The Fight for Electric Grid Cyber Security
“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” – Justice Louis D. Brandeis
Recently I wrote about our campaign to fight for electric grid cyber security. The battle played out last week before an obscure federal agency that most people have never heard of – the Federal Energy Regulatory Commission (FERC). Because, as Justice Brandeis pointed out, there is nothing better than the light of day to hold the government accountable, this fight needs to be made public.
Petition for electric grid cyber security
Under a law called the Administrative Procedure Act (APA), “each agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule.” This means that the public can file a petition with an agency to add, delete or change a regulation. This is how the Foundation for Resilient Societies picked this fight on January 13, 2017. In a petition for rulemaking to FERC, Resilient Societies forced the federal government to finally face the fact that electric grid cyber security is lacking.
But just who is the Foundation for Resilient Societies? They are a non-profit organization “engaged in scientific research and education with the goal of protecting technologically-advanced societies from infrequently occurring natural and man-made disasters.” In other words, they are trying to protect us from catastrophic disasters such as a loss of the electric grid from a cyber attack, geomagnetic disturbance (GMD), electromagnetic pulse (EMP) and other threats.
Resilient Societies has been active in petitioning the government to make regulations to protect the electric grid and nuclear power plants from catastrophic events for years. It is clear that for over two decades, the federal government has known about the existential threats to United States posed by the vulnerability of our critical infrastructures – including the lack of electric grid cyber security, and the government has failed to act. The Foundation for Resilient Societies is one of the members of the Secure The Grid Coalition working to hold the government accountable to protect us.
So, with their petition for rulemaking last year, Resilient Societies forced FERC (the government) to consider instituting stronger electric grid cyber security regulations. But this wasn’t going to happen without a fight. You see, as I explained in a previous article, the electric grid regulates itself. The federal government can’t easily tell the industry what to do. There is a mind-numbingly complex process involved.
The electric industry says that protecting your family’s lives is “unduly burdensome” and “unnecessary”
Not surprisingly, the industry, through it’s proxy the North American Electric Reliability Corporation (NERC), fought the effort for better electric grid cyber security. After all, the thousands of companies that comprise the electric grid are trying to make a profit. All of this regulation about cyber security and EMP and GMD are just a nuisance when you are worried about the bottom line. The industry attempted to harpoon the effort to increase electric grid cyber security by arguing to FERC that such rules are “unduly burdensome” and “unnecessary.”
Remember that people: The electric industry says that protecting your family’s lives is “unduly burdensome” and “unnecessary.”
The other side of the story is that lives are at stake. Millions of lives. In fact, on March 28, 2017 the Senate Committee on Homeland Security and Governmental Affairs reported this about the critical infrastructure:
“The United States depends on its critical infrastructure, particularly the electric power grid, as all critical infrastructure sectors are to some degree dependent on electricity to operate. A successful nuclear electromagnetic pulse (EMP) attack against the United States could cause the death of approximately 90 percent of the American population. Similarly, a geomagnetic disturbance (GMD) could have equally devastating effects on the power grid.” (Page 6.)
The threats to the electric grid are real. They are proven. They exist. Protecting America should not be “unduly burdensome” and “unnecessary.”
Is the regulator asleep at the switch?
Incredibly, FERC let the industry plow them over and issued an order on December 28, 2017 denying part of the petition for rulemaking. Specifically,
“The Foundation for Resilient Societies filed a petition asking the Commission to require additional measures for malware detection, mitigation, removal and reporting. We decline to propose additional Reliability Standard measures at this time for malware detection, mitigation and removal, based on the scope of existing Reliability Standards, Commission directed improvements already being developed and other ongoing efforts.”
What does that even mean?
What it means, is that the industry (through NERC) bullied FERC – or woke them up just long enough to have them sign this order. The industry told FERC that malware detection, mitigation and removal would be “unduly burdensome” and “unnecessary.”
Okay. Here is what we know.
- On November 20, 2014, Admiral Michael Rogers, Commander, U.S. Cyber Command and Director, National Security Agency testified before the U.S. House Select Intelligence Committee that “foreign cyber actors are probing America’s critical infrastructure networks and in some cases have gained access to those control systems.”
- On December 2, 2014, cyber security vendor Cylance published its “Operation Cleaver” report, demonstrating that Iran-based hackers had compromised at least one U.S. electric generation company.
- On December 23, 2015, a cyberattack struck the Ukrainian grid causing 225,000 customers to lose power, using malware called “Black Energy.”
- On December 17 and 18 2016 the Ukaranian power grid was again attacked, causing another blackout. This time with malware called “Crash Override.”
- In December of 2016, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) publicly reported on a Russian developed malware tool, called “BlackEnergy.” BlackEnergy was previously identified by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the Department of Homeland Security (DHS) as being present in America’s energy sector.
- “Crash Override” and “Black Energy” – the malware that took down the Ukrainian electric grid are a threat to the U.S. electric grid.
Recap: Malware is known to have taken down the electric grid in the Ukraine. Malware has been shown to be present in the U.S. critical infrastructures and hackers have gained access to the U.S. electric grid. Check.
Amazingly and disturbingly, FERC bought the industry’s argument that detecting malware on the electric grid would be “unduly burdensome” and “unnecessary.” So FERC “declined to propose” that the industry do anything about malware!
Did the U.S. government (FERC) really just say that protecting your family’s lives is “unduly burdensome” and “unnecessary”? Is the regulator asleep at the switch – or just too chummy with the regulated? Hmmm.
The fight for electric grid cyber security continues
The Secure The Grid Coalition and the Foundation for Resilient Societies are continuing the fight and we are taking the fight to the streets. Although FERC declined to do anything about malware, they did agree with one aspect of the petition:
“However, we propose to direct broader reporting requirements. Currently, incidents must be reported only if they have ‘‘compromised or disrupted one or more reliability tasks,’’ and we propose to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm.”
This reporting issue is almost too ridiculous to believe.
“The grid” reported only 3 cyber related incidents in 2014 and none (zero) in 2015 and 2016. Meanwhile, on April 14, 2016, the U.S. House of Representatives held a hearing and the Committee noted that:
“The DHS reports that the energy sector is the target of more than 40 percent of all reported cyberattacks. In 2014, the National Security Agency (NSA) reported that the agency had tracked intrusions into industrial control systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.” (Page vii. Internal citations omitted.)
Obviously there is a huge disconnect. The DHS and the NSA say that 40% of all cyber attacks are directed at the energy sector and the grid has been penetrated by entities that could take down the critical infrastructure.
But “the grid” reports few or no cyber related incidents during the same periods.
So we did something about it. Many members of the coalition submitted comments to FERC in the rulemaking process urging FERC to order NERC to improve electric grid cyber security reporting standards.
Not surprisingly, the usual suspects from the industry replied that this would all be “unduly burdensome” and “unnecessary.”
In order to bring this fight to the streets, we are publishing all the comments on this electric grid cyber security issue below. (Be patient – it is a large PDF file). In the chart to the right, you can see in green are the comments in favor of better cyber security reporting standards. The comments in red are against better cyber security reporting standards. Many of the green comments are from members of the Secure The Grid Coalition.
Look for yourself. Decide for yourself. Is your family’s safety and security is “unduly burdensome” and “unnecessary”?
If you believe that the electric grid needs to be protected, write to your state or federal legislator. Send them a copy of this article. Tell them that the first job of the government is the protection of it’s citizens. They need to protect us by protecting the critical infrastructures.
FERC Docket RM18-2-000 and AD17-9-000 comments:
Click Here for Comments to FERC on Electric Grid Cyber Security.
The PDF file is 240 pages – be patient. Once the PDF opens in a separate window, click on the bookmarks icon (circled in red below) to navigate.
Fun facts:
- The word “burden” appears 56 times in these 240 pages.
- The phrase “unduly burden” appears 6 times in these 240 pages.
- Best (bureaucratically ridiculous) use of the word “unnecessary: “Such process adds significant additional administrative burden for all involved entities, which is inefficient and unnecessary…” (Page 83.)