Thursday, January 9, 2020

Toward a New Risk-Informed Approach to Cyber Security

Share this article:

EPRI Guidelines Equip Electric Power Industry to Address Growing Risks and Vulnerabilities

A More Targeted Approach to Cyber Security

EPRI has developed step-by-step guidance for utilities to assess cyber security measures at power plants, informed by risk. The methodology enables users to allot more time and resources to protect the devices most critical to operations. “We made the business case for EPRI’s methodology with our senior management,” said Brad Yeates, Southern Nuclear’s manager of cyber security for Vogtle Units 3 and 4. “We concluded that this new approach was the most direct and cost-effective one.”

In a power plant, robust cyber security depends on safeguarding control system components. One critical component is a plant’s engineering workstation.

“It’s important to protect the engineering workstation because it’s connected to the programmable logic controllers in a power plant,” said EPRI Senior Technical Leader Jeremy Lawrence. “It’s a prime target. If attackers get into it and inject malware, they could potentially compromise critical plant control functions and shut down the plant.”

The traditional “defense-in-depth” approach to protecting digital plant control components from attackers involves layering various security measures—a complex undertaking. It’s challenging to quickly determine the optimal types and number of layers.

Bulk power system operators in North America must comply with the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Standards. The NERC standards, along with cyber security regulations from the National Institute of Standards and Technology and the U.S. Nuclear Regulatory Commission, are sometimes known as the committed catalog approach because they direct the implementation of a catalog of security measures for all components. While this approach provides a degree of security, power industry stakeholders are investigating the benefits of a more targeted approach—applying security measures to specific vulnerabilities in plant control systems.

“Standards and regulations have played an essential role in establishing a baseline of cyber security protections for the electric power industry—and in bringing stakeholders to the table to discuss how to secure critical assets,” said Lawrence. “Yet, compliance with standards and regulations doesn’t equal security. Power plant operators are raising the bar on cyber security to implement more sophisticated measures above and beyond the regulatory requirements.”

This is in line with growing cyber security risks. Last year, U.S. Department of Energy (DOE) Secretary Rick Perry told lawmakers that hundreds of thousands of cyber attacks on the American energy system take place each day. According to DOE’s Multiyear Plan for Energy Sector Cybersecurity, “The frequency, scale, and sophistication of cyber threats have increased, and attacks have become easier to launch. Nation-states, criminals, and terrorists regularly probe energy systems to exploit cyber vulnerabilities in order to compromise, disrupt, or destroy energy systems.”

“The threat only goes up,” said William Vesely, a project specialist in control systems engineering at Con Edison, the utility that serves New York City and Westchester County, New York. “Critical infrastructure in the power industry is a prime target, and staying ahead of the game is challenging and requires vigilance.”

Risk-Informed Cyber Security

In collaboration with utilities, control system manufacturers, policymakers, and regulators, EPRI is developing new cyber security approaches to protect critical power plant assets.

As part of this research, EPRI has developed an advanced risk-informed methodology for utilities to assess cyber security measures. This step-by-step approach involves considering potential security breaches, their likelihood, and the consequences (such as radiological release, outages, and reputation damage) and then prioritizing mitigations.

Security standards and tools typically focus on company-level risk and may apply the same controls to every component. EPRI’s risk-informed guidance advances the state of the art through a systems engineering approach that enables users to assess specific cyber security risks at the component, system, and company levels.

“Not all components are created equal or serve the same function,” said Lawrence. “A limitation of the typical approach is that it doesn’t always differentiate among components. With our methodology, power plant operators can assess specific vulnerabilities with individual components and identify the best controls to mitigate the threats. They can spend more time protecting the devices most critical to operations—and prioritize application of standards and regulations. Standards provide the ‘what,’ and EPRI’s methodology provides the ‘how.’”

Risk-Informed Approach in Action

The first step in EPRI’s methodology involves characterizing precisely the attack surface of each component in power plant control systems. An attack surface encompasses all the points at which a component can be attacked, including physical, network, and wireless access.

The next step: Identify the possible goals of an attack (such as stealing data or altering configuration files) and the possible exploit sequences (attack strategies), which vary depending on the goals and vulnerabilities.

With a comprehensive understanding of where, why, and how an attacker might strike, the plant operator can plan the most effective defenses.

The third step of the risk-informed approach is to assess each security measure’s ability to protect against, detect, respond to, and recover from the most likely attacks.

“There are lots of potential ways to mitigate each exploit sequence, and you want to apply the most effective combinations,” said Lawrence. “An engineering workstation may have anti-virus software already installed that can effectively detect malware and alert an operator of its presence. But it might not help much with response and recovery.”

A cumulative score is calculated for each security measure based on its effectiveness and ease of implementation. “The score tells you how well protected you are against each exploit sequence,” said Lawrence. “Whether that score is acceptable to a plant operator depends on the asset’s importance and the consequences of a successful attack. Staff at each plant must determine its acceptable risk threshold.”

The risk-informed approach provides a way to map security measures to regulatory requirements and to track compliance. While the path to achieving compliance varies depending on the regulatory body, regulators generally consider a risk-informed approach acceptable if it can be demonstrated to satisfy the regulations’ intent and objectives.

“The risk-informed approach can still meet regulatory requirements,” said Lawrence. “It’s a way to comply more efficiently and effectively.”

Risk-Informed Cyber Security at Vogtle

As part of the construction of its Plant Vogtle Units 3 and 4, Southern Nuclear adopted EPRI’s systems engineering approach to cyber security while complying with security regulations.

“We made the business case for EPRI’s methodology with our senior management,” said Brad Yeates, manager of cyber security for Vogtle Units 3 and 4. “We concluded that this new approach was the most direct and cost-effective one.”

Vogtle collaborated with EPRI to develop a risk-informed cyber security plan to help protect 16,000 digital plant components from attacks.

“We’re the first utility in the world to make a commitment to this approach to cyber security assessment and mitigation,” said Yeates. “We’re carving out a path for others to follow. Everybody that follows us is going to have a much easier time.”

Yeates worked with EPRI technical staff to develop the process to analyze the 16,000 digital assets, identifying approximately 400 distinct constituent components. “This is a manageable number of constituent elements that we can focus on during our initial technology assessment,” said Yeates. “Once these 400 are assessed, they become like a bag of LEGO® bricks that can be assembled into larger digital systems and subsystems, with appropriate tailoring to their operational configurations. The technology assessment includes analysis of 89 critical systems.”

In using EPRI’s risk-informed methodology, Yeates is assessing each asset’s vulnerabilities, informing the selection of the best available protections. Yeates expects Units 3 and 4 to finalize their cyber security program by early 2020 and their assessments by the end of 2020.

“We must have the cyber program up and running in order to receive fuel,” he said. “Once we receive fuel, the units will go through a thorough testing phase before commercial operation.”

In 2019, EPRI is collaborating with vendors, manufacturers, and utilities on studies that document the implementation of EPRI’s advanced risk-informed approach and its benefits. Based on the results, these stakeholders are expected to provide EPRI with feedback, informing improvements to the approach.

Con Edison’s Vesely would like to see the electric power industry adopt this type of risk-informed cyber security approach, viewing it as a significant improvement to current practices.

The challenge for power companies is to balance the benefits of new digital technologies with security. “I think EPRI’s risk-informed approach is going to be a milestone in that direction,” he said. “I expect international standards to draw heavily on the concepts underlying EPRI’s approach.”

“EPRI has incorporated more engineering into the assessment of cyber risks in the electric power sector,” said EPRI’s Lawrence. “Our guidance equips power plant operators with the in-depth understanding of vulnerabilities they need to pinpoint the best protections and keep their facilities secure.”

Key EPRI Technical Experts:

Jeremy Lawrence
For more information, contact

Artwork by David Foster Graphics