Drones: Potential Threat Vectors in the Power Industry
Recently I had a conversation with NERC regarding drones as a threat vector in the power industry. Having determined that there is not a particular CIP requirement that covers drones, good or bad, I was directed to look more closely at CIP-014, as NERC and regional auditors are starting to address drones in their audits of this requirement.
For those of you not familiar with CIP-014, its stated purpose is “to identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading within an interconnection.” Keep in mind that you should read this with a very interpretive mindset. This requirement is not limited to threats that will cause problems; it covers threats that could cause problems.
Responsibilities as a Transmission Owner
The first thing you are required to do as a transmission owner is to perform an initial risk assessment of your transmission stations and transmission substations. These two facility types are defined as those currently existing as well as those that will be in service within 2 years (24 months). When you plan the analyses, they need to be designed so that they identify the transmission station(s) and transmission substation(s) that, if rendered inoperable or damaged, could (not would) result in instability, uncontrolled separation, or cascading within an interconnection.
Verifying Risk Assessments
NERC wants you, as a transmission owner, to have an unaffiliated third party verify the risk assessment performed under Requirement R1. The verification may occur concurrent with or after the risk assessment performed under Requirement R1. NERC is very specific in the standard about who can perform this verification. As a transmission owner, you must select an unaffiliated verifying entity (not a division, sister company, etc.) that is either a registered Planning Coordinator, Transmission Planner or Reliability Coordinator, or an entity that has transmission planning or analysis experience. If you don’t use a NERC-registered Planning Coordinator, Transmission Planner or Reliability Coordinator, be prepared to provide evidence to the auditor(s) proving that the unaffiliated entity has transmission planning or analysis experience. In this case, a Letter of Attestation (LOA) will not be sufficient evidence. You will need to document that experience along with the names of the entity’s staff who performed the analysis.
Once you have chosen your unaffiliated third party, you will need to make sure that its verification confirms that your risk assessment was performed properly according to Requirement R1; the verification may include recommendations for the addition or deletion of transmission station(s) or transmission substation(s). As the transmission owner, you must also make sure that the verification is completed within 90 calendar days following the completion of the risk assessment.
As the transmission owner, you will now need to implement procedures, such as the use of nondisclosure agreements (NDAs), for protecting sensitive or confidential information made available to your unaffiliated third party verifier, and to protect or exempt sensitive or confidential information developed pursuant to CIP-014 from public disclosure. As an auditor, I would use this section to question how you shared information and/or data with the unaffiliated third party verifier. Remember that when performing the task(s) required under CIP-014, you still have to adhere to the other CIP requirements. In this case, all data, in motion and at rest, must be protected. An NDA does little, if anything, to technically protect data; therefore be prepared to demonstrate how you used encrypted flash drives, tunneled VPNs, etc. to communicate and transfer/transmit data.
NOTE: If you use encrypted flash drives that rely on software-based encryption rather than a firmware-based solution, be prepared to prove to the auditor that you subjected them to security testing such as penetration tests, “hack-attacks”, etc. and that they successfully withstood all attacks.
Physical Security Programs
As a transmission owner, you will need to:
- Ensure your physical security program has resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4.
- Have law enforcement contact and coordination information.
- Have a timeline for executing the physical security enhancements and modifications specified in the physical security plan.
- Include provisions to evaluate evolving physical threats, and their corresponding security measures, to the transmission station(s), transmission substation(s), or primary control center(s).
Your law enforcement contact information can’t list the police contact number as 911. You must also prove to the auditor(s) that you have a coordination program with law enforcement in place by listing what the coordination consists of, who the contact(s) are and how the program works, as well as any training that has been given.
NOTE: A security program is not one or two pieces of paper with some writing on them. A security program is a well thought out program that includes, among other things, a training and evaluation segment, emergency procedures, response guidelines, property movement, gate control, etc.
Reviewing Security Programs
Now that you have your physical security program in place and you are satisfied with it, you are required to have an unaffiliated third party, just like before, review the security plan(s) developed under Requirement R5. The review may occur concurrently with or after completion of the evaluation performed under Requirement R4 and the security plan development under Requirement R5.
The selected unaffiliated third party reviewer must be one of the following:
- An entity or organization with electric industry physical security experience whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification
- An entity or organization approved by the ERO
- A governmental agency with physical security expertise, or an entity or organization with demonstrated law enforcement, government, or military physical security expertise
Now that we have reviewed CIP-014 thoroughly and everyone has a good understanding of what they need to do, let me show you how drones are a threat to the power industry.
Security Issues Drones Present to Facilities
In my conversation with NERC, it was agreed that a drone flying over a transmission station or a transmission substation is not in itself a threat, because the data it could record can be gathered from Google Earth and other readily available sources. A drone flying over a transmission station or transmission substation becomes a physical threat if it is used to crash into an element of the station or substation, resulting in damage and thus an interruption of service. Another scenario is a drone carrying an IED or chemical that is used to render the station or substation inoperable.
Another threat vector is a person walking through restricted areas within a building while a drone they carry is accidentally or even deliberately recording everything it passes. An example is a drone that has been hacked by an unknown actor sitting in the parking lot, who activates the recording device(s) on the drone. They could transmit all the data back to their location and be gone before anyone knew the drone was recording and transmitting information.
During your audit, you will need to be prepared to discuss how you handle these issues and more. To learn more about drones and how they can be used against your facilities, feel free to contact Doble Engineering.