Grid Security Now!

Michael Mabee – Author of The Civil Defense Book


Electric Grid Cybersecurity: A Victory for the Secure the Grid Coalition

Posted on June 24, 2019 / June 25, 2019 by Michael Mabee


Coalition plays the long game on electric grid cybersecurity

On June 20, 2019, the Federal Energy Regulatory Commission (FERC) approved the electric grid cybersecurity reliability standard CIP-008-6 (Cyber Security—Incident Reporting and Response Planning). The Secure The Grid Coalition has been fighting this battle now for several years. The result of our efforts is an improved Critical Infrastructure Protection (CIP) Standard—a victory for electric grid cybersecurity, citizen activism and the American people.

A law called the Administrative Procedure Act (APA) says that “each agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule.” This means that the public can file a petition with an agency to add, delete or change a regulation. This is how the Foundation for Resilient Societies picked this fight on January 13, 2017. In a “Petition for Rulemaking” to FERC, Resilient Societies forced the federal government to finally face the fact that electric grid cybersecurity is lacking.

Electric Industry: “Move along, nothing to see here…”

Specifically, “the grid” reported only 3 cybersecurity incidents in 2014 and none (zero) in 2015 and 2016. Meanwhile, on April 14, 2016, the U.S. House of Representatives held a hearing and the Committee noted that:

“The DHS reports that the energy sector is the target of more than 40 percent of all reported cyberattacks. In 2014, the National Security Agency (NSA) reported that the agency had tracked intrusions into industrial control systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.” (Page vii. Internal citations omitted.)

Obviously there was a huge disconnect. DHS and the NSA say that 40% of all cyber attacks are directed at the energy sector. Moreover, DHS and the NSA say that hackers have penetrated the grid and could take down the critical infrastructure.

But “the grid” reports few or no cyber-related incidents during the same periods.

Another issue was that there was no requirement for malware detection, mitigation and removal. (Malware is what took down the electric grid in the Ukraine in 2015 and 2016.)

The Petition for Rulemaking forced FERC to initiate the long process which resulted in what is known as a Notice of Proposed Rulemaking (or “NOPR”) on December 28, 2017. The NOPR said:

“The Foundation for Resilient Societies filed a petition asking the Commission to require additional measures for malware detection, mitigation, removal and reporting. We decline to propose additional Reliability Standard measures at this time for malware detection, mitigation and removal, based on the scope of existing Reliability Standards, Commission-directed improvements already being developed and other ongoing efforts. However, we propose to direct broader reporting requirements. Currently, incidents must be reported only if they have ‘compromised or disrupted one or more reliability tasks,’ and we propose to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm.”

While we were (and remain) disappointed that the malware detection, mitigation issue was shelved, FERC agreed that the reporting requirements needed improvement. In the NOPR, FERC proposed to order the industry “to improve the reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system.”

The grid tries to go minimal on cybersecurity

The catch is that the electric utility industry writes their own standards through their mouthpiece, the North American Electric Reliability Corporation (NERC). So even though FERC directed NERC to improve the standard, the process frequently takes years and the industry—which does not want to be regulated—took a minimal approach to this standard as they have in past standards.

Grid Cyber Security Comments

And if nobody intervened, history shows that they may have gotten away with it.

But we did something about it. The fight subsequently played out in FERC Docket RM18-2-000. Many members of the coalition submitted comments to FERC in the rulemaking process. We urged FERC to order NERC to improve electric grid cybersecurity reporting standards.

Not surprisingly, the usual suspects from the industry, including industry lobbyist Edison Electric Institute—whose members include the government of the People’s Republic of China—replied that this would all be “unduly burdensome” and “unnecessary.”

Click HERE for a PDF file with all the comments on this electric grid cybersecurity docket. (Be patient—it is a large PDF file.) In the chart to the right, the comments in green are in favor of better cybersecurity reporting standards. The comments in red are against better cybersecurity reporting standards. Many of the green comments are from members of the Secure the Grid Coalition.

When the smoke cleared, FERC issued the final order (“Order 848”) on July 19, 2018.

The Good News

We won the battle on getting broader reporting requirements. The final order “directed NERC to develop and submit modifications to the Reliability Standard to require the reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).” In English, FERC did not buy the industry’s argument that reporting attacks on these critical components was “unduly burdensome.”

That was the good news.

The Bad News

The bad news was that FERC did not require a standard for malware detection, mitigation and removal as Foundation for Resilient Societies initially proposed. However, FERC states that malware falls within the reporting requirement:

“In addition, we do not agree with Resilient Societies that the detection of malware infecting a responsible entity’s ESP or associated EACMS would fall outside the new reporting requirement. While Resilient Societies asserts that a malware infection would not meet the threshold of a compromise, breach, impact, or disruption, we believe that it would fall within the parameters of an attempted compromise.” (Order 848, page 25.)

So, there is no requirement to detect, mitigate or remove malware. But if a utility bumbles across it, they are at least required to report it.

(Why am I not relieved?)

NERC submitted the modified reliability standard CIP-008-6 (Cyber Security—Incident Reporting and Response Planning) on March 7, 2019, and FERC issued the order approving CIP-008-6 on June 20, 2019.

The final bit of bad news is that FERC bought off on NERC’s 18-month implementation period. This means the new standard is not effective until January 21, 2021—four years after the Foundation for Resilient Societies submitted the petition for rulemaking.

Fixing electric grid cybersecurity needs a great deal more work

Although perhaps not as strong a rule as we would have liked, citizens in this docket (largely members of the Secure the Grid Coalition) moved the needle significantly. First, citizens started this process with a petition for rulemaking. (None of this ever would have happened but for Foundation for Resilient Societies initiating it.) Second, citizens, through their participation in the regulatory process, forced the industry to make a stronger rule than the industry initially proposed.

However, there is still much work to be done.

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” – Justice Louis D. Brandeis

  1. The industry (enabled by FERC) is covering up the names of regulatory violators from the public, investors, Congress and state regulators. (Read more HERE.)
  2. Data and analysis on the effectiveness of the regulatory system covering the electric grid is not publicly available. (Read more HERE.)
  3. The Critical Infrastructure Protection (CIP) Standards are still lacking in several areas, requiring the intervention of the public and watch-dog groups. (Read more HERE.)

Members of the Secure the Grid Coalition are working hard on these and other initiatives to secure the nation’s critical infrastructures. Most of us do not get paid. We have actual “day jobs” that pay the mortgage and we volunteer our time and expertise to protect and serve our country. And we are fighting a multi-billion-dollar industry with armies of lawyers, lobbyists and over 150 million last year in political donations and congressional influence.

To protect the grid—and your family—we need your help.

What you can do to help secure the grid

There are two things you can do to help:

  1. Take Action. Click on our Take Action Page to see specific things you can do to help.
  2. Make a tax-deductible donation to the Secure The Grid Coalition. Click HERE to donate.

If it bothers you that the country is in such grave danger, please do something about it!

###


Reference Materials:

  • FERC Order issued on June 20, 2019 Approving CIP-008-6 (Docket RD19-3-000). https://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=15278927
  • Petition of the North American Electric Reliability Corporation for Approval of Proposed Reliability Standard CIP-008-6 (Docket RD19-3-000). (Large file—be patient)  https://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=15180084
  • FERC Order 848 issued on July 19, 2018 (Docket RM18-2-000). https://ferc.gov/whats-new/comm-meet/2018/071918/E-1.pdf
  • Comments Submitted in Docket RM18-2-000. (Large file—be patient) https://michaelmabee.info/wp-content/uploads/2018/03/RM18-2-Comments.pdf
  • FERC Notice of Proposed Rulemaking (NOPR) issued on December 28, 2017 (Docket RM18-2-000). https://www.gpo.gov/fdsys/pkg/FR-2017-12-28/pdf/2017-28083.pdf
  • Foundation for Resilient Societies Petition for Rulemaking submitted on January 13, 2017: https://www.resilientsocieties.org/uploads/5/4/0/0/54008795/resilient_societies_petition_for_rulemaking_ad17-9.pdf



 
