changes.

“The intent of these standards is to provide a solid base level of cyber security for the bulk electric system,” Lawson says.

NRECA’s Cooperative Research Network (CRN) has published its Guide to Developing a Cyber Security and Risk Mitigation Plan, which is in use by many entities in the utility industry, not just cooperatives. CRN researchers are also working on a groundbreaking project, dubbed “Essence,” aimed at developing the next generation of automated cyber security for the industry.

In addition, NRECA is backing legislation on Capitol Hill like the Cyber Intelligence Sharing and Protection Act (CISPA or HR 624), which has passed the House, and the Cybersecurity Information Act of 2014 (CISA or S.2588), which has passed out of the Senate Select Committee on Intelligence and is pending floor action, to improve government and private sector information sharing that will make it easier to respond quickly to emerging cyber threats. Taken together, it’s an ambitious national effort to keep the country’s power supply safe. Electric co-ops at all levels are also doing their part.

A PROACTIVE APPROACH

Arkansas Electric Cooperative Corp. (AECC), a generation and transmission cooperative (G&T) based in Little Rock, is an example of co-ops taking a proactive approach to grid security. Arkansas Electric, which serves the state’s 17 distribution co-ops, is already implementing changes in operations to meet new NERC security regulations that won’t go into effect until April 2016.

Until recently, the electric co-ops required to comply with NERC rules—primarily G&Ts—had to do a risk assessment to determine whether they had “critical cyber assets,” systems essential to safe operation. Those that did were given significant security steps to follow, but those that did not had minimal requirements to follow, Lawson says.

The latest NERC standards, however, establish a set of “bright lines,” spelling out which critical assets fall into the “low, medium, and high” impact categories. Supervisory Control and Data Acquisition (SCADA) systems, substations, and generators are examples of assets that can appear in any of the three categories depending on their size, how interconnected they are, and how critical they are to stable operations.

The new standards, known as Critical Infrastructure Protection (CIP) Version 5, are expected to involve more G&Ts and some distribution co-ops. “Some of the G&Ts will have quite extensive responsibilities,” Lawson says.

AECC is one of those G&Ts. “Up until now, we’ve not had any systems identified as critical,” says Robert McClanahan, co-op vice president & chief information officer. “We’re going from no critical cyber assets and no requirements to meet the full suite of CIP requirements to building a full CIP compliance program.”

The effective date for the new standards may be a year and a half away, but the G&T’s goal is to have its new security program in place a year early, so it has plenty of time to test the system before it has to be in compliance. Among the steps the co-op is taking is implementing “a very vigorous change-management program,” McClanahan says, which means that any change to IT systems, even something as basic as a software patch, is reviewed by a newly established “change committee” to ensure it won’t compromise the security or stability of the system in any way.

In addition, AECC is implementing updated security awareness training for its IT staff and developing recovery plans so the co-op can react quickly “in the event of a catastrophe,” McClanahan says.

Physical security is also part of the NERC standards, and the G&T is in the process of hardening its data center. “It’s had a strong level of security for a long time,” McClanahan says. “But with CIP V5, to be in the room with a [critical] cyber system, you have to have a background check, you have to be trained in what our procedures are, and then you’ll be granted access. If you’re not granted access, you have to be escorted.”

These changes and others AECC is implementing will ensure it’s in compliance with NERC regulatory requirements. But McClanahan says that isn’t the principal motive behind the effort. “Our number-one goal is security, and it’s going to be strong enough to meet all of the standards. But that is almost secondary,” he says. “What I want is a program that’s rigorous because that’s what my G&T and our members need.”

CO-OPS OF ALL SIZES

Vermont Electric Cooperative, headquartered in the small town of Johnson, Vt., serves about 32,000 members stretched across eight counties. That’s a far cry from the 500,000 consumers who receive their electricity through Arkansas Electric’s 17 distribution co-ops.

Despite its smaller stature, Vermont Electric also has initiated an impressive security program, illustrating the steps distribution co-ops can take to make sure they are keeping their member, employee, and cooperative information and their critical systems safe.

“We are putting a lot of effort into cyber security,” says Jacek Szamrej, Vermont Electric’s IT manager. “We are a small co-op, so it’s not always easy. But we think this is something that should be a priority.”

Unless they happen to own transmission or generation assets, most distribution co-ops are not subject to compliance and enforcement with NERC reliability and security standards. There are roughly 100 distribution co-ops that do fall under the purview of a limited number of NERC standards. But it’s a mistake for smaller co-ops to assume their size means they won’t become a target for cyber attacks, says Maurice Martin, CRN cyber security program manager.

Personal data theft is a particular threat. The reality is any entity that stores consumer information online—such as Social Security, credit card, or bank account numbers—is a potential target. A recent report by the Online Trust Alliance estimated that security breaches exposed more than 740 million records in 2013, making it the worst year for vulnerabilities on record.

“Co-ops of all sizes need to take action against data theft, hacking of SCADA systems, and hacking for the purpose of meter tampering,” Martin says.

Vermont Electric has implemented a series of internal firewalls to increase its layers of cyber defenses, including requiring substations and workstations to authenticate themselves when connecting to servers. “Sectionalizing” the network in this fashion helps prevent any intruder or malicious software from moving easily through the system.

The co-op also has added security information and event management hardware that constantly monitors its digital communications. Szamrej says the device accesses 200,000 messages every day to make sure unauthorized users aren’t on the system, among other security functions.

Vermont Electric is focused on cyber security, but that doesn’t mean it’s neglecting its brick-and-mortar facilities.

“We contacted the [U.S.] Department of Homeland Security [DHS], and we had a DHS protective security advisor do an assessment of our physical security,” Szamrej says. “His team gave us several good options for consideration to help enhance our physical security and increase our resiliency … and they did it for free.”

The changes DHS suggested were mostly small ones regarding procedures and other safeguards, he notes, but served as a confirmation that the co-op was basically on the right track.

Lawson says such assistance from the federal government is welcome, but favors industry self-regulation over new government security mandates, which are often cumbersome and can take too long to implement.

“Government mandates can’t keep pace with innovation,” NRECA CEO Jo Ann Emerson wrote in a recent RE Magazine column. “Utilities, like electric co-ops, are always deploying new technologies—and so are cyber criminals and terrorists.” An overreliance on top-down mandates, Emerson said, means the industry will “always be fighting yesterday’s battles.”

But through its work with NERC and CRN, the cooperative community is taking a lead role in grid security. Szamrej, for example, served on the Implementation Method Committee for the first Smart Grid Interoperability Panel, a private-public organization created to help modernize and secure the grid. He also credits CRN’s cyber-security guide as a valuable blueprint for co-ops.

CRN’s cyber-security guide was put together as part of a U.S. Department of Energy (DOE) grant and with the participation of co-ops involved in NRECA’s nationwide Smart Grid Demonstration Project. It has been downloaded more than 12,000 times and has been cited by DOE as a model for other utilities to follow. The guide and additional materials on cyber security are publicly available on NRECA.coop.

The next major step in CRN’s cyber-security efforts is the ongoing “Essence” project.

“ESSENCE”

Firewalls, which block suspicious attempts to connect or upload software, provide the basic protection for computer networks. But these programs depend on lists of known threats and require constant updating by security experts. “They also have the potential for human error,” notes Craig Miller, NRECA chief scientist. “This creates vulnerabilities.”

Essence uses a different approach. Instead of monitoring what’s going in and out of the network, it monitors the network itself and uses advanced algorithms to determine what is normal.

“Essence looks for anomalies—stuff that shouldn’t be happening—and then raises a red flag when it sees something that’s amiss,” CRN’s Martin says.

The Essence project is developing a small device that can be added at key spots in a co-op’s system to perform network monitoring. It’s being designed to use cloud-based data storage and open software standards to increase affordability and minimize the amount of expertise needed to manage the system.

“It’s going to bring state-of-the-art cyber security to co-ops of every size, from the biggest to the smallest,” Martin says. “The philosophy is, ‘No co-op left behind.’ Everyone will be able to use this.”

Essence is being developed through a $4 million grant awarded by DOE to research next-generation cyber-security devices. CRN has partnered with Carnegie Mellon University, the Pacific Northwest National Laboratory, and the cyber-security firm Cigital on the project. Several large corporations are also following the effort.

Researchers hope to have the first Essence devices in the field for testing in early 2015. If it’s as successful as expected, commercial partners will be brought in to manufacture the product, providing electric utilities with another important tool in the ongoing effort to keep the grid secure.

It’s an overall effort that Lawson believes co-ops of all sizes cannot afford to ignore.

“The more co-ops prepare today, even when it’s not required by regulation, the better off they’ll be because more is coming,” he says. “Unfortunately, it’s just the world we live in now.”

The post Cyber Security: Co-ops Work to Confront New Threats and Reduce Grid Vulnerabilities appeared first on NRECA.
