The smart grid needs a smarter cyber strategy

A new executive order asks: Do you use equipment produced by companies owned by foreign adversaries? The industry would be hard-pressed to answer.

The cyber landscape for utilities

Despite daily attempts to attack the US electric grid, a cyber attack has yet to cause a power outage in the United States. But such attempts have been successful in other countries, according to a 2019 report from the Government Accountability Office (GAO).

Cyber attacks have grown in number and sophistication over the past 15 years. In January 2019, in a worldwide threat assessment, then-Director of National Intelligence Daniel R. Coats warned that nation-states have the capabilities to launch a cyber attack on the US electric grid. The FBI and Department of Homeland Security jointly issued an alert in 2018 about foreign government actions targeting the US energy sector.

In May 2020, the White House elevated the security of the US bulk-power system to a national emergency in an Executive Order. The EO bans the acquisition, importation, transfer or installation of bulk-power system electricity equipment from companies under foreign adversary control. Six countries have been expressly listed by the Department of Energy (DOE) as “foreign adversaries.”

The EO covers equipment used in the interconnected energy transmission and power generation needed to maintain transmission reliability (69 kV or more). This equipment includes control centers and the software used to manage flows of electricity, protective relays, voltage regulators, transformers and automatic circuit reclosers.

  • The Executive Order (EO) issued on May 1 declared threats to the US bulk-power system a national emergency, forbidding purchase or use of equipment from foreign adversaries. Implementing rules or regulations are to be developed by a task force by the 150-day deadline — Sept. 28, 2020.
  • The EO is the wake-up call to industry executives to address interrelated vulnerabilities that cyber experts have long identified. Laggard utility companies should modernize supply chain risk management, asset and inventory management, and overall security of critical infrastructure systems.
  • The EO demands increased visibility into and accountability for contractors and subcontractors, suppliers, other third parties in the ecosystem, relationships, assets and inventories. It essentially expands on the standards mandated by NERC CIP-013, which utilities must comply with by Oct. 1, 2020.

Some 85% of new high-voltage utility transformer orders have come from abroad in the past decade.

Source: E&E News

How prepared is the industry to comply with the EO?

Do you have an accurate inventory of vendors?

Supply chain and third-party risk has been a focus for utilities for a while. But utilities don’t have the level of visibility into and accountability for the players and elements — contractors and sub-contractors, suppliers, other third parties in the ecosystem, relationships, assets, and inventories — that the EO demands. Utilities may not be prepared to address these vectors of risk.

A task force led by the Energy Secretary will publish criteria for prequalifying particular equipment and vendors in the bulk-power system electric equipment market for future transactions. It will also identify which equipment needs to be removed from the grid. The task force needs to identify the equipment affected by the EO “as soon as practicable” and publish rules or regulations implementing the EO within 150 days of its issuance (or by Sept. 28, 2020).

Most will struggle with answering the questions the EO poses:

  • Who are your vendors?
  • How well can they answer the questions about the security of their products and services?
  • What systems and assets do they have access to?
  • What controls are in place to protect systems?
  • How do you coordinate contractors coming in to do maintenance?
  • Where is there reliance on a subcontractor, secondary or tertiary provider?
  • How good is their cybersecurity posture?
  • Where are assets coming from, and if they are coming from adversary states, is malware embedded in them?

Will complying with NERC CIP-013 satisfy the EO requirements?

No. The EO scrutinizes the country of origin for vendor products and services, which NERC CIP-013 doesn’t. With the new EO, more systems are in scope, and additional supply chain information must be captured, including sources of materials.

However, complying with NERC CIP-013 by the Oct. 1, 2020, deadline will go a long way. The existing NERC CIP-013-1 supply chain security standard requires utilities (generators, transmission operators, etc.) to establish a plan to assess the risk presented by vendors and products that have access to assets, as well as the overall procurement process.

Don’t be tempted to respond to the EO with a point solution

Utility technologies are typically multi-decade investments that allow for investments to amortize, while avoiding downtime and keeping a working state undisturbed. A successful malicious actor would most likely be motivated to establish a presence and lurk in the system for months or, more likely, years, waiting until the most opportune time to launch an attack with maximum impact. 

Also, while utilities may have taken steps to harden their external walls against potential attacks and disruptions, their external environments (third parties, assets and external relationships) may not have received the same level of enhancement and protections. Hackers frequently use a back door to attack a supply chain — involving hundreds of contractors and subcontractors — and then work their way to the utilities.

In a smart grid, a smarter cyber strategy secures the web of connections — relationships, assets, devices, networks and communications. “Virtually every device now has a chip in it. [If] you are getting your chip from overseas, [what] if there's anything in there that makes us vulnerable?” asks Bernard McNamee, commissioner of the Federal Energy Regulatory Commission (FERC). Not surprisingly, the restrictions in the EO on bulk power mirror those for the US information and communication technology and services industry in EO 13873 signed in May 2019.

Ironically, for all the advanced technologies in the smart grid, governance around third-party risk management (TPRM) and the asset-inventory process in utilities have lagged behind other industries. The utilities industry historically has had a manual and paper-based system for tracking assets. 

According to our Digital Trust Insights study on resilience, 38% of the EU&M (Energy, Utilities and Mining) sector respondents said that they don’t have a full inventory of assets. Only 37% conducted an inventory of key processes and assets in 2019. About 60% last conducted an inventory of key business processes and assets in the last five years; 3% did so within the last six to 10 years. In comparison, across all industries, 91% of the high-resilience-quotient respondents (high-RQ) maintain an accurate inventory, which is refreshed as needed. (High-RQ respondents are the top 25% of scorers on three measures of resilience.)

Of course, the utilities industry realizes the need to improve its cyber posture. According to PwC’s Digital Trust Insights study on business-driven cyber, 67% of the 136 industry executives said their cyber team is “significantly” transforming to meet the needs of the business, and another 12.5% said their cyber team is “very significantly” transforming.

Utilities need to catch up to leaders to better protect critical infrastructure

[Chart: High-Resilience Quotient (high-RQ) respondents vs. the rest, on three measures: have a full inventory of assets and refresh as needed; applied automation to inventory core processes and assets; applied automation to map dependencies.]

Q: Has your organization obtained a full inventory of its assets in the last five years?
Q: To what extent have you conducted the following activities for the entire enterprise? Inventorying key business processes and assets, and Mapping dependencies
Base: 886 high-RQ; 2,646 others
Source: PwC, Digital Trust Insights, September 2019

Focus of transformation initiatives by utilities industry

[Chart, items ranked by share of respondents: increase spending on and investments in cybersecurity; create a digital strategy that takes into account potential changes in business models in the future; increase business acumen of the cybersecurity professionals; improve threat intelligence; understand the regulatory landscape holistically and integrate controls; focus on operational technology security; understand the data footprint across the ecosystem, internally and with external parties; report more frequently on cyber risks to the C-suite.]

Q: If your cybersecurity team is ‘significantly’ or ‘very significantly’ transforming to meet the needs of the business, in what specific ways is your cybersecurity team transforming? Rank top 5.
Total of 136 survey respondents (Energy, Utilities, and Mining business and IT/security executives)
Source: PwC, Digital Trust Insights on business-driven cybersecurity, May 2019.

Take these six steps to move toward a smarter cyber strategy

The heightened focus on the components of critical infrastructure is expected to increase over time, eventually affecting not only purchasing activities, but full life-cycle accountability, including more robust device impact analysis, industry pooling of high-value spares, trusted maintenance, and more detailed continuity planning and exercises. Boards and regulators will ask questions about a company’s critical elements and where they originate.

Now’s the time for utilities companies to begin formalizing improvements in supply chain risk management, asset management and third-party risk management. It’s also time to double down on broader security controls for the systems running the electric grid.

Here are some essential steps:

Build an inventory of assets and relationships

Replace manual tracking with a digital inventory of your assets and current external relationships (including third parties), with descriptions of their services and assets. Risk-rank your organization’s exposure to these relationships (based on functionality of component). And plan for a continual refresh of the inventory.

Ask about your assets and relationships:

  • What are a company’s critical elements (both grid and back-office)?
  • Are they IoT-connected (i.e., have IP address, microprocessors, etc.?)
  • How were they procured? Who are the suppliers? Where do they come from?
  • How are they managed for maintenance?
  • Where is there reliance on a partner or third-party service provider?
  • Does an asset have functionality that’s unknown to the utility, posing further risk to the organization?
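As an added illustration (not code from the PwC article), the following sketches what a digital inventory that can answer these questions looks like: each asset records its category, operating voltage and supplier, each supplier records its attested country of origin and its own sub-suppliers, and the assessment walks every tier, applies the EO scope test described above (EO-named bulk-power equipment at 69 kV or more) and ranks the asset. `ADVERSARY_LIST` and all supplier and country names are constructed placeholders; the real list is the one DOE publishes.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Equipment categories the EO names (control centres and their software, relays, ...).
EO_EQUIPMENT = {"control center", "protective relay", "voltage regulator",
                "transformer", "automatic circuit recloser"}
# Placeholder: substitute the countries DOE designates as foreign adversaries.
ADVERSARY_LIST = {"COUNTRY_A", "COUNTRY_B"}

@dataclass
class Supplier:
    name: str
    country: Optional[str]                     # None = origin not yet attested
    subsuppliers: List["Supplier"] = field(default_factory=list)

@dataclass
class Asset:
    asset_id: str
    category: str
    voltage_kv: float
    supplier: Supplier

def in_eo_scope(asset: Asset) -> bool:
    """EO scope: named bulk-power-system equipment operating at 69 kV or above."""
    return asset.category in EO_EQUIPMENT and asset.voltage_kv >= 69

def origin_findings(supplier: Supplier, tier: int = 1) -> List[Tuple[int, str, str]]:
    """Walk primary, secondary, tertiary... suppliers; report each problem tier."""
    findings = []
    if supplier.country is None:
        findings.append((tier, supplier.name, "unknown"))
    elif supplier.country in ADVERSARY_LIST:
        findings.append((tier, supplier.name, "prohibited"))
    for sub in supplier.subsuppliers:
        findings.extend(origin_findings(sub, tier + 1))
    return findings

def assess(asset: Asset) -> str:
    """Risk rank: prohibited > unknown origin > clear; out of scope if EO does not apply."""
    if not in_eo_scope(asset):
        return "out of scope"
    statuses = {status for _, _, status in origin_findings(asset.supplier)}
    if "prohibited" in statuses:
        return "prohibited"
    return "unknown origin" if "unknown" in statuses else "clear"

def inventory_report(assets: List[Asset]) -> dict:
    return {a.asset_id: assess(a) for a in assets}

# Constructed sample: a 230 kV transformer whose tier-2 chip supplier is listed,
# a 138 kV relay with no origin attestation, and a low-voltage meter outside scope.
CHIP = Supplier("chip vendor", "COUNTRY_A")
OEM = Supplier("transformer OEM", "COUNTRY_X", [CHIP])
SAMPLE = [Asset("T-1", "transformer", 230, OEM),
          Asset("R-7", "protective relay", 138, Supplier("relay OEM", None)),
          Asset("M-3", "smart meter", 0.24, Supplier("meter OEM", "COUNTRY_A"))]
```

Note that the transformer is flagged even though its OEM is not listed, because the check follows the chain down to the sub-supplier; an asset with an unattested tier is ranked above "clear" rather than silently passing.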

Size up the risks from external relationships

Establish policies, procedures, requirements, and governance on how the organization will identify, assess, monitor, and manage risks. Develop a risk-based, decision-making approach to profile and prioritize relationships.

You’ll likely have to educate and raise awareness within the risk, cyber, and IT functions in your organization. Only 17% of the 77 EU&M industry execs in our Digital Trust Insights study “strongly agree” that their cybersecurity team takes a risk-based approach — rather than a transactional approach — in securing their ecosystem. Only 19% of the 136 business and security execs prioritized strengthening third-party risk management as an area for significant transformation.

Prepare to vet your vendors

Consider engaging vendor certification services to identify existing relationships with any organizations that may not meet the task force’s criteria for permitted suppliers. Focus on specific locations and affirm that no existing assets are on the non-permitted list. The sites could then be monitored for prohibited transactions, an approach allowing for compliance without having to maintain a fully accurate inventory.

The EO is “a real wake-up call” for vendors. They’ll need to understand and fairly represent the country of origin of their products and components of those products. While they may not be directly regulated by the EO, they could be affected if they are listed as a prohibited vendor or are unable to effectively attest to the origin of their products. Vendors should expect increased auditing and certifications — scrutiny that’s faced by suppliers of military and defense equipment and services today. It would be good to get their house in order and establish their own third-party risk management program.

Formalize your relationship management system

Develop management activities and steps to manage each relationship, from request through termination. Establish a plan for integrating new requirements into existing contracts. For net new contracts, ensure enhanced contract language is integrated into all relevant future contracts.

Plan for termination and exit strategies to discontinue existing relationships that don’t pass the criteria or don’t get on the prequalified vendors list for future transactions. The EO refers to remediation activities such as isolation, monitoring or replacement. Rules and regulations will provide guidance when an existing component is prohibited.

Refocus on overall security

Supply chain security, while absolutely necessary, is only one aspect of securing the electric grid. Utilities should continue to manage the overall security of their operational systems to enhance grid reliability. A comprehensive program which encompasses all aspects of cybersecurity — from asset identification to vulnerability management and comprehensive monitoring — is fundamental to protecting this critical infrastructure.

Fund the improvements

While the EO doesn’t address the cost of replacing vulnerable systems, state utility commissions have generally been supportive of utilities recovering the costs incurred to improve the security of electric transmission and distribution systems. Also, FERC is considering implementation of a Cybersecurity Incentives Policy which will allow utilities to earn an increased return on equity for investments in cybersecurity improvements. However, to obtain recovery, utilities will have to demonstrate actual risk reduction.

Just as importantly, power and utilities companies should look for opportunities to fund improvements from cost savings in other areas through the consolidation of technology and processes, rationalization of tools, and security orchestration automation and response.

Contact us

Michael (Casey) A. Herman
Energy, Utilities & Mining Co-leader; US Power & Utilities Leader, PwC US

Brad Bauch
Principal, US Power and Utilities Cybersecurity and Privacy Leader, PwC US