U.S. regulators are cracking down on the cybersecurity risks to the electric grid posed by everyday electronics like laptops and flash drives.
A ruling issued last week by the Federal Energy Regulatory Commission requires utilities to implement security controls on portable devices that interact with “low-impact” systems, or ones that utilities deem less critical. FERC also ordered the revision of power reliability standards “to mitigate the risk of malicious code” stemming from the devices.
The move comes as the Department of Homeland Security has warned that Russian government hackers have their sights on U.S. energy firms, and as Congress readies legislation to secure the grid.
Observers say FERC’s tightening of security controls further down the grid could shake up how large portions of the sector approach cybersecurity.
Daniel Skees, a lawyer who represents utilities before FERC, said the new ruling amounts to a “sea change” for utilities because it will require additional cybersecurity compliance for less-critical substations and generators.
With technicians traveling to remote facilities across the U.S. to check security controls, “logistically, it’s going to be…much more complicated than the cybersecurity that utilities have had to do in the past,” Skees, a partner at Morgan Lewis law firm, told CyberScoop.
The North American Electric Reliability Corp., a regulatory entity that FERC oversees, said the updated policy “represents the next stage in cybersecurity standards” and will boost the sector’s baseline cybersecurity.
Michael Toecker, a cybersecurity engineer for industrial systems, said the new regulations add “protections for devices like laptops and USB drives that have been good practice in corporate and industrial environments for years.”
Toecker said his only concern with the new ruling was that, with a January 2020 deadline for implementation, utilities may not be incentivized to update their security practices quickly enough. “The goal for [power asset] owners should be to protect their systems as soon as they reasonably can,” he told CyberScoop.
The specter of USB drives has loomed large in the energy industry ever since Stuxnet, the infamous computer worm that used portable media to reach an “air-gapped” system at a uranium enrichment facility in Iran in 2009. While that was a well-resourced and targeted attack, and the new FERC regulations don’t apply to nuclear facilities, Stuxnet’s cautionary tale reverberates in the energy industry today.
The U.S. utility industry also paid close attention when hackers struck the Ukrainian grid in December 2015, cutting power for 225,000 people, and a year later, when another attack used malware to de-energize a Ukrainian substation.
Since the Ukrainian attacks, grid security has gained more attention on Capitol Hill as lawmakers have looked to strengthen infrastructure that is largely privately-owned. A House Energy and Commerce subcommittee advanced no less than four bills last week on the subject, one of which would set up a voluntary Department of Energy program for testing products used in the industrial control systems (ICS) that underpin the grid.
Such systems have been targeted by Russian government hackers over the course of a two-year campaign against multiple sectors, from nuclear to critical manufacturing, DHS said last month.
Skees said he sees FERC continuing its efforts to regulate cybersecurity for low-impact power assets because the commission has been expanding the scope of facilities subject to cybersecurity requirements.
“Everybody that’s on those networks, that participates in those communications, needs to have robust cybersecurity compliance,” Skees said. “Otherwise, it’s only a matter of time before one of the country’s adversaries finds where the weak link is.”