July 1, 2019

Sponsor

Ditto Urges Continued FERC Leadership on Utility Comms Issues

Utility communications systems are critically important to grid resilience, reliability, and modernization, UTC President and CEO Joy Ditto told a panel of federal energy regulators last week.

Ms. Ditto applauded the Federal Energy Regulatory Commission (FERC) for holding a discussion on utility communications issues and encouraged the Commission to continue strengthening a dialogue with the Federal Communications Commission (FCC) as the interdependencies between the energy and telecommunications industries grow deeper.

“UTC has encouraged greater interaction between this Commission and the Federal Communications Commission (FCC), and we believe this discussion is an important first step,” Ms. Ditto said. “The interdependencies between the energy and telecommunications industries are growing by the day. These interdependencies demonstrate the need for enhanced dialogue between the FERC and the FCC, particularly as decisions made by one entity—the FCC—impact the utilities regulated by this Commission.”

Ms. Ditto spoke on June 27 at FERC’s annual reliability technical conference, held each year at the agency’s Washington headquarters. FERC reserved a portion of the agenda for its day-long conference to focus on utility communications issues (Industry Intelligence, June 24, 2019).

In her remarks, Ms. Ditto noted that the FCC has historically not well understood or recognized the communications needs of utilities and other critical-infrastructure industries (CII). Utilities, along with many CII, own, build, and operate their own communications networks to make the grid stronger, safer, more robust, and more responsive to customer needs. These communications networks—often called “private networks”—rely on both wireline (copper and increasingly fiber) and wireless technologies to function.

Like any wireless network, utility networks require radio frequency spectrum to function. The allocation of commercial spectrum is overseen by the FCC. Because spectrum can be subject to interference, which can delay or degrade the delivery of wireless information, access to interference-free spectrum is vital for utility and other CII networks, Ms. Ditto said.

This is relevant to FERC, she said, because the FCC is considering a proposal which would likely increase the threat of interference in the heavily used 6 GHz band, which utilities have relied upon for more than two decades to provide mission-critical communications services along the Bulk Electric System, including day-to-day reliability  and emergency response, Ms. Ditto said.

Spectrum interference, Ms. Ditto said, can negatively impact the integrity of the data being transmitted over these networks, which can then degrade operations. Unfortunately, the FCC is proposing to open the band to an unknown number of unlicensed users, which not only raises the likelihood of spectrum interference but also makes it incredibly difficult to remediate such interference given the amount of new users expected to participate in the band, Ms. Ditto said.

The 6 GHz band to date has been a reliable communications workhorse for utility operations; if the FCC proceeds as planned, the result will be the removal of a critical tool out of a utility’s toolbox to actively monitor their infrastructure and take action in the event of problem, Ms. Ditto said.

Please contact the UTC Public Policy Team with any questions.

FERC Approves NERC Standard on Enhanced Cybersecurity Incident Reporting

The Federal Energy Regulatory Commission (FERC) late last month approved the North American Electric Reliability Corporation’s (NERC) proposed Reliability Standard CIP-008-6, “Cyber Security – Incident Reporting and Response Planning.”

The final CIP-008-6 standard does not significantly change how an incident is reported but widens the scope of what incidents must be reported. Whereas the currently enforceable CIP-008-5 requires reporting of incidents if they have “compromised or disrupted one or more reliability tasks,” the new version requires reporting of incidents “… that might facilitate subsequent efforts to harm the reliable operation of the Bulk Electric System.”

The scope change is included in the language for Requirement 1.2. In addition to Reportable Cyber Security Incidents, as defined in the NERC Glossary, utilities must also report attempts to compromise one or more systems identified as Applicable Systems. The key is the addition of the word “attempt,” whereas the currently enforceable standard only requires reporting of successful compromises. Each utility must add to its current incident reporting process a plan to identify attempts to compromise “Applicable Systems,” and this plan to identify attempted compromises will likely be reviewed during compliance audits.

Additionally, CIP-008-6 introduces a new Requirement 4, which requires each responsible entity to report incidents to the Electricity Information Sharing and Analysis Center (E-ISAC) and, if subject to the jurisdiction of the United States, to the U.S. National Cybersecurity and Communications Integration Center (NCCIC).

The revised standard also clarifies in explicit language that only high- and medium-impact cyber assets are within its scope, after several commenters had expressed to NERC a concern that the revision could be read to include low-impact assets.

FERC will next open a window for commenting on the information collection requirements, running for 60 days from the time that this order is published in the Federal Register.

Please contact UTC’s Security, Risk, and Compliance Committee Team for more information.

T&T Coverage: Thanks for a Great Week!

Can you believe that the June 17-21 Annual Telecom & Technology Conference was two weeks ago?

We had an incredible week! Thanks to all those UTC members—core and associate—who attended, and to our speakers for providing such fantastic content.

Additionally, we’d like to thank our incredible sponsors, particularly our Premier Sponsor Nokia, which also sponsored the UTC Foundation golf tournament, and our Platinum Sponsors Ondas Networks and SNC-Lavalin. Their support was invaluable to our conference.

All of our sponsors can be found here: https://utctelecom.org/

For the second year, UTC’s core utility members approved a slate of resolutions that will assist in our policy advocacy in Washington and elsewhere. This year’s resolutions are available online here: https://utc.org/policy-resolutions/.

We also held three outstanding general sessions, each designed to bring different elements and perspectives to the meeting. Our first session, which started at 7 a.m. on Wednesday, June 19, featured Shawn Rhodes, an inspiring speaker and former Marine Corps war correspondent. Mr. Rhodes discussed the potential changes impacting the utility industry and urged UTC members to be ready to pivot when necessary in order to adapt going forward.

Our second general session, 11:30 a.m.-2 p.m., featured two keynote presenters—Malia Hodges, CIO of our host utility Oncor, Joao Torres, CEO of EDP Distribuição of Portugal, and a fantastic panel discussion moderated by Oncor Vice President of Portfolio Strategy/Risk Management Michael Quinn. Mr. Quinn, a UTC Board Member, facilitated a fast-paced and forward-looking dialogue featuring Energy Storage Association CEO Kelly Speakes-Backman, Common Ground Alliance President and CEO Sarah Magruder Lyle, North American Transmission Forum CEO Tom Galloway, EPRI Director of Information, Communications, and Cybersecurity, and Smart Electric Power Alliance Vice President of Technical Services Aaron Smallwood.

Finally, our Thursday, June 20, general session featured UTC business updates, our policy resolution process, and the election of our 2019-2020 officers, culminating in CenterPoint Energy’s Greg Angst becoming the new Chair of the UTC Board (Industry Intelligence, June 24, 2019).

Thanks again to all of our attendees, sponsors, and speakers! Looking forward to seeing everyone again next May in Providence, Rhode Island!

Department of Homeland Security Warns on Increased Cyberattacks from Iran

The U.S. Department of Homeland Security (DHS) issued an alert on June 22, 2019, citing a potential imminent threat of increased cyberattacks against U.S. government agencies and industry by Iranian regime actors.

According to the alert, the most frequently witnessed techniques in this wave of attacks have been spear-phishing, password spraying, and credential stuffing. Each differs in its approach, but all have the objective of obtaining targeted users’ passwords, either through social engineering or advanced guessing techniques. The objective of the attacks appears to be to wipe data and disable key networks.

The alert recommends that companies should implement multi-factor authentication for sign-on to all systems. The first factor in authenticating users is normally a password, which the current attackers are attempting to obtain. But by adding a second factor – a one-time code texted to the user’s smart phone or a biometric modality – having a compromised password is no longer enough to gain access to a system.

UTC would like to remind its members that a common attack method is not to attack utilities directly, but rather to perform a two-stage attack, in which the attacker first compromises a utility’s business partner, then uses that compromised partner’s account to attack the utility. The DHS publicly attributed this attack method to Russia in March 2018 but it is likely to be used in this and other sequences of attacks. Regardless of the attack method, multi-factor authentication is a key risk mitigator.

Finally, should an attack be successful, current backups of data and configurations will be required for recovery. The attacks are unlikely to modify the physical attributes of any computing or telecommunications resources, but those resources may have to be restored in case of a successful attack. Current backups can limit the damage caused by a successful attack.

Please contact the UTC Cybersecurity team with any questions.

Upcoming Events

A snapshot of upcoming UTC webinars, events, and conference calls

  • Aug. 21-22, 2019: UTC Broadband Workshop, Kansas City
  • July 9: Knowledge & Learning Committee Call—for more information, contact Bob Lockhart
  • July 9: Practical Lightning Mitigation Webinar–2 p.m.; for more information, click here
  • July 16: Utilities Broadband Committee Call—For more information, contact Brett Kilbourne
  • July 17: IT/OT Committee Call—For more information, contact Bob Lockhart
  • July 18: Telecom Committee Call—For more information, contact Brett Kilbourne
  • July 18: Public Policy Division Call—For more information, contact Sharla Artz
  • July 19: Security, Risk, and Compliance Committee Call—For more information, contact Sharla Artz