Attacks on our electrical grid aren’t just the stuff of doomsday movies and war games. Hackers dreaming of taking down our economy and national security know that few offensives could be more devastating than pulling our collective plug. And the grid’s risk factor just keeps climbing as the number of Internet of Things (IoT) devices in the grid keeps growing, presenting an ever-expanding selection of potential doorways.
To protect this centerpiece of national security, the power industry and the government are creating new teams and regulations to step up security. In December 2020, the Department of Energy announced the creation of a new subcommittee focused on grid security.
The North American Electric Reliability Corporation (NERC) implemented new standards on July 1, 2020, establishing revised guidelines for companies throughout the electrical system’s supply chain. NERC, in case you don’t recognize the acronym, is a non-profit regulatory authority that issues reliability standards to protect the bulk power system in the United States, Canada and part of Mexico. While you may not think of your company as part of the power supply industry, NERC’s guidelines may impact you more than you think. If your company provides parts, materials, or services anywhere in an energy company’s supply chain, NERC guidelines and other standards probably apply to you. Two recent developments may affect how you do business—and provide resources you need to improve security:
In 2020, President Trump issued an executive order for the bulk power system (BPS), which applies to any company or equipment that generates or distributes major power within the United States. That order restricted the use of foreign components in order to reduce the risk of “built-in” entry points. Think of it as an “offensive” order. On the “defensive” side, NERC CIP-013 standard focuses on the supply chain risk within the BPS' electric components (known as the BES). The goal is to reduce overall risk in the supply chain and NERC has provided a document that describes how CIP-013-1 should be implemented.
The NERC update defines affected companies (“responsible entities”) as those with medium to high risk, according to the CIP-002-5 categorization process. The key takeaway is that NERC guidelines affect companies well beyond those that actually supply energy. If you have contracts anywhere within the energy supply chain, renewing them may depend on your compliance with CIP-013. Energy companies will be enforcing the standards on all of their suppliers because NERC slaps a “high risk” label on any energy company with 10-15% of their BES assets failing to meet the requirements.
In late 2020, NERC also announced the expansion of CRISP, which is dedicated to sharing data on system traffic and cyber threats among energy sector stakeholders. CRISP, which started in 2014, is a voluntary program managed by a division of NERC: The Electricity Information Sharing and Analysis Center (E-ISAC). This expansion is a massive step in the cybersecurity/energy intersection as CRISP is now partnering with the U.S. Department of Energy to grow awareness of grid safety in the coming years.
CRISP’s partnership with DOE aims to use operational technology to identify potential threats to the grid. Two newly announced pilot steps will use sensor systems already installed across the United States to recognize any risks. DOE will use operational and information technology data to identify patterns and understand the grid state and then share that with CRISP participants.
The CRISP expansion closes the information-sharing gap between private companies and federal US intelligence. Participating companies will use information gained from the program to better defend the grid against hackers. Membership is free, and members receive insightful resources, like reports of cyberattacks or guidance on the latest CIP updates.
Although the core concept behind NERC has a strong bipartisan history, a new presidential administration could obviously create changes. Some observers believe that while the Trump administration focused on targeting foreign countries with aggressive orders, such as limiting foreign components for the BPS, Biden’s team may issue more system regulations like CIP-013, especially in the private sector.
For help understanding exactly how the current regulatory environment affects your business and how you can comply efficiently, contact a Pratum advisor.
Internet of Things (IoT) devices get a lot of press, as you’d expect from a category planning to put about 41 billion devices in play within the next few years. For most of us, the face of IoT is consumer devices such as Internet-enabled smartwatches, security systems, doorbells, fridges, etc. But the smart power grid may present IoT’s most game-changing application—and industry regulators are scrambling to keep up.
As our blog post on “The Security Challenges of IoT” describes, the things that make IoT devices effective (they’re highly connected, inexpensive and pervasive) frequently make them a security problem. To recap, IoT includes anything that collects, processes, and shares data via the Internet. Innovations such as RFID tags, expanded broadband access and cheap, low-power processors have all led to a mindset that “anything that can be connected will be connected.” The wide rollout of 5G will only accelerate the trend.
America’s electrical system has raced into this space. Utilities companies are the world’s largest users of IoT devices, thanks largely to smart electrical meters attached to homes. That’s bad news for the world’s remaining meter readers, but a boon for companies and consumers wanting constant, instant information about power usage. Gartner estimates that utility companies have 1.37 billion IoT devices in service right now, well ahead of the second-place physical security industry’s total of 1.09 billion devices.
Further up the electrical supply chain, IoT is proving just as valuable. With data constantly flowing in from every corner of the industry generating and transmitting electricity, a smart grid will:
For one example of IoT’s potential, consider how a smart grid can mitigate the impact of a power outage. IoT devices can detect the source of the outage, isolate the problem and reroute power to places with the greatest need, such as hospitals or telephone lines. Massive amounts of real-time data will also carry advantages such as making it easier to store and transport renewable energy, decreasing our carbon footprint and reliance on fossil fuels.
Of course, the good guys aren’t the only ones who can take advantage of an electrical grid connected to everything. In the pre-IoT world, compromising the grid required physical access. To hack anything, you would need to physically access a power plant, substation or transformer to plug into the controlling systems. If you simply wanted to wreak some old-school havoc, you just needed to get close enough to destroy a transformer or other equipment. From an information security standpoint, most of the grid was effectively air-gapped and isolated from the next component in the process.
Billions of new IoT devices, however, create a seemingly infinite attack surface. Any IoT device can become an entry point a hacker uses to pivot into a larger system. And with most IoT devices carrying notoriously weak, outdated security measures, that’s a legitimate everyday threat.
The smart grid creates issues in the following areas:
1. Access Points – IoT devices create millions of doorways that hackers could use to, at least in theory, access the entire U.S. grid.
2. Trust – The companies and products used throughout the grid will need to prove their dependability and certify that they are as secure as they say.
3. Communication – Internet communications within the grid must be protected from interception.
4. Privacy – Regulations must control how companies and the government use the vast amounts of information collected through IoT devices.
With an industry moving as fast as IoT, the industry and government are forever playing catch-up with regulations that keep America’s grid secure. In part 2 of this blog series, you can read about the latest regulatory guidelines issued to protect the grid.
The new regulations are significant enough that some of Pratum’s clients are restructuring their operations specifically to better manage new compliance factors. For example, one electrical company that manufactures electrical relay products decided to spin off the relay operations into a standalone company so that the larger company wouldn’t have to manage extensive new rules affecting that category.
The best way to understand your exposure and legal obligations in this space is to bring in a security consultant to evaluate your specific situation. Pratum’s risk assessment, penetration testing and vulnerability scanning services identify exactly what openings may exist in your systems. Our consultants also specialize in helping companies understand how government standards apply to them and prepare their compliance strategy. Many of our clients have learned that taking a leadership position in cybersecurity gives them a competitive advantage.
Large customers (including the government itself) increasingly award contracts to companies who can prove their cybersecurity strategy is up to date right now. Contact Pratum for help in understanding the rapidly evolving world of electrical IoT and planning your next steps.
For a preview of future privacy law in the United States, keep a close eye on The Golden State. On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. When the CCPA passed, industry observers considered it a landmark piece of consumer privacy rights legislation, as it requires certain businesses to disclose whatever personal data they have about a consumer whenever that person requests it.
California voters raised the stakes in November 2020 by passing the California Privacy Rights Acts (CPRA), which extends the CCPA’s scope and gives it new enforcement bite. Under CPRA, which takes effect January 1, 2023, the newly created California Privacy Protection Agency (CalPPA) can enforce the CCPA through steps such as auditing businesses’ privacy practices and ordering regular risk assessments as deemed necessary. (Click here for a deep dive into all of the CPRA’s implications.)
So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills. California’s pioneering laws will certainly help shape what other states do. (Click here for a quick reference to where privacy legislation stands in each state.)
Plus, some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just those living in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers.
While much remains unclear about the California law’s exact impact on business, it does set certain rights in place for consumers’ data:
While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply.
These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe.
The GDPR is also designed to make following regulations easier to comply with for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.
We may see this sort of universal legislation in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation.
This possibility of federal privacy laws resembling the CCPA or GDRP is growing. Several senators have worked together to propose bills like the SAFE DATA act, which place stricter limitations on algorithmic decision-making, biometric data, and data minimization.
The move toward federal legislation has been reassuring to some businesses already following CCPA. The concern is that each state will enact their own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, it’s worth noting that even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.
As with any significant change, there are concerns over the stricter privacy laws. One case out of Germany shows why they may be justified. An Amazon Alexa user requested all of his audio files the device had picked up. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.
That’s just one example of how requesting a legitimate customer’s private data could also be acquired by the wrong person. However, even when businesses try to avoid this sort of mistake, the possibility of critical information getting into the hands of a criminal is there. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.
A New York Times article outlines a recent situation in which a business trying to comply with CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of customers’ smiling.In short, the business wanted more private data to release the customer’s private data. It appears to be a cybersecurity cycle that organizations are still trying to figure out.
With so much new legislation, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers. (For an overview of how privacy laws impact businesses and compare to overall security, click here.)
Even if you’re not interested in giving your business a boost with proactive privacy, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.
Here are a few steps your business should be taking now to get ready:
1. Designate a privacy officer, someone in charge of organizing the process to become compliant.
2. Be externally compliant. Update your privacy notice on your company website.
3. Think about data inventory. Know where information is located within your system.
4. Figure out how you will be able to obtain and report customer information when requested.
5. Decide on a verification process to ensure the data your giving out is to the correct person.
Figuring this all out may not be easy, but getting to work on it early could save you a lot of issues and headaches later. Regardless of whether it’s CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive.
If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, Pratum representatives work with national and international businesses every day. A Pratum cybersecurity expert would be happy to help guide you through the privacy legislation process. For assistance, please contact us today.Editor's Note: This post was originally published in January 2020 and has been updated to reflect new legal developments.