Spies on the grid (updated)

The Wall Street Journal reports today that there have been a number of incidents in recent years that appear to be efforts by Chinese and Russian operatives to map out the U.S. power grid to find vulnerabilities.
This isn’t just turning off a few lights or a couple of power stations. It’s the threat of remotely manipulating the software used to manage the transmission and distribution systems, which is becoming increasingly digitized.
A spokeswoman for the Electric Reliability Council of Texas, which manages the power grid for about 80 percent of Texas, deferred comment to the The North American Electric Reliability Corporation, which was recently empowered to set standards and enforce electric grid reliability and security throughout the U.S., said in a statement today:

“Cyber security is an area of concern for the electric grid. Though we are not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of. NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyber threats. There is definitely more to be done, and we look forward to continuing our work with the electric industry and our partners in U.S. and Canadian government to improve reliability standards, ensure appropriate emergency authority is in place to address imminent and specific cyber security threats, and ultimately ensure a safe, secure, and reliable energy future for North America.”

Bob Kahn, CEO of the Electric Reliability Council of Texas, which manages the power grid for about 80 percent of Texas, said cyber security and critical infrastructure protection “are top priorities for the ERCOT ISO.”

“We are committed to keeping our control systems safe and secure by meeting or exceeding accepted industry security best practices. ERCOT does not publicly comment on how potential security issues discussed in the press may or may not affect the ERCOT ISO’s security. Obviously, this is a matter that all members of ERCOT and the electricity industry take very seriously. ERCOT ISO uses a defense-in-depth security model to protect and monitor our systems; we are constantly modifying and upgrading our protections as technology advances, business requirements change and new threats emerge.”

In a letter sent out just this week regarding a survey assessing systems vulnerable to cyber attack, NERC Chief Security Officer Michael Assante warns that some grid operators may not be addressing the threat properly and are relying on outdated ways of thinking about system vulnerabilities:

“The data submitted to us through the survey suggests entities may not have taken such a comprehensive approach in all cases, and instead relied on an “add in” approach, starting with an assumption that no assets are critical. A “rule out” approach (assuming every asset is a CA until demonstrated otherwise) may be better suited to this identification process.