Taking just one sip, or CIP in this case, and we might find ourselves drowning as we are forced to continue to sip from what might become a firehose. At least that is a concern I hear from individuals who fear that the cost of cyber protection could engulf us without providing us with sufficient protection. Is it possible to evolve our critical infrastructure protection (CIP) rapidly enough to secure our grid?
I have been thinking about grid security a lot lately. We have a remarkable grid that was the driver of the early growth of our global economy and that is now foundational for everything we do in our increasingly connected world. With the rapid growth in distributed energy resources (DERs) — including solar, storage, fuel cells, combined heat and power, and home energy management — we are far less reliant on central station power plants. In addition to supporting significant reductions in greenhouse gasses, DERs have, in many cases, enabled the deferral of the construction of new transmission and substation facilities, while leading to better utilization of existing assets and investments. The proliferation of DERs is increasing connectivity, improving utilization of data and creating new business opportunities and services. Clearly, the growth in DERs brings many benefits to society and to the electric utility industry. I believe that it also brings a new set of risks.
Whenever I ask proponents about the need for cybersecurity on DERs, the most common response is that cybersecurity standards are not necessary for most DERs, as they have limited reach and it would take a significant amount of time on the part of hackers to locate the vulnerabilities on a widely distributed set of resources. They also express valid concerns that applying the same cybersecurity standards to DERs that are now applied to utility-owned facilities would add significant costs, thus undermining the economics.
While I see the logic in these answers, I find them unsettling as DERs become an increasingly critical component of our electric infrastructure. We already see constant attacks on our generation plants, substations and control centers. We have taken steps to address this situation in the U.S. through the FERC-approved NERC CIP standards. New CIP standards apply to control centers that control an aggregation of DERs of at least 1500 MW in a single interconnection. I believe this is a clear indication that FERC and NERC recognize that protecting generation, including DERs, plays a role in grid security.
Are we evolving fast enough? I thought we were until I considered the Distributed Denial of Service attack that took place across the U.S. in October 2016. This attack shut down access for thousands of users of Twitter, Spotify, Netflix, Amazon and others. By all accounts, it was a sophisticated attack that adapted to defend itself against attempts to stop it. It lasted several hours, causing significant disruption for many of these businesses.
This suggests that hackers are willing to invest the time and effort to perpetrate large-scale hacks with big impact. If they can do this to nanny cams, could they do it to any grid-connected DER? If they did succeed at shutting down DER sites, it would result in significant lost revenue but an even higher cost to add additional security after the hack(s) for the suppliers and owners of the DERs.
We should also remember gaps in grid security were exploited during the 2015 Ukraine grid blackout caused by hackers who found small exploratory vulnerabilities very much in advance of the actual attack. This was the first known widespread grid blackout caused by cyber terrorists. The lesson here is not about the details of this event, but that there is intent, motive and focus behind all the effort it takes to infiltrate and gain knowledge prior to causing a large effect.
Just as the “Internet of Things” grows our use of data and new services, the “Internet of the Grid” that includes DERs gives rise to technical abilities to connect very disparate things together such as residential and commercial grid assets. We see innovative companies aggregating solar sites for performance and asset management purposes, essentially putting many megawatts of rolled up capacities into a “cloud” environment that may or may not be protected. This makes it fertile ground for hackers to quietly look for exploits and creative ways to think about how to create a much larger impact than any given site.
CIP is a “floor” of protection that FERC/NERC have been struggling with utilities to adopt nationwide. The DER jurisdiction for putting mandatory controls in place is not part of FERC or NERC, and it may be falling into somewhat of a regulatory “hole” that could become the next unprotected vulnerability that gets exploited by those with intent and motive to do our society harm.
For me, this comes down to the question: When do we reach the tipping point where there are sufficient grid-connected DERs that grid security is vulnerable to coordinated attacks on DERs? At what point do we conclude that we need more than just one CIP? I expect it may be sooner than we think.