What's interesting about this most recent occurrence is that it proved shocking to some political leaders and may drive electric grid companies to be held more accountable for their inaction in protecting critical systems.
As SANS pointed out in a recent brief, power company execs had reassured members of Congress and the public that they were doing all they could to protect the nation's power systems. But, just as they made these assurances, their systems already had been breached.
The hope by most experts in the industry is that public and, perhaps more importantly, Congressional indignation over this most recent system break-in will prompt Congress to empower even more the North American Electric Reliability Corporation (NERC), the organization that sets and enforces standards for power company owners, operators and users that comprise the bulk power system. Such reinforcement by Congress of NERC's regulatory power would, in theory, allow them to crack down on electric grid companies failing to meet standards that are supposed to help them safeguard the critical components of the national infrastructure.
Michale Assante, the still fairly new VP and CSO of NERC, who has an impressive background in the information security field, in an published April letter to ‘industry stakeholders,' shared the results of a recent self-certification compliance survey related to NERC's Reliability Standard that addresses “Critical Cyber Asset Identification.” Among many other unsettling results, one of the most pressing revealed that only 29 percent of owners and operators of components running the electric grid identified at least one critical asset (CA), which is defined by NERC as “facilities, systems, and equipment which, if destroyed degraded or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.” Meantime, “fewer than 63 percent of transmission owners identified at least one critical asset.”
He goes on to note that cybersecurity issues abound when it comes to protecting the integrity of the power grid -- issues that NERC is asking its regulated entities to “take a fresh, comprehensive look at.” Specifically, NERC wants these organizations to examine “their risk-based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.”
Unsurprisingly, according to SANS, power grid execs complained in April that results of the survey shared in Assante's letter never should have been made public -- even though compliance audits related to the NERC standard are supposed to begin in these companies at the start of July, Assante noted in the letter.
Electric power officers' ignorance of the threats posed to them and their companies were shown clearly in their criticism of Assante's letter and their voiced collective desire that the results not be made public. But now, their blatant mishandling of critical systems has been uncovered with this most recent penetration by other state-sponsored cybercriminals.
Congress needs to do what's necessary to help NERC call these executives to task and get the power systems they own and operate secured fast and as fully as possible. It has become obvious that these organizations' leaders are grossly negligent in properly safeguarding these critical operations. The bulk power grid absolutely is critical to the nation's day-to-day operations. It should be seen as such by the very people who own and manage them.
Illena Armstrong is editor-in-chief of SC Magazine.