FERC Docket RM18-2-000

The Fight for Electric Grid Cyber Security

 

 

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” – Justice Louis D. Brandeis

Recently I wrote about our campaign to fight for electric grid cyber security. The battle played out last week before an obscure federal agency that most people have never heard of – the Federal Energy Regulatory Commission (FERC). Because, as Justice Brandeis pointed out, there is nothing better than the light of day to hold the government accountable, this fight needs to be made public.

Petition for electric grid cyber security

Under a law called the Administrative Procedure Act (APA), “each agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule.” This means that the public can file a petition with an agency to add, delete or change a regulation. This is how the Foundation for Resilient Societies picked this fight on January 13, 2017. In a petition for rulemaking to FERC, Resilient Societies forced the federal government to finally face the fact that electric grid cyber security is lacking.

But just who is the Foundation for Resilient Societies? They are a non-profit organization “engaged in scientific research and education with the goal of protecting technologically-advanced societies from infrequently occurring natural and man-made disasters.” In other words, they are trying to protect us from catastrophic disasters such as a loss of the electric grid from a cyber attack, geomagnetic disturbance (GMD), electromagnetic pulse (EMP) and other threats.

Resilient Societies has been active for years in petitioning the government to make regulations to protect the electric grid and nuclear power plants from catastrophic events. It is clear that for over two decades, the federal government has known about the existential threats to the United States posed by the vulnerability of our critical infrastructures – including the lack of electric grid cyber security – and the government has failed to act. The Foundation for Resilient Societies is one of the members of the Secure The Grid Coalition working to hold the government accountable to protect us.

So, with their petition for rulemaking last year, Resilient Societies forced FERC (the government) to consider instituting stronger electric grid cyber security regulations. But this wasn’t going to happen without a fight. You see, as I explained in a previous article, the electric grid regulates itself. The federal government can’t easily tell the industry what to do. There is a mind-numbingly complex process involved.

The electric industry says that protecting your family’s lives is “unduly burdensome” and “unnecessary”

Not surprisingly, the industry, through its proxy the North American Electric Reliability Corporation (NERC), fought the effort for better electric grid cyber security. After all, the thousands of companies that comprise the electric grid are trying to make a profit. All of this regulation about cyber security and EMP and GMD is just a nuisance when you are worried about the bottom line. The industry attempted to harpoon the effort to increase electric grid cyber security by arguing to FERC that such rules are “unduly burdensome” and “unnecessary.”

Remember that, people: The electric industry says that protecting your family’s lives is “unduly burdensome” and “unnecessary.”

The other side of the story is that lives are at stake. Millions of lives. In fact, on March 28, 2017 the Senate Committee on Homeland Security and Governmental Affairs reported this about the critical infrastructure:

“The United States depends on its critical infrastructure, particularly the electric power grid, as all critical infrastructure sectors are to some degree dependent on electricity to operate. A successful nuclear electromagnetic pulse (EMP) attack against the United States could cause the death of approximately 90 percent of the American population. Similarly, a geomagnetic disturbance (GMD) could have equally devastating effects on the power grid.” (Page 6.)

The threats to the electric grid are real. They are proven. They exist. Protecting America should not be “unduly burdensome” and “unnecessary.”

Is the regulator asleep at the switch?

Incredibly, FERC let the industry plow them over and issued an order on December 28, 2017 denying part of the petition for rulemaking. Specifically,

“The Foundation for Resilient Societies filed a petition asking the Commission to require additional measures for malware detection, mitigation, removal and reporting. We decline to propose additional Reliability Standard measures at this time for malware detection, mitigation and removal, based on the scope of existing Reliability Standards, Commission directed improvements already being developed and other ongoing efforts.”

What does that even mean?

What it means is that the industry (through NERC) bullied FERC – or woke them up just long enough to have them sign this order. The industry told FERC that malware detection, mitigation and removal would be “unduly burdensome” and “unnecessary.”

Okay. Here is what we know.

  • On November 20, 2014, Admiral Michael Rogers, Commander, U.S. Cyber Command and Director, National Security Agency testified before the U.S. House Select Intelligence Committee that “foreign cyber actors are probing America’s critical infrastructure networks and in some cases have gained access to those control systems.”
  • On December 2, 2014, cyber security vendor Cylance published its “Operation Cleaver” report, demonstrating that Iran-based hackers had compromised at least one U.S. electric generation company.
  • On December 23, 2015, a cyberattack struck the Ukrainian grid causing 225,000 customers to lose power, using malware called “Black Energy.”
  • On December 17 and 18, 2016, the Ukrainian power grid was again attacked, causing another blackout, this time with malware called “Crash Override.”
  • In December of 2016, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) publicly reported on a Russian-developed malware tool called “BlackEnergy.” BlackEnergy was previously identified by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the Department of Homeland Security (DHS) as being present in America’s energy sector.
  • “Crash Override” and “Black Energy” – the malware that took down the Ukrainian electric grid – are a threat to the U.S. electric grid.

Recap: Malware is known to have taken down the electric grid in the Ukraine. Malware has been shown to be present in the U.S. critical infrastructures and hackers have gained access to the U.S. electric grid. Check.

Amazingly and disturbingly, FERC bought the industry’s argument that detecting malware on the electric grid would be “unduly burdensome” and “unnecessary.” So FERC “declined to propose” that the industry do anything about malware!

Did the U.S. government (FERC) really just say that protecting your family’s lives is “unduly burdensome” and “unnecessary”? Is the regulator asleep at the switch – or just too chummy with the regulated? Hmmm.

The fight for electric grid cyber security continues

The Secure The Grid Coalition and the Foundation for Resilient Societies are continuing the fight and we are taking the fight to the streets. Although FERC declined to do anything about malware, they did agree with one aspect of the petition:

“However, we propose to direct broader reporting requirements. Currently, incidents must be reported only if they have ‘compromised or disrupted one or more reliability tasks,’ and we propose to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm.”

This reporting issue is almost too ridiculous to believe.

“The grid” reported only 3 cyber related incidents in 2014 and none (zero) in 2015 and 2016. Meanwhile, on April 14, 2016, the U.S. House of Representatives held a hearing and the Committee noted that:

“The DHS reports that the energy sector is the target of more than 40 percent of all reported cyberattacks. In 2014, the National Security Agency (NSA) reported that the agency had tracked intrusions into industrial control systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.” (Page vii. Internal citations omitted.)

Obviously there is a huge disconnect. The DHS and the NSA say that 40% of all cyber attacks are directed at the energy sector and the grid has been penetrated by entities that could take down the critical infrastructure.

But “the grid” reports few or no cyber related incidents during the same periods.

Electric Grid Cyber Security Comments


We do not trust NERC and the electric power industry with the safety and security of your family, our communities and America. We believe that your family’s safety and security is NOT “unduly burdensome” and “unnecessary.”

So we did something about it. Many members of the coalition submitted comments to FERC in the rulemaking process urging FERC to order NERC to improve electric grid cyber security reporting standards.

Not surprisingly, the usual suspects from the industry replied that this would all be “unduly burdensome” and “unnecessary.”

In order to bring this fight to the streets, we are publishing all the comments on this electric grid cyber security issue below. (Be patient – it is a large PDF file.) In the chart to the right, the comments in green are in favor of better cyber security reporting standards. The comments in red are against better cyber security reporting standards. Many of the green comments are from members of the Secure The Grid Coalition.

Look for yourself. Decide for yourself. Is your family’s safety and security “unduly burdensome” and “unnecessary”?

If you believe that the electric grid needs to be protected, write to your state or federal legislator. Send them a copy of this article. Tell them that the first job of the government is the protection of its citizens. They need to protect us by protecting the critical infrastructures.


FERC Docket RM18-2-000 and AD17-9-000 comments:

Click Here for Comments to FERC on Electric Grid Cyber Security.

The PDF file is 240 pages – be patient. Once the PDF opens in a separate window, click on the bookmarks icon (circled in red below) to navigate.


 

Fun facts:

  • The word “burden” appears 56 times in these 240 pages.
  • The phrase “unduly burden” appears 6 times in these 240 pages.
  • Best (bureaucratically ridiculous) use of the word “unnecessary”: “Such process adds significant additional administrative burden for all involved entities, which is inefficient and unnecessary…” (Page 83.)

 


My Comments to FERC on Grid Cyber Security

 

 


[Click Here for the filed PDF copy: FERC Comment Docket RM18-2-000 (Mabee)]


February 23, 2018

 

Comments submitted in FERC Docket RM18-2-000

Cyber Security Incident Reporting Reliability Standards

 

Dear Chairman McIntyre, Commissioner Chatterjee, Commissioner LaFleur, Commissioner Powelson, and Commissioner Glick:

 

Background:

I am a private citizen who has taken it upon himself to study the vulnerabilities of the U.S. electric grid to a variety of threats. My research led me to write a book about how communities can prepare for and survive a long-term power outage.[1] It is a book that never should have had to be written. I’m a regular working American with a regular day-job, but in my spare time I work with several non-profit groups to raise awareness of the existential threats the United States faces vis-à-vis the threats to the electric grid. I continue to write extensively on the subject. It is an occupation I never should have had to have.

On January 13, 2017, the Foundation for Resilient Societies filed a petition for rulemaking[2] with FERC because the electric grid does not have sufficient cyber security protection. Not surprisingly, the electric industry objects and seems to try to assure us that everything is fine.

Threats to the Bulk Power System and Critical Infrastructure:

On March 28, 2017[3] the Senate Committee on Homeland Security and Governmental Affairs reported this about the critical infrastructure:

“The United States depends on its critical infrastructure, particularly the electric power grid, as all critical infrastructure sectors are to some degree dependent on electricity to operate. A successful nuclear electromagnetic pulse (EMP) attack against the United States could cause the death of approximately 90 percent of the American population. Similarly, a geomagnetic disturbance (GMD) could have equally devastating effects on the power grid.” (Page 6.)

And the previous year, the House held a hearing entitled: “Blackout! Are We Prepared to Manage the Aftermath of a Cyberattack or Other Failure Of The Electrical Grid?”[4] In this hearing, the Committee noted that:

“The DHS reports that the energy sector is the target of more than 40 percent of all reported cyberattacks. In 2014, the National Security Agency (NSA) reported that the agency had tracked intrusions into industrial control systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.” (Page vii. Internal citations omitted.)

On February 12, 2013, President Obama[5] noted:

“The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”

In 2008, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack reported about the bulk power system:

“Electrical power is necessary to support other critical infrastructures, including supply and distribution of water, food, fuel, communications, transport, financial transactions, emergency services, government services, and all other infrastructures supporting the national economy and welfare. Should significant parts of the electrical power infrastructure be lost for any substantial period of time, the Commission believes that the consequences are likely to be catastrophic, and many people may ultimately die for lack of the basic elements necessary to sustain life in dense urban and suburban communities.” (Page vii.)[6]

In fact, there have been over two decades of congressional hearings, federal reports and studies about the various threats to the U.S. electric grid.[7] Of the numerous hearings on threats to the critical infrastructures, below are a select few in which Congress examined the cyber threats to the grid:

There is no debate that a loss of the electric grid for a long period of time, for any reason, would be catastrophic for the United States. Because we cannot support our present human population without the electric grid, the loss of life would be unimaginable. Here are the undisputed facts:

  1. Fact: We know that cyber threats to the U.S. electric grid exist and are increasing.[8]
  2. Fact: We know that the electric grid in the Ukraine was attacked and taken down twice by cyberattacks.[9]
  3. Fact: We know that cyber-attacks have been known to destroy equipment.[10]
  4. Fact: We know that all U.S. critical infrastructures are dependent on the bulk power system.[11]

Therefore, the cyber threat to the bulk power system represents an existential threat to the United States. The federal government – not the electric industry – is responsible for protecting against threats to national security. Therefore, the electric industry’s objections to more stringent regulations are unpersuasive. The bulk power system must, without fail, be protected.

It is critical that the federal government ensure that the critical infrastructures are adequately protected against known threats. In this case, the cyber security of the U.S. bulk power system is not a matter of convenience; it is a matter of paramount importance for the federal government.

 

Conclusion:

I urge you to require NERC to promulgate strict cyber security standards and reporting requirements. Thomas Jefferson famously said: “The first duty of government is the protection of life, not its destruction.  Abandon that, and you have abandoned all.”

FERC’s duty here is clear. You must protect life. The threats to the electric grid constitute a national security issue. This is not a matter of a benevolent government being friendly to businesses. This is a matter of national security and the very real threat to millions of Americans’ lives.

 

Respectfully submitted by:

 

Michael Mabee

 

End Notes:

[1] Mabee, Michael. The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community. ISBN-13: 978-1974320943, first edition published July 4, 2013, second edition published October 17, 2017.

[2] Foundation for Resilient Societies. “Petition for Rulemaking to Require an Enhanced Reliability Standard to Detect, Report, Mitigate, and Remove Malware from the Bulk Power System.”  Filed January 13, 2017. https://www.resilientsocieties.org/uploads/5/4/0/0/54008795/resilient_societies_petition_for_rulemaking_ad17-9.pdf (accessed February 22, 2018).

[3] Senate Report 115-12. Activities of the Committee on Homeland Security and Governmental Affairs. (115th Congress) March 28, 2017. https://www.gpo.gov/fdsys/pkg/CRPT-115srpt12/pdf/CRPT-115srpt12.pdf (accessed February 22, 2018).

[4] House Hearing before the Subcommittee on Economic Development, Public Buildings, and Emergency Management. “Blackout! Are We Prepared to Manage the Aftermath of a Cyberattack or Other Failure Of The Electrical Grid?” (114th Congress) April 14, 2016. https://www.gpo.gov/fdsys/pkg/CHRG-114hhrg99931/pdf/CHRG-114hhrg99931.pdf (accessed February 22, 2018).

[5] Executive Order 13636 Improving Critical Infrastructure Cyber Security. February 12, 2013. https://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf (accessed February 23, 2018).

[6] Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack. “Critical National Infrastructures.”  2008. https://permanent.access.gpo.gov/LPS101707/A2473-EMP_Commission-7MB.pdf  (accessed February 23, 2018).

[7] See a comprehensive listing of these federal documents here: https://michaelmabee.info/government-documents-emp-and-grid-security/ (accessed February 22, 2018).

[8] RTO Insider. Expert Sees ‘Extreme Uptick’ in Cyber Attacks on Utilities. https://www.rtoinsider.com/naruc-dragos-cybersecurity-scada-86882/ (accessed February 22, 2018).

[9] Wired Magazine. ‘Crash Override’: The Malware That Took Down a Power Grid. https://www.wired.com/story/crash-override-malware/ (accessed February 22, 2018).

[10] Wired Magazine. An Unprecedented Look at Stuxnet, The World’s First Digital Weapon. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ (accessed February 22, 2018).

[11] Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack. “Critical National Infrastructures.”  2008. https://permanent.access.gpo.gov/LPS101707/A2473-EMP_Commission-7MB.pdf  (accessed February 23, 2018). Page vii.

