2022 NERC report identifies 6 key cybersecurity challenges and how to address them

August 4, 2022
nerc north american electric reliability corporation

NERC’s 2022 State of Reliability report flags serious challenges to cybersecurity threat landscape in 2021

The NERC (North American Electric Reliability Corporation) released Wednesday its 2022 State of Reliability report, highlighting the interconnected system’s health and the effectiveness of reliability risk mitigation activities. Amongst the various findings, the NERC report said that the cybersecurity threat landscape presented serious obstacles to the electricity industry in 2021, primarily led by geopolitical events, new vulnerabilities, technological changes, and increasingly bold cyber criminals and hacktivists.

Based on data and information collected on grid performance last year, NERC identified six key findings and is taking action to address them. The report of NERC’s review of BES (bulk electric system) reliability is prepared to inform regulators, policymakers, and industry leaders of significant reliability risks and performance trends, actions being taken to address them, and the effectiveness of past actions.

Last November, the Federal Energy Regulatory Commission (FERC), NERC, and the affected Regional Entities issued a report confirming that the industry had not sufficiently implemented voluntary recommendations from similar events first identified in 2011. Based on these findings, the 2022 State of Reliability report considers the 28 recommendations from the FERC, NERC, and Regional Entity Staff Report, including several mandatory cold weather preparedness Reliability Standards.

The 2022 State of Reliability report said that throughout 2021, the North American electricity industry continued to weather cyber and physical attacks of varying degrees of sophistication and severity. “Although the reliability of the BES was maintained, nation-state adversaries and organized cyber criminals have demonstrated that they have the ability and willingness to disrupt critical infrastructure. Notably, cyber-attacks routinely targeted the digital supply chain. In addition, reports of suspicious cyber incidents (including vulnerability exposure, phishing, malware, denial of service, and other cyber-related reports) increased significantly. While 2021 saw a moderate increase in the overall number of physical security incidents, the most serious types of incidents declined,” it added.

The industry must continue integrating cyber and physical security considerations with conventional power system planning, operations, design, and restoration practices, according to the 2022 State of Reliability report. “The E-ISAC is contributing to these efforts with a two-pronged approach: active response to specific events and specialized trend analysis to suit the operational and information technology environments of member and partner organizations,” it added.

Directly addressing cyber and physical security issues, the NERC report said, “In 2021, NERC’s E-ISAC and the electricity industry faced a security threat landscape that was both unprecedented and relentless.” These threats cover supply chain, geopolitical threats, ransomware, domestic extremists, drones, and COVID-19. The E-ISAC provided its members and partners with the resources, insights, and leadership to safeguard their cyber and physical infrastructure.

Throughout 2021, the North American electricity industry weathered supply chain attacks, such as SolarWinds, Microsoft Exchange, Pulse Secure, and Kaseya. “While the reliability of the BPS remained intact, the sophistication and boldness of these attacks demonstrate that nation-state adversaries and organized cyber criminals with demonstrated capability have the ability and increasing willingness to disrupt critical infrastructure,” the report said.

In addition to the attacks on the supply chain, reports of suspicious cyber incidents including vulnerabilities, phishing, malware, denial of service, and other cyber-related reports increased significantly, the NERC report said. “Recognizing that proactive trend analysis and early warnings are essential to collective defense, the E-ISAC also developed resources throughout the year to help members and partners identify cyber trends and threats and began conducting threat hunts through available data sets, including the Cybersecurity Risk Information Sharing Program,” it added.

NERC’s 2022 State of Reliability report also said that throughout 2021, the E-ISAC observed potential threats to critical infrastructure across North America from sophisticated adversaries, such as China, Iran, North Korea, and Russia.

In 2021, the Biden administration launched a 100-day plan to safeguard U.S. critical infrastructure and improve the visibility of persistent and strategic threats to operational technology environments, according to the NERC report.

“In recognition of the importance of this effort, the E-ISAC leveraged its advanced analytical tools—including the Cybersecurity Risk Information Sharing Program and its access to Neighborhood Keeper—to support the 100-day plan by increasing the visibility on critical industrial control systems in the electricity industry,” the report said. “The E-ISAC also communicated the necessity of securing these systems to its members and partners, encouraging them to share what they detected on their own networks,” it added.

The NERC also reported that the escalation of cyberattacks perpetrated by ransomware-as-a-service (RaaS) gangs represented a significant threat to critical infrastructure in 2021. “Electricity utilities saw an increase of ransomware attacks on utility corporate systems. However, this did not lead to power outages even as the attacks grew in sophistication and boldness throughout the year,” it added.

The E-ISAC leveraged its cyber tools and partnerships to monitor ransomware attacks and to inform members and partners of specific threats to utilities, the 2022 State of Reliability report said. For instance, the E-ISAC released an all-points bulletin in December that offered an overview of utilities affected by Conti ransomware activity. In addition, working with the impacted utilities, the E-ISAC developed valuable data on the characteristics of ransomware attacks, such as that attacks predominantly occur on Friday evening or Saturday morning, it added.

Automated tools and systems that use digital information and microprocessor-driven devices to manage the electricity grid are increasing. New technology must be implemented in a reliable, timely, and secure manner. NERC’s BPS security and grid transformation department has engaged partners from the industry to address the implementation of new technologies and practices that leverage tools, such as cloud technology, DERs, DER aggregators, and zero-trust network architectures.

The 2022 State of Reliability report said that while the electricity industry experienced a moderate increase in the overall number of physical security incidents in 2021, the most severe incidents declined. However, the ongoing threat of domestic extremist groups to the electricity industry persisted, as did the use of unauthorized aircraft or drones.

The E-ISAC kept a close watch on the various activities of domestic extremist groups throughout 2021 and added to the knowledge base for members and partners to help them protect their infrastructure from damage. For example, the E-ISAC’s physical security analysts compiled and shared information on threats against the grid. Member and partner organizations also contributed to overall awareness with timely posts on the E-ISAC portal, reinforcing the value of bidirectional information sharing for both the E-ISAC and industry.

The use of unauthorized and unmanned aircraft, or drones, provided another potential security concern for critical infrastructures, such as power lines and power generation facilities, the 2022 State of Reliability report said. As a result, the E-ISAC kept members and partners apprised of unauthorized drone activity around critical infrastructure and offered guidance for mitigation.

The COVID-19 pandemic continued through 2021 as the extended remote operating environment presented an extra layer of cyber security concerns, the 2022 State of Reliability report said. “The E-ISAC innovated along with the rest of the industry to what has become a ‘new normal’ operating environment with additional virtual product offerings and flexibility in the remote work environment.”

To address these cybersecurity concerns, the 2022 State of Reliability report said that the industry is developing security-informed institutional practices that leverage security frameworks and activities to protect and secure the operational and organizational environment to mitigate and prepare for the security risks that threaten reliability. In addition, supply chain requirements and guidance are being drafted by NERC and the technical committees to reduce vulnerabilities and better protect industrial systems and infrastructure.