As grid operations become increasingly automated and are connected to the internet or other computer networks incorporating two-way communication, they also become more vulnerable to cyberattacks. Smart grid architecture involves many cyber assets, some of which have been a part of the grid for some time, while others have been introduced in recent years. This highlights the need for more advanced measures to enhance cybersecurity for the transforming grid.
The US Federal Bureau of Investigation (FBI) has rated cyber attacks as the primary threat to the national grid, eclipsing the threat of physical damage that may be caused by acts of terrorism or by vagaries of nature. A large-scale cyberattack on the grid can potentially trigger multi-day blackouts across vast regions, disrupting the supply of essential services and costing billions of dollars in economic damages.
These risks become more magnified and widespread as the US grid further integrates with that of Canada. Currently, the two countries are interconnected via over 30 links. Several new high voltage, high capacity interconnections that are planned for the coming years will further improve grid connectivity.
The greater integration and dependence on technology coupled with increasing threat vectors and security vulnerabilities are prompting both the Canadian and the US governments to take necessary steps to protect their critical power infrastructures from cyberattacks.
In this regard, the Cybersecurity Action Plan recently released by Public Safety (PS), Canada, and the US Department of Homeland Security (DHS) represents one of many important efforts made by the two countries to deepen their already strong bilateral cybersecurity cooperation. The governments’ joint strategy is aimed at strengthening the security and resilience of their shared grid infrastructure. It is also in line with the objectives articulated by the outgoing US President Barack Obama and the former Canadian Prime Minister, Stephen Harper in the February 2011 declaration, “Beyond the Border: A Vision for Perimeter Security and Economic Competitiveness”. In addition, both governments have tasked regulatory agencies with establishing reliability and security standards, and working with public and private entities to ensure grid security and resilience.
Progress so far
The US government’s main strategy for cybersecurity has so far focused on prescribing mandatory standards through the North American Electric Reliability Corporation (NERC), the Federal Energy Regulatory Commission (FERC)-designated electric reliability organisation. The NERC developed the first version of Critical Infrastructure Protection (CIP) cybersecurity reliability standards in January 2008, which have since then undergone several revisions in line with the changing technological environment and the lessons learnt. The NERC’s reliability standards propose to limit the risks posed by transient devices such as flash drives to medium- and high-risk bulk electric service cybersystems only and not to low-risk cybersystems.
In November 2013, under Order 791, the FERC accepted Version 5 of the CIP standards (reliability standards CIP-002-5 through CIP-009-5, and CIP-010-1 and CIP-011-1). Further, in July 2015, the FERC proposed to accept seven CIP reliability standards and other modifications under Version 5 of the CIP standards submitted by the NERC. The aim was to address the threats to communication networks and related bulk electric system (BES) assets. In addition, the FERC directed the NERC to improve its standards by expanding their scope to include measures to protect low-risk cybersystems as well as to improve supply chain management. The highlights of the 2015 proposal include enhanced security controls for low-impact assets, protection of transient devices and protection of BES communication networks.
The US Department of Energy’s (DoE), Office of Electricity Delivery and Energy Reliability has made significant efforts to address cybersecurity challenges through several initiatives and financing plans. These initiatives include facilitating public-private partnerships, funding research and development projects to develop cybersecurity technologies, supporting the development of cybersecurity standards, sharing of threat information, advancing risk management strategies, supporting fault management, and augmenting the cybersecurity workforce within the power sector.
As a part of its funding activities, in 2013, the DoE had announced cost-sharing investment plans amounting to $20 million for the development of tools and technologies to improve the cybersecurity of the country’s energy delivery control systems. Under this, the recipients of the projects were required to collaborate with the energy sector to test the developed technologies and ensure that their design matches the requirement of the energy systems. The investment plan was a part of the DoE’s overall grid cybersecurity strategy mentioned in the “2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity” document.
New cybersecurity projects
To continue with its long-term plans of grid strengthening, in August 2016, the DoE allocated $34 million for cybersecurity projects. The funding, announced by the DoE’s Office of Electricity Delivery and Energy Reliability, will cover 12 projects involved in detecting and responding to operational threats, integrating renewables, reducing the exposure of the grid to these threats, detecting malware already in the supply chain, and identifying gaps in the cybersecurity roadmap released in 2011. Power and automation technology company ABB, Schweitzer Engineering Laboratories, General Electric (GE), the United Technologies Research Center, and Iowa State University will be developing the majority of these projects.
In this regard, ABB has been awarded funding for two projects in Cary, North Carolina, to develop technologies for protecting power systems against attacks and for securing integration of multiple microgrids during a potential cyberattack.
Schweitzer Engineering Laboratories in Pullman, Washington, will also work on two projects targeted at rerouting critical information to keep systems operational, and developing algorithms to improve the precise synchronised timing used in energy delivery.
As part of another project in Niskayuna, New York, GE will develop power plant technology, called anomaly detection and accommodation system, which will be able to automatically sense cyberattacks and help respond to them.
In addition, the United Technologies Research Center in East Hartford, Connecticut, plans to develop machine learning on an open-source, advanced cybersecurity platform to more securely integrate legacy and emerging behind-the-meter distributed energy resources. Further, Iowa State University will deve-lop a comprehensive framework that will help reduce the possibility of cyberattacks by continuously assessing and autonomously reducing the attack surface of the power grid.
US-Canada joint strategy
The electric grid shared by the US and Canada is complex and dynamic, made up of interconnected federal, territorial, municipal, cooperative and investor owned and operated utilities. Further, due to a shared geographical border, Canada and the US have a mutual interest to protect their shared grid infrastructure. Recognising this, the power ministries of the two countries released the joint Cybersecurity Action Plan.
The plan, involving both the PS and DHS, aims to enhance the cybersecurity of the US and Canada through increased integration of their respective national cybersecurity activities and improved collaboration with the private sector. The action plan aims to define a joint approach to fulfil the countries’ vision of working together to defend and protect their cyberspace.
With regard to the activities conducted by the PS and DHS, the action plan outlines three objectives pertaining to improved engagement, collaboration and information-sharing at the operational and strategic levels. It also aims to establish proper communication and identify areas for collaborative work, directed towards enhancing the cybersecurity preparedness of the two countries.
The three main objectives of the action plan are as follows:
- Enhanced cyber incident management collaboration: The Canadian Cyber Incident Response Center will work jointly with the US-based computer emergency readiness team and the industrial control systems cyber emergency response team. The aim is to increase real-time collaboration by improving communication channels, enhance information sharing, collaborate on training opportunities, coordinate on cybersecurity incident response management, as well as align and standardise cyber incident management and escalation procedures.
- Joint engagement and information sharing with the private sector: Due to the shared nature of critical infrastructure between Canada and the US, the PS and DHS intend to collaborate on cybersecurity-focused private sector engagement activities. The aim is to jointly develop conference materials and conduct sessions with the private sector, align processes for private sector engagement, as well as standardise protocols for sharing information.
- Cooperation on ongoing cybersecurity public awareness efforts: To increase public awareness on the issues of cybersecurity, PS Communications, the DHS Office of Public Affairs, and the National Protection and Programs Directorate’s Office of Cybersecurity and Communications intend to collaborate on public awareness campaigns.
Cybersecurity of the power grid has been a national concern over the past decade in the US. However, in recent times, it has also gained the attention of the Canadian authorities, leading to the release of the joint Cybersecurity Action Plan. The plan is intended to be a living document to be reviewed on a regular basis and updated as per the latest requirements that align with the plan’s key goals and objectives. It intends to support the current and future efforts, which seek to enhance bilateral cooperation on cybersecurity between both governments.
Going forward, there is a need for the two governments, especially of Canada, to create more incentives for the im-provement and adaptation of cybersecurity standards, as well as encourage companies to exceed the minimum standards and share information on cyberattack quickly.