Cyber Security
About this risk area
The North American Bulk Electric System (BES) is highly automated, with computers and cyber assets controlling most functions of the planning and operations of the grid. As a critical infrastructure, essential for day-to-day life, our sector must remain vigilant to prevent cyber attacks in an ever-changing threat environment and must maintain a robust response capability in case of a successful cyber attack.
New technologies also present new cyber security risks, as the operational and technological environment is evolving significantly, increasing the risk and complexity of the cyber landscape. As an example, distributed energy resources place computer-controlled inverters in fields and other open areas. Similarly, dynamic line rating sensors are located on the span of transmission lines to provide accurate, real-time data on the ability of the line to carry power. In both cases, devices can be physically accessed, creating an additional vulnerability.
Cyber security risks are addressed through the North American Electric Reliability Corporation (NERC) CIP Standards with oversight from our audit and enforcement teams. NERC is considering additional updates to these standards to address emerging risks like cloud computing. We strive to learn from other industries regarding risks and threats they have experienced, and we work collaboratively with industry to encourage not just good cyber hygiene, but also best practices for classifying and protecting their cyber assets.
Within the NERC CIP Standards, the “low impact” asset class is rapidly becoming a larger part of the BES. The NERC Board of Trustees ordered a study of the low impact criteria, which has triggered an update of the low impact CIP requirements under Project 2023-04. NERC has an initiative underway to register additional generation entities, which will likely be subject to the CIP Standards as well. In recognition of this, ReliabilityFirst (RF) has begun publishing an informational series, “Low Impact from the Ground Up” to assist new and existing entities in complying with these standards.
RF has experienced cybersecurity experts that consult with industry to mitigate this risk. We tackle cyber security topics in newsletter articles such as The Lighthouse, workshops, webinars, and our committee work. We can also help answer questions and provide training on supply chain management, recovery, digital forensics, information protection, patch management, access controls, and more. If you are interested in working with us on identifying and mitigating cyber security threats to the grid, consider joining our Critical Infrastructure Protection Committee (CIPC).
We periodically publish a CIP Themes Report, highlighting the themes we have seen through self-reports and audit findings with the goal of sharing mitigations to address these risks. The 2024 CIP Themes Report addresses these themes:
- Latent vulnerabilities: The importance of internal detective controls
- Insufficient commitment to low impact CIP programs: The need to revisit approaches to CIP-003 R2
- Shortages of labor and skillsets: Challenges in workforce and succession planning
- Performance drift: Physical security issues as markers of performance drift and apathy
The 2018 CIP Themes Report is still available and discusses different topics that are still relevant today.
Explore additional cyber security resources below.
- RF Regional Risk Assessment 2023-24
- NARUC – Cybersecurity baselines for electric distribution systems and distributed energy resources
- NERC – Project 2023-09 Risk Management for Third-Party Cloud Services
- Reliability Issues Steering Committee – 2023 ERO Reliability Risk Priorities Report
- NERC 2024 State of Reliability
- SERC 2024 Regional Risk Report
- NIST SP 800-82 – Guide to Operational Technology (OT) Security