NERC Refocusing Cybersecurity Efforts
In the face of mounting attacks against critical infrastructure, NERC, which oversees the United States' electrical grid, is retooling how it addresses cybersecurity.
Officials at the Federal Energy Regulatory Commission (FERC) - the U.S. agency that's in charge of regulating, monitoring, and investigating electric, oil, gas, and hydropower matters - recently announced plans to refocus its efforts to better combat cybersecurity challenges facing the country’s energy grid.
One of the issues FERC is hoping to drill down on is supply chain security and how to better mitigate risks like third-party authorized access and insider threats, according to a presentation at FERC’s November open meeting two weeks ago.
In addition to supply chain security, the NERC’s staff plan to refocus their efforts on:
- Supply chain, insider threat, and third-party authorized access
- Industry access to timely information on threats and vulnerabilities
- Cloud/managed security service providers
- Adequacy of security controls
- Internal network monitoring and detection.
Barry Kuehnle of FERC’s Office of Electric Reliability, David Capka of NERC’s Office of Energy Projects, and Craig Barrett from FERC’s Office of Energy Infrastructure Security, gave an overview of initiatives FERC is undertaking to tackle each bullet point during the meeting.
To arrive at the five focus areas, NERC staff considered known threats – both public and nonpublic threat reports, observed vulnerabilities, in addition to currently enforceable NERC CIP standards, and the Office of Energy Project’s Security Program for Hydropower Projects Revision 3A guidelines.
In addition to those focus areas, FERC's Chairman Neil Chatterjee also said the agency's Office of Electric Reliability would be rededicating an internal group to better focus solely on cybersecurity issues. An additional group, within the Office of Energy Project’s Division of Dam Safety and Inspections focused on cybersecurity issues, was also announced during the meeting.
The formation of the new group should free up engineers in the department to focus on areas of their expertise.
“When cybersecurity became part of the program within OEP, we had to rely heavily on experts outside our office – we relied on the Office of Energy Infrastructure Security (OEIS) and Office of Electric Reliability (OER) to help us – and it quickly became clear that we needed in house expertise, especially on the cyber side,” Capka said during the meeting.
“We’re looking at this as a way to help our program doubly. I think we’re going to have a much more robust security program with the expertise we’ve been able to bring on board, as well as we’re allowing our dam safety engineers to focus on safety.”
The meeting came a few days before a Wall Street Journal article revealed that hackers have been hitting electrical utilities hard of late. More than a dozen, utilities located near dams and other critical infrastructure based in the U.S. were targeted.
Per that WSJ report, the utilities were close to major federal dams and transmission lines that transfer hydroelectricity.