Grid Security News is a curated summary of recent key stories related to the Electric Grid, produced weekly by Protect Our Power ( Headlines appear in the first section, followed by complete summaries.

For your email security, we no longer provide embedded hyperlinks in our feed. Instead, we provide unembedded links that you may copy and paste into your browser to view the entire article. We instituted this change to ensure your cyber safety. We hope this causes no inconvenience, but in today's environment, we must all be vigilant.

Note: Email on MacOS (AppleMail, iPhones) will probably reinsert the hyperlink. Only click on hyperlinks from trusted sources!

For daily updates, follow us on Twitter: @gridprotection 

To subscribe to Grid Security News:


Utility Dive: FERC expands cybersecurity supply chain standards to low-impact assets

EE Power: White House Pushes for More Grid Cybersecurity

Government Technology: The Threats to and Importance of Our Electrical Grid

Utility Dive: Extreme weather events are expanding — the US power grid is not

Washington Post/Cybersecurity 202: U.S. government provides cyber budget specifics

SC Media: Critical infrastructure cyber requirements pushed by presidential council

Tom Alrich's Blog: What would you like to do with/to the NVD?


Utility Dive: FERC expands cybersecurity supply chain standards to low-impact assets

“To not protect these [bulk electric system] assets against one of the most frequent attack scenarios — supply chain — would be a big mistake,” Willie Phillips, FERC acting chairman, said.

The Federal Energy Regulatory Commission Thursday approved a new cybersecurity standard extending supply chain risk management requirements to “low-impact” bulk electric system cyber systems.

A coordinated attack on multiple low-impact assets with remote electronic access connectivity could have an interconnection-wide effect on the bulk power system, according to a 2019 supply chain risk assessment by the North American Electric Reliability Corp., FERC said in its decision.

“The vast majority of [bulk electric system] assets today are considered low-impact and that number is only expected to grow,” FERC Acting Chairman Willie Phillips said in a statement. “To not protect these [bulk electric system] assets against one of the most frequent attack scenarios — supply chain — would be a big mistake.”

The standard requires owners, operators and users of the bulk power system to include the topic of “vendor electronic remote access security controls” in their cybersecurity policies. The standard also requires that they can disable vendor electronic remote access and can detect malicious communications through a vendor’s remote access.

As part of its cybersecurity standards, NERC requires “responsible entities” to characterize their assets, such as control centers, power plants and transmission facilities, as being of high-, medium- and low-impact.

The standard takes effect April 1, 2026.

The three-year delay in the start date reflects “consideration that there are a large number of low impact [bulk electric system] cyber systems and that responsible entities need time to procure and install equipment that may be subject to delays given high demand,” FERC said.

FERC and NERC have been tackling supply chain risks since 2016, Phillips said during the agency’s monthly meeting Thursday.

“This order is the latest product of our joint cybersecurity efforts with NERC and stakeholders in support of the reliable operation of the bulk power system,” he said. “We must continue to focus on cybersecurity, physical security, extreme weather events, and the rapidly changing resource mix.”

(March 16)

EE Power: White House Pushes for More Grid Cybersecurity

Through its new “National Cybersecurity Strategy,” the White House lays out its priorities for securing the country’s critical infrastructure. 

Amid increasing attacks on critical domestic infrastructure, the White House recently unveiled a “National Cybersecurity Strategy” to beef up the United States’ defense against cyberattacks and other emerging threats. The strategy comes as the federal government works with private companies and state/local, tribal, and territorial governments to build a connected network of electric vehicle chargers, alternative fueling infrastructure, and electric transit fleets. 


While the new plan aims to close cybersecurity gaps across several areas of the American defense landscape, its fourth pillar explicitly focuses on securing the power grid throughout the ongoing transition to renewable energy resources. 

The energy transition brings new threats and opportunities as a fresh generation of interconnected hardware and software systems comes online. With cybersecurity defenses built in from conception, these new systems could strengthen grid resilience. In its 35-page National Cybersecurity Strategy document, the Biden administration cited examples of distributed energy resourcessmart energy generationstorage devices, advanced grid management platforms running on cloud software, and transmission and distribution networks built for high-capacity controllable loads—all far more advanced and automated than incumbent technologies. 


Engineering New Tech With Built-in Cybersecurity Measures

As the federal government invests billions of dollars into the energy transition via grants and tax incentives, the Biden administration wants to implement a congressionally-directed “Cyber-Informed Engineering Strategy” (or CIE) to get ahead of the latest threats before and while utility-connected devices are deployed at mainstream scale. 

The DOE first unveiled the CIE program in June 2022 as an emerging framework to integrate cybersecurity considerations into designing, developing, and operating any physical system that connects, monitors, or controls energy infrastructure digitally. As the DOE puts it, the goal is to “engineer out” cyber risks in new devices/systems across the development cycle, starting in the early design phases. Part of that effort involves working with universities to teach engineering students to factor security solutions into critical infrastructure technologies. 

(March 13)

Government Technology: The Threats to and Importance of Our Electrical Grid

My boss asked me to write up something about the importance of our electrical grid and how there are multiple vulnerabilities to its functioning. I’m doing a “twofer” and sharing it with you below.

Importance and Vulnerability of Our Electrical Grid

The provision of electrical energy is likely the most important critical infrastructure here in the 21st century. Everything and everyone — individuals, governments, businesses — require the support of a robust electrical grid that is functioning 24/7/365 year after year. Electricity reliability is a huge factor in our ability to function as a society.

The electrical grid is a complex network of providers and systems. There are energy generators, transmission of that energy and finally, a more complex distribution system of that energy to homes and buildings. When any portion of that system fails, the entire enterprise becomes nonfunctional.

We are seeing increasing pressures put upon our electrical grid. These pressures come from many different factors. One key measure is the impacts of climate change. This comes in the form of a higher frequency of severe weather events that either damage or destroy electrical components, or as we have seen in recent years, increasing drought and heat events. One challenges the ability to generate electrical power and the other places extreme peak demands during heat emergencies.

Alternatively, we are experiencing a huge growth in the demand for electrical power as the nation moves away from fossil fuels and adopts an “electricity first” choice for energy. It appears that at this point in time, the posture and readiness of all aspects of our electrical grid are not prepared to meet an imminent need for even more power due to the increasing electrification of our energy needs.

All of this needs to be taken into context that besides the above pressures, we have the threat of human-made hazards. One being the potential for physical attacks on the transmission and distribution portions of the grid that have played out in recent unsophisticated, but still destructive, attacks on substations. We live in an open society and attacks on components of the electrical grid are not only possible, but probable.

(March 14)

Utility Dive: Extreme weather events are expanding — the US power grid is not

FERC, governors, state regulators and utilities should focus their efforts on interregional transmission development by encouraging investments that will yield significant long-term benefits.

A Michigan utility recently pledged to strengthen its grid after an ice storm shut off the lights for hundreds of thousands in a days-long outage. In late 2022, grid operators in the Mid-Atlantic and South asked residents to conserve power, and some even conducted rolling blackouts because of the harsh weather. And, perhaps most egregious of all, a deadly winter storm wreaked absolute havoc on the Texas power grid in February 2021.

It’s undeniable: extreme weather is increasing in frequency and intensity, and the U.S. power grid remains ill-equipped to handle it.

Extreme weather — hot and cold — has tested every source of electricity generation the last several years, leading to unexpected plant outages. But there was a lesson to learn during Winter Storm Uri: grid operators with strong connections to neighboring regions were able to keep their lights on, and Texas, with its isolated grid, could not provide heat or electricity for millions over a days-long outage.

Why? States in the Great Plains and Midwest imported power from unaffected regions through interregional transmission lines, while the Texas grid operator was forced to institute rolling blackouts across its system. During the storm, the grid operators in those regions were able to import more than 15 times as much electricity as the Texas grid operator.

This helped keep the lights on for thousands of homes and delivered significant cost savings for electricity customers in those states. The Lone Star State could have saved nearly $1 billion and powered 200,000 homes with just one additional gigawatt of transmission capacity between Texas and the Southeast, according to an analysis we produced with Grid Strategies. Moreover, consumers in the Great Plains and Gulf Coast each could have saved roughly $100 million for each additional GW of transmission ties.

Additional transmission capacity would have also protected consumers from rolling blackouts and surging power prices during the recent Winter Storm Elliott, allowing regions to import and export more power as the storm traveled across the country. Recent research found expanding interregional transmission capacity by a GW between various pairs of systems could have delivered anywhere from $6 million to $95 million in benefits.

(March 16)

Washington Post/Cybersecurity 202: U.S. government provides cyber budget specifics

The Biden administration is asking for $26.2 billion from Congress in cyber funding in fiscal 2024, according to documents the administration released Monday.

That’s a big increase from the past, and the development came on the same day an FBI report attracted attention for saying it had seen a large increase in cybercrime losses reported to the bureau in the past year.

The budget documents released Monday give a better collective sense of the Biden administration’s cyber budget proposal than the initial batch of documents last week and provide more details on specific agency cyber budget requests.

And the FBI’s report on cybercrime gave a partial picture of how what cybercrime is costing Americans amid the push for more resources to combat it and other cyber malfeasance.

The budget figures

The budget request for all civilian federal agencies — those outside the Defense Department — totaled $12.7 billion, the administration said. That’s a 13 percent increase above the amount Congress gave civilian agencies in fiscal 2023, according to one budget document.

The funding will pay for improving cybersecurity at federal agencies, among other tasks, the document states.

“Agencies are implementing higher levels of encryption, using the best methods in the industry to verify legitimate users, and utilizing toolsets that create constant vigilance within Federal systems,” it reads. “These efforts to adopt technologies and practices that enhance cybersecurity defenses and ensuring the human capital to maintain these endeavors will and must continue.”

A budget document for the Justice Department points to the need to protect its systems.

“Several highly publicized breaches of systems and data, including a cyber incident involving one of the FBI’s own systems as recently as February 2023, have exposed cybersecurity vulnerabilities in government networks and information systems,” it states.

(March 14)

SC Media: Critical infrastructure cyber requirements pushed by presidential council

CyberScoop reports that mounting cybersecurity threats against critical infrastructure entities have prompted the National Infrastructure Advisory Council to advance mandatory cybersecurity standards not only for the organizations but also for tech vendors providing their systems.

"For example, it is not effective to place cybersecurity compliance standards on providers of critical infrastructure without applying the same standards up the chain to those who provide operating systems providers depend upon," said the NIAC in a report, which also noted that industry input should accompany the development of standards.

Aside from recommending standards consolidation within the federal government, the report has also pushed for stronger information sharing across industries and improved analysis of critical infrastructure supply chain vulnerabilities.

Possible intersectoral collaborations have also been explored by NIAC, noting that the oil and natural gas and electric sectors could perform joint cyber exercises similar to the GridEx grid security exercise that involves a simulation of a major North American electric grid attack.

(March 15)

Tom Alrich's Blog: What would you like to do with/to the NVD?

Almost anybody who has been involved with software vulnerabilities in any way (even hackers!) has a love/hate relationship with the National Vulnerability Database (NVD). On the plus side, it’s by far the largest and best-supported vulnerability database in the world. But on the minus side, there are many problems that make it hard to use the NVD, and in many cases make it impossible to find vulnerability information which almost certainly is in the database somewhere or other.

A little less than a year ago, I convened an informal group of “SBOM industry” leaders to discuss why it is that SBOMs are grossly underperforming, at least when it comes to distribution to and use by organizations whose primary business isn’t software development.[i] The goal of the group was not just to discuss those issues, but to figure out how they can be addressed, and do what we can to set them on the road to being resolved. We call ourselves the SBOM Forum, and we meet weekly on Zoom.

We decided that, while there are a lot of issues that are inhibiting SBOM distribution and use, we would focus on the show-stopper issues; I personally think there are no more than three or four of these. We didn’t have a formal discussion of which issue we would address first, but within two meetings we had found it: the naming problem.

However, even we weren’t stupid enough to try to take on the entire naming problem, which has many aspects and is found to some degree in every software or vulnerability database in the world. We focused right away on the Big Daddy of vulnerability databases, which was the one we all had experience with. The NVD uses “CPE names” to identify products, and those are the source of a lot of problems; we described those problems in pages 4-6 of the proposal we published on the OWASP site last September. Our proposal described how to fix (or at least greatly remediate) the problems with CPE, although this required involvement of a few other federal government and private sector organizations.

That proposal was meant to address the bulk of the naming problems in the NVD, and we’re hoping it can be completely implemented in 2-3 years (which of course is close to light speed when you’re dealing with the federal government). The appropriate agencies in the federal government started considering our proposal, and we were fairly sure it was on the road to implementation in our time frame.

After publishing our proposal, we had discussions on other topics and were settling in on VEX as our next topic. In my opinion, VEX and the naming problem are the two biggest show-stopper problems preventing SBOMs from being distributed and used by non-developers.

However, recently we became aware of a reason why implementation of our proposal might be delayed significantly longer than three years. We had a meeting to discuss this problem. While we received some assurances then that our immediate fears might be overblown, we ended up having a more wide-ranging discussion of the NVD, at which other issues came up. At the end of that hour-long meeting, we decided we wanted to focus on the NVD itself next, and not limit ourselves to discussing just the naming problem within the NVD.

We have representatives of some very big software and intelligent device suppliers in the SBOM Forum (as well as a number of smaller tool vendors and a few consulting firms. We only have a few end user organizations and we’d like to have more), who were surprised to hear what was said about some NVD problems that have nothing to do with naming. They wanted to hear about all the problems the other members of our group had run into.

Even more importantly, we started to have a discussion about what the NVD could be if it were allowed to move out of the narrow box it finds itself in now. For example, given that people all over the world use the NVD, yet the entire physical infrastructure is housed in the US, what might happen if the NVD could place infrastructure (perhaps through content delivery networks) on other continents – while at the same time getting support from private and public sector organizations on those other continents?

Note that I don’t for a minute blame any individuals, or even government agencies, for the NVD’s problems. Any organization that’s grown very rapidly, yet has to fulfill the obligations of being a government-controlled entity, will probably find itself in a similar box sooner or later. In fact, there’s a great example of a similar organization that was incubated in the NTIA, the same federal agency that “incubated” the Software Component Transparency Initiative, also known as “Allan’s Army”. That organization found itself in an overly box much quicker than the NVD has, and now it’s a very effective private sector organization, that gets some help from governments.

Has anyone heard of DNS? Let me put that another way: Is there anyone who uses DNS fewer than perhaps 5,000 times a day (almost always without even thinking about it, of course)? Our lives would be very different if, instead of being able to find any web site we want through a single DNS query, we had to first obtain from the operators of the site (perhaps by calling them – do you remember phone calls?) their 31-hex character IPv6 address, then enter it by hand in our browser. And woe betide you if you got one of those characters wrong; you’d have to re-enter it until you did it perfectly.

Without going into a lot of detail, the NTIA saved you from that fate by picking up an idea developed by an academic named Paul Mockapetris and turning it into a real service. In fact, NTIA itself was the first domain name registrar. But, as you can imagine, business grew very rapidly, and since the NTIA (and the federal government in general) doesn’t want to go into business doing something the private sector could probably do better and certainly less expensively, they looked for a private sector organization to take over this role.

The NTIA first made a false start when they chose a network consulting firm to handle domain registrations. After a couple years of performing well, they one day decided it would be a great idea to email organizations that requested domain names to see if they’d like some of their other services; that email set off a firestorm, and the NTIA looked for a different organization to take over domain registrations. Finally, they turned the business over to the Internet Assigned Numbers Authority (IANA), which remains in charge of assigning domain names to this day.[ii]

Our group is now in the process of enumerating both problems with the NVD as it exists today and opportunities it could have in the future, whether or not it remains a part of the US government and whether or not it retains the NVD name. We have some ideas already, but we’re looking for others. If you have anything you would like to contribute to this discussion, either with a comment or by suggesting a text edit or addition, please go here. You can contribute either using your email address or anonymously. We would prefer the former, but we want most to hear what you have to say, no matter how you say it.

Once we have our list of problems and opportunities together, we’ll make that publicly available. We’ll also start discussing how those problems and opportunities can be addressed, both in the short term and the long term. You’ll be welcome to participate in that as well.

(March 17)

Jim Gold | Operations Director

O: 212.235.0251 M: 347.968.2912 @gridprotection