US grid rules preclude reliability, security benefits of cloud … – Utility Dive


Cloud technologies could provide significant cost, security and reliability benefits to the U.S. electric grid but critical infrastructure rules do not allow them to be used for certain larger assets, multiple speakers said Thursday at the Federal Energy Regulatory Commission’s annual reliability conference.

The Critical Infrastructure Protection rules, or CIP, are managed by the North American Electric Reliability Corp. and currently require grid asset owners to have certain control or knowledge of the devices operating their software. Cloud computing makes that difficult or impossible, experts agreed, in particular for what are known as high- or medium-impact grid assets.

Current NERC standards “do not provide clear guidance” on how regulated entities can implement new technologies that may not have been envisioned by the current CIP rules, Joseph Mosher, portfolio manager at EDF Renewables, told the commission. “Attempts to incorporate newer technology into the NERC CIP standards can be painful and time consuming,” he said.

Experts expressed concerns over the outdated CIP rules, at a time when grid officials say they face growing threats.

“One can definitely make the argument that the grid is less secure today than it would be” if cloud computing solutions were allowed, “and that gap is growing every day,” security consultant Tom Alrich said. “This is the biggest problem with NERC CIP today.”

A related problem — that important information about those systems can’t today be stored in the cloud — will be fixed beginning next year when two revised CIP standards come into effect, he said.

A sector under attack

The cyber threat to the electric power sector is growing, and grid officials say they must utilize new tools to counter it.

“The electricity sector is under constant attack by nation states and organized criminals. We see billions of attempts a day to survey our networks, identify vulnerabilities or gaps in protection, steal credentials or data, or exact a ransom,” Manny Cancel, senior vice president and CEO of the Electricity Information Sharing and Analysis Center, told regulators Thursday. The E-ISAC is operated by NERC.

China is the biggest cyber threat to the U.S. grid, Cancel said, followed by Russia.

“China will continue to target critical infrastructure here in the U.S., to grow their knowledge and identify access points for future use,” he said. Hackers are constantly looking to exploit vulnerabilities in enterprise software platforms “that are used pervasively across the electricity industry,” he added.

The database of cyber vulnerabilities maintained by the National Institute of Standards and Technology is on pace to report over 27,000 vulnerabilities in 2023, Cancel said, representing a 25% increase over 2022, and “many of them are critical.”

Those vulnerabilities can combine with the rapid expansion of grid-connected assets to create a threat-rich environment, experts agreed.

The rate at which smaller generators, such as solar, wind and batteries, are connecting to the grid is multiplying not only the number of generators but also the vendors necessary to support the infrastructure, Mosher added. “In many cases” these new vendors may not fully support on-premise solutions “and instead require a full or partial cloud implementation, potentially making the generator owner noncompliant with NERC CIP,” he said.

‘These tools cannot be used’

Some of ISO New England’s most robust security tools are not allowed to protect certain electric system assets because they use cloud technology, said Rudolf Pawul, vice president of information and cyber security services for the grid operator.

“Traditional log monitoring and malware detection is insufficient in the face of modern threats,” Pawul said. The ISO “has augmented its traditional security tools with learning-enabled endpoint detection, backed by world class threat hunters, and similar tools for application performance monitoring that aids with anomaly detection. Unfortunately, these tools cannot be used for several ISO New England systems, including some of the most important ones.”


