Dive Brief:
- The U.S. Nuclear Regulatory Commission (NRC) is developing new guidance for how plant operators can comply with cybersecurity requirements, updating an eight-year-old document to reflect a new kind of threat faced by the nation's power sector, E&E News reports.
- A draft of the guidance recommends careful examination of peripheral devices as possible entry points for hackers, warning that these can be used "as staging points for collecting sensitive information."
- Cybersecurity has been a top concern in the utility sector for the last two years, though there have been no major intrusions or impacts on reliability. A warning from the Department of Homeland Security (DHS) last month, however, claimed Russian hackers have the "ability to throw switches" and cause potential blackouts.
Dive Insight:
There's a bit of a debate over how vulnerable the United States' electric grid is right now. DHS's report paints a precarious picture, but other experts say the agency's description of imminent danger is overwrought. No one disputes, however, that the threat is real.
What DHS described "is incredibly concerning but images of imminent blackouts are not representative of what happened," Robert Lee, CEO of cybersecurity firm Dragos, told Utility Dive in an emailed statement.
Hackers are likely gathering information and attempting to locate weaknesses, which makes the NRC's guidance update particularly on point. It's been eight years since the agency's cybersecurity rule was finalized, but when it comes to cyber threats it's like dog years, or maybe light years. Eight years is a long time on the internet.
The draft guidance warns that "often overlooked devices" such as scanners, copiers, and printers that are connected to critical digital assets (CDA) or operate on the same network as the CDAs should also be examined for multiple vulnerabilities.
"These overlooked devices often have functions, ports, protocols, and services that are unneeded and/or contain firmware that are not kept up-to-date and are vulnerable to compromise," the agency warns. "Once compromised, the attackers can use these devices as staging points for collecting sensitive information, to set up a persistent presence for later attacks against other CDAs, or to penetrate deeper into the defensive architecture."
NRC's draft also notes, "the final major element of maintaining an effective cybersecurity program is to conduct periodic security program reviews."
The North American Electric Reliability Corp. has been performing something of a biennial review with its GridEx event, a simulated attack that invites utilities and a wide range of other industry stakeholders to participate in an effort to boost coordination and run through response procedures.
Now, the Department of Energy is developing a test of its own, to gauge the grid's ability to recover from outages caused by cyberattacks. The exercise this fall on New York's Plum Island will focus on the intersection between the natural gas and electric utility sectors and the grid's ability to recover from a widespread outage.