February 24, 2020

Preliminary T&T Agenda Now Online! Register Now!

Sessions on spectrum, broadband deployment, security, pole attachments, infrastructure and much more are all set for the May 18-22 annual Telecom & Technology meeting being held in Providence, RI.

Our agenda is coming together fast! Check out the latest on speakers, sessions, summits, and much more here: https://utctelecom.org/program-information/.

Registration is now open! Act now to receive early bird rates!

New speakers and sessions are being added regularly. Check back often for the latest!

We look forward to seeing you in Providence!

FERC Launches Look into Virtualization, Cloud Services for Power Grid Operations

The Federal Energy Regulatory Commission (FERC, the Commission) is seeking comments on the potential benefits and risks associated with the use of virtualization and cloud computing services in the operation of the nation’s bulk electric system.

In a Notice of Inquiry (NOI) approved at its Feb. 20 open meeting, the Commission asks whether its Critical Infrastructure Protection (CIP) Reliability Standards should allow for these technology advancements and balance the innovations with security requirements.

According to FERC, it will use the NOI to decide whether to direct the North American Electric Reliability Corporation (NERC) to develop modifications to the CIP reliability standards to facilitate the use of virtualization and cloud computing by grid users and operators. The NOI is an outgrowth of discussions at the Commission’s June 2019 technical conference on reliability and the March 2019 joint technical conference with the Department of Energy on security investments for energy infrastructure.

“We want to create an environment that allows and encourages innovation and new technologies to flourish,” said Chairman Neil Chatterjee. “At the same time, our cybersecurity standards must clearly address new technologies and help define when and where they could be used.”

The Commission describes virtualization as the process of creating virtual versions of computer hardware to minimize the amount of physical computer hardware resources needed to perform various functions. It is considered necessary if the functions of grid cyber systems are to be moved to a cloud computing environment. While some entities might use the cloud simply for data storage, others may rely on virtualization and cloud storage in tandem to operate systems that control one or more core functions of the power grid.

The NOI poses questions on four general topics: the scope of potential use of virtualization or cloud computing, their associated benefits and risks, possible impediments to their implementation, and potential new and emerging technologies beyond virtualization and cloud computing that responsible entities may be interested in adopting.

Comments are due 60 days after publication of the NOI in the Federal Register. Reply comments are due 30 days later.

In conjunction with last week’s NOI issuance, the Commission directed NERC to make an informational filing, to be followed by quarterly updates, describing work on two draft CIP standards pertaining to virtualization and cloud computing services. The initial filing is due within 30 days, with additional updates required on a quarterly basis.

Please contact the UTC Public Policy Team with any questions.

NERC Publishes CIP-013-1 Frequently Asked Questions

The North American Electric Reliability Corporation (NERC) recently published a list of frequently asked questions (FAQs) regarding compliance with NERC’s supply chain risk management standards.

The affected reliability standards are the new standard NERC CIP-013-1, plus the updated standards NERC CIP-005-6 and NERC CIP-010-3. Compliance becomes enforceable on July 1, 2020.

The FAQs summarize the most commonly recurring themes from NERC’s recently completed small group advisory meetings with registered entities, Standards Developers, and Regional Entities. Some of the key topics include:

  • Supply chain risk management for open source software
  • Evidence of compliance for acquired hardware that has third-party software installed
  • Which BES Cyber Systems are grandfathered out of compliance with NERC CIP-013-1, and how that affects compliance with CIP-005-6 and CIP-010-3
  • What to do when vendors refuse to comply with CIP-013-1 requirements

The questions and answers are written in somewhat less formal language than the requirements themselves, making the information easier to digest. NERC’s responses also acknowledge the complexity of supply chain risk management rather than glossing over it.

The supply chain risk management FAQs are available on the NERC website.

CISA Details Ransomware Attack on Pipeline Operator

A Department of Homeland Security division last week released details of a ransomware cyberattack that forced a pipeline operator to shut down a compressor station for two days.

The Cybersecurity and Infrastructure Security Agency (CISA), in a public statement, said it had responded to the incident. According to media reports, this marks the first time a federal agency has publicly acknowledged such an event on U.S. energy infrastructure.

CISA did not name the impacted pipeline operator.

It said the company fell victim to a “spearphishing” attack that gave the threat actor access to the company’s IT and OT networks, from which the actor deployed a ransomware program. Importantly, CISA reported that the actor did not gain access to programmable logic controllers (PLCs), nor did the company lose control of its operations.

“At no time did the threat actor obtain the ability to control or manipulate operations,” CISA said. “The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.”

In terms of lessons learned, CISA said the company had not implemented “robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”

Additionally, CISA said the company’s “existing emergency response plan focused on threats to physical safety and not cyber incidents.”

Going forward, CISA urged companies across all sectors to adopt a series of planning and mitigation measures, including:

  • Ensuring the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown and low-risk events that allow operations to continue;
  • Exercising the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications, and capturing lessons learned in emergency response playbooks; and
  • Allowing employees to gain decision-making experience via tabletop exercises that incorporate loss-of-visibility and loss-of-control scenarios, and capturing lessons learned in emergency response playbooks.

UTC’s Security, Risk, and Compliance Committee (SRCC) discusses these and related cybersecurity issues. Please contact the SRCC team with any questions.

UTC CALENDAR OF EVENTS

Calendar of UTC committee/division conference calls

Committee/Division calls

  • Feb. 25: WEBINAR! Improving Grid Reliability with Utility Grade Broadband Architecture—For more information, click here
  • Feb. 25: Utilities Broadband Committee Call—For more information, contact Brett Kilbourne
  • March 10: UTC Training Webinar: RF Safety for Utilities—For more information, click here
  • March 18: IT/OT Committee Call—For more information, contact Bob Lockhart
  • March 19: Public Policy Division Call—For more information, contact Rob Thormeyer
  • March 19: Telecom Committee Call—For more information, contact Brett Kilbourne
  • March 20: Security, Risk, and Compliance Committee Call—For more information, contact Bob Lockhart