06 Feb 2020
The GAO and Disaggregation of Generating Assets in the North American Electric Grid
In August 2019, the US Government Accountability Office (GAO) published a Report to Congressional Requesters expressing concern regarding the current state of security and resilience for the US power grid. The GAO found that there are credible and sophisticated threat actors capable of targeting North American grid systems, and due to advancing digital technology installed in grid operations, the grid is becoming more vulnerable to cyberattacks by these actors. These concerns form the background for the GAO investigation and the report’s recommendations to the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC).
Our focus in this piece is the GAO recommendation to FERC to:
Evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and … determine if changes are needed in the threshold for mandatory compliance with requirements in the full set of cybersecurity standards.
A Bit of Background
FERC delegates standards development to the North American Electric Reliability Corporation (NERC), which has developed the NERC Critical Infrastructure Protection (CIP) series of standards. NERC CIP-002 requires cyber systems affecting generation capacity of 1500 megawatts or more in a single interconnection to comply with a long list of “Medium Impact” requirements, provided that impairment or misuse of those cyber systems could impair the delivery of power to the bulk electric system (BES) within 15 minutes of compromise. These NERC CIP Medium Impact requirements represent a significant compliance cost to power generation sites, as well as exposure to heavy fines if the sites are found noncompliant.
The GAO critiques NERC’s practice of encouraging the disaggregation of generation resources so that large generators no longer meet the 1500 MW threshold and are thus categorized as Low Impact BES cyber systems:
NERC encourages entities to disaggregate their industrial control systems so that individual systems operate and maintain less than 1,500 megawatts of generation capacity.
This critique is presumably motivated by documentation such as the transition guidance document NERC Lessons Learned CIP-002-5.1 Requirement R1: Impact Rating of Generation resource Shared BES Cyber Systems. This guidance describes how to segment generating units and their associated shared BES Cyber Systems so that no BES Cyber System at a large power plant meets the 1500 MW impact criterion any longer. While the NERC guidance does not say “do such segmentation,” it does describe how to do it, and the compliance cost benefits of such segmentation are significant. NERC’s argument for providing the advice is that “segmenting generating units and their associated BES Cyber Systems can reduce risks to the reliable operation of the BES.”
Disaggregation Security Issues
Now, disaggregation in theory is a very good thing if it is done well. Disaggregation can be an effective security strategy if it takes one large target and splits it into multiple targets in such a way that the cost to an attacker of compromising all of the targets is much greater than the cost of compromising the single original target. In a thoroughly segmented power plant, an attacker who wants to impair power production would need to break into many truly independent generating unit control systems.
The problem with the current CIP disaggregation/segmentation guidance, however, is that the guidance primarily describes putting a firewall between the distributed control system (DCS) of each segmented generating unit and the power plant network, and duplicating any physical infrastructure that is shared among generating units. This approach is not enough to make the generating units truly independent in the face of modern coordinated attacks. An attacker who discovers credentials or any other path through one generating unit firewall at a power plant is likely to be able to use that same mechanism to get through all of the firewalls on all of the generating units at the plant, negating the benefits of segmentation.
Two Ways to do Robust Disaggregation
One robust way to segment generating-unit networks is to install unidirectional gateway technology on each generating unit, to allow real-time external monitoring of the units, but prevent any information whatsoever – including sophisticated, coordinated attacks – back into the generating units. With this change, the generating units are truly independent. No attacker, no matter how sophisticated, can propagate an online attack from one generating unit to another, or from the Internet or a compromised IT network into a generating unit.
A second path to robust disaggregation is what we at Waterfall see the majority of our power generation customers doing: replace the plant’s IT/OT firewall with unidirectional gateway technology and follow the CIP segmentation advice for firewalls on each generating unit. Unidirectional protection at the IT/OT interface means that no remote attacker, however sophisticated, can contact any generating unit. In addition, any common malware that somehow lands in the disaggregated generating units faces conventional firewalled protections against propagation between the units at the site.
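The following is an added illustration (not code from NERC, the GAO or Waterfall) that models the argument of the preceding sections: it computes the CIP-002 impact rating of each BES Cyber System from the generation capacity it can impair, and then shows which units a remote attacker on the IT network can still reach under the firewall-only segmentation guidance versus the two unidirectional architectures. The four-unit plant, its capacities, and the assumption that one credential or exploit path that works at one unit firewall works at all of them are constructed for the example; the 15-minute impact condition is assumed to hold for every system.

```python
# Constructed model of the page's argument (added example, not NERC or Waterfall
# code): CIP-002 impact rating per BES Cyber System vs. what a remote attacker
# can actually reach under each disaggregation architecture.
from dataclasses import dataclass
from typing import Optional

MEDIUM_IMPACT_MW = 1500          # CIP-002 threshold quoted on the page
FIREWALL, UNIDIRECTIONAL = "firewall", "unidirectional"


@dataclass(frozen=True)
class Unit:
    name: str
    mw: int
    boundary: Optional[str]      # device between the unit's DCS and the plant network

def impact_rating(units_served):
    """Rate one BES Cyber System by the MW it can impair (15-minute impact assumed)."""
    total = sum(u.mw for u in units_served)
    return "Medium" if total >= MEDIUM_IMPACT_MW else "Low"

def remotely_reachable(units, it_ot_boundary):
    """Units an attacker on the IT network can reach inbound.

    Assumption from the page: a credential or exploit that gets through one
    unit firewall is reused at every other unit firewall at the plant.
    """
    if it_ot_boundary == UNIDIRECTIONAL:
        return set()             # no inbound path from IT into the plant at all
    reached = {u.name for u in units if u.boundary is None}
    reached |= {u.name for u in units if u.boundary == FIREWALL}
    return reached               # unidirectional units are never reachable inbound

def evaluate(units, cyber_systems, it_ot_boundary):
    """cyber_systems maps a system name to the list of units it can impair."""
    ratings = {cs: impact_rating(us) for cs, us in cyber_systems.items()}
    return ratings, remotely_reachable(units, it_ot_boundary)

def scenarios():
    """Constructed plant: four 500 MW units, 2000 MW total."""
    def plant(boundary):
        return [Unit(f"U{i}", 500, boundary) for i in range(1, 5)]
    def per_unit(units):
        return {f"DCS-{u.name}": [u] for u in units}
    shared, fw, uni = plant(None), plant(FIREWALL), plant(UNIDIRECTIONAL)
    return {
        "shared DCS, IT/OT firewall": evaluate(shared, {"DCS-shared": shared}, FIREWALL),
        "CIP firewall segmentation": evaluate(fw, per_unit(fw), FIREWALL),
        "unidirectional per unit": evaluate(uni, per_unit(uni), FIREWALL),
        "unidirectional IT/OT + unit firewalls": evaluate(fw, per_unit(fw), UNIDIRECTIONAL),
    }
```

Running `scenarios()` shows that firewall-only segmentation drops every system from Medium to Low Impact while leaving all four units reachable from the IT network, whereas either unidirectional placement leaves no inbound path.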
Updating NERC CIP Guidance
The first step towards addressing the GAO’s concerns should not be new regulations, however. The sector has too many prescriptive regulations already. The first step should be clearer advice from NERC in their transition and other guidance documents. Robust, unidirectional disaggregation strategies are already in widespread use at generation sites in the BES, but are not even mentioned in current NERC guidance. Clear guidance describing the correct use of unidirectional technology to facilitate robust disaggregation of power generation assets would materially reduce cybersecurity risk to the BES.