

Cybersecurity and the Bulk Electric System – A New Approach May Be Needed

JC Culberson, Manager of Operations, Certrec Corporation

A proven industry leader in energy system operations, planning, compliance, and wholesale energy market structure, I have developed NERC compliance programs for entities ranging from ISO/RTO...

Dec 21, 2020

The recent cyberattack, believed to have been conducted by Russian threat actors, highlights the seemingly impossible task of guarding against adversaries with more resources to attack than we can deploy for defense. The SolarWinds attack proved to be far more sophisticated than anything we’ve experienced recently, possibly ever. The extent of the damage is yet to be seen; we don’t even know all the attack vectors yet. So how do we guard against a nation-sponsored threat with the limited resources at our disposal? The adversaries we’re contemplating are not the financially motivated hackers who use phishing attacks to gain personal information that they can then use to extract funds for themselves. These are highly trained experts focused on damaging public faith in governmental processes, attacking critical infrastructure assets, and generally sowing civil unrest in other nations. As a nation, we’ve been under this type of attack for years, but now our Bulk Electric System (BES) is potentially compromised. As a former intelligence operator, I can honestly state that this sort of patient, sophisticated attack bears the markings of the more advanced, ambitious group of hackers. The fact that this attack went virtually unnoticed for the better part of a year tells me the operation has likely yielded incredible results, and we will likely be dealing with the aftermath in the near future. In any intelligence-gathering operation, sources and methods are kept secret for as long as possible, offering perpetrators the sustained ability to continue operations. As of now, the methods have been discovered, and the sources are coming to light. SolarWinds was huge, but it is likely not the only compromised company. CISA is suggesting that there are other attack vectors that may not point back to SolarWinds, indicating there are likely other compromised entities.


So, what does this mean to us in the energy industry? It seems logical that any attacker who is intent on causing damage to our country would naturally target the BES. We all know what would happen in the event of a sustained, large-scale blackout: supply chains would collapse, our financial institutions would suffer greatly, and quality of life would change in a very short amount of time. It is literally the perfect target. Now, we do not know that this was the intention of this attack, but if these hackers can infiltrate the CIA, DOD, DOE, and countless Fortune 500 companies, it is certainly something that we need to discuss. NERC’s CIP standards go a long way toward correcting cyber and physical vulnerabilities of the BES by establishing standards and requirements geared toward protecting critical cyber systems and assets used to operate and secure BES facilities. In October, Reliability Standard CIP-013 was made mandatory, addressing supply chain vulnerabilities, which is thought to be how the SolarWinds attack was carried out. The truth is, though, we are in the business of producing, transmitting, and distributing energy, and may not always have the resources to match a state-sponsored cyber-criminal organization that is determined to infiltrate our systems. We take every precaution possible, but how do we know we are truly protected from such a well-resourced group of attackers? The answer is that we need help from those groups that deal with these threats every day. There must be better communication and cooperation between the entities that own and operate BES facilities and the governmental agencies that strive to protect our nation’s greatest assets. The BES was arguably one of the country’s most important achievements of the twentieth century, and today it supports nearly every aspect of our daily lives. We would literally suffer untold tragedy should the BES suffer a catastrophic failure.
We must, as a nation, commit the same resources to protecting the BES that we employ to protect international intelligence operations, the military, and all other critical infrastructure.


What happens next? The answer to that may not be dependent on us, as the attackers have some amount (it is yet unconfirmed how much they got away with) of information about a LOT of different critical, important industries. Since they hold the cards, we must anticipate what could come next and determine the likelihood of those actions. This is where we could really use some expertise that extends beyond the level that we, as an industry, currently possess. After a compromise, a good intelligence analyst identifies as many risk vectors as possible, while also analyzing the likelihood of those risks becoming reality, based on a number of dynamic details. This is where we need to coordinate with those entities that deal directly with these threats and attackers. The truth is, we are not equipped for that type of analysis, and it would help us develop contingencies in the event of a greater attack on the BES, one that could produce blackouts or damage equipment. The uncomfortable truth is this – we have to get it right every time an attacker attempts to compromise our systems; the attackers only have to get it right once. To be clear, I am not writing this as some sort of doomsday prophecy; I believe we can negotiate this new obstacle course of malicious cyberattacks, but we need to enlist all the resources we have at our disposal and even contact some resources that we may not be used to dealing with. Perhaps this is the time when we need to think beyond the confines of what we thought we were doing right, and take the steps to truly understand the cyberthreats we are facing and how to successfully protect the most reliable energy production, transmission, and delivery system in the world.

Mark Damm on Dec 22, 2020

"we have to get it right every time an attacker attempts to compromise our systems, the attackers only have to get it right once." 

Great point!

JC Culberson on Dec 22, 2020

Thanks! I think it’s too easy to be critical of a company when they’re attacked and the attack ends up being successful, as is the case with SolarWinds. The point is that we must not fall into that trap and find constructive ways to combat the threats, especially ones as sophisticated as this particular hack. Thanks again for the comment!
