IEEE Power & Energy Magazine - September/October 2016 - 51

schemes and potentially impact system reliability and reduce
the overall security program's effectiveness.
How realistic is an electric grid cyberincident scenario?
In a recent Associated Press article published 1 March 2016,
Duke Energy CEO Lynn Good discussed just how real this
threat is and was quoted as saying, "If I were to share with
you the number of attacks that come into the Duke network
every day, you would be astounded, and it's not from people
working out of their garage; it's from nation-states that are
trying to penetrate [Duke] systems."
In fact, there have been almost 800 total ICS cyberincidents globally that have been documented since the 1980s.
More than 250 of these cyberattacks occurred in 2013 with
over 50% of them within the North American electric industry, double the number of incidents in 2012 according to a
Reuters 2014 article. It is believed that reported numbers
understate the actual cyberattack attempts and cyberincidents, due primarily to inconsistent and voluntary ICS
cyberincident tracking and reporting. In addition, because
many of these incidents were not categorized as cyber
related, they were never publicized in the public domain.
The grid as we know it today is subject to natural disasters such as earthquakes, floods, and major storms that cause
outages of seconds, hours or even several weeks, as was the
case with Hurricane Sandy. Accordingly, if the worst cyberincident caused only a two-week outage, then nothing would
seem to be too concerning. What would be concerning, however, is an event causing a much longer service disruption,
requiring greater efforts to repair, with potentially farther-reaching impacts. It has been demonstrated in some cyberincidents that ICSs and other smart devices including protective
relays can be remotely manipulated to cause physical destruction of critical equipment. One example of this scenario is
the well-documented Stuxnet intrusion in Iran. This cyberintrusion resulted in a nuclear centrifuge incident whereby
computer systems, software, and PLCs were infiltrated and
subsequently manipulated to cause damage to the fast-spinning centrifuges by changing centrifuge operating conditions,
essentially tearing the equipment apart. Another example is
the Aurora vulnerability demonstrated at the Idaho National
Laboratory in 2007, where substation circuit breakers were
manipulated to create out-of-phase synchronization of the
generator to the grid resulting in serious equipment damage
as the generator experienced large induced forces damaging
the generator internals. These examples, along with others
highlighted in this article, demonstrate that vulnerabilities in
control systems can be exploited to potentially inflict physical damage. Consequently, enterprise risk management in the
utility sector should now put greater focus on the material
risk of damage to long-lead capital equipment whose damage
could result in broad electrical outages of extended duration.
Electric grid operational cyberattack scenarios are not
entirely new for the electric utility industry. Awareness has
increased since the 2003 U.S. Northeast blackout where
50 million customers within eight U.S. states and one Canadian province experienced electrical outages for up to four
days, with an estimated total cost between US$4 billion and
US$10 billion, as detailed in the "U.S.-Canada Power System Outage Task Force Report." The blackout was initiated as
foliage contacted a power line, along with a software bug in
the energy management system (EMS) that caused a failure of
the alarm system. The lack of alarms left operators unaware
of the need to redistribute power, and cascading events further
distressed the electric grid, causing multiple outages across the
system as more than 100 power plants shut down. The lesson
learned, in part, was that the interconnected electric systems
that were viewed as highly reliable and protected were actually and unexpectedly vulnerable. Of significant note, the
U.S.-Canada Power System Outage Task Force studying the
2003 blackout determined that approximately 25% of the recommendations in the "Final Report on the August 14, 2003
Blackout in the United States and Canada: Causes and Recommendations" were cyber related.
As a result of that blackout and the subsequent Energy
Policy Act of 2005, the Federal Energy Regulatory Commission (FERC) tasked the North American Electric
Reliability Corporation (NERC) to develop cybersecurity requirements for the bulk electric system (BES). The
requirements are known as the critical infrastructure protection (CIP) standards that apply to both physical and
cyberprotection. These current standards provide a layer
of protection for the BES by creating a common industry
platform of rules with respect to security management (both
physical and cyber), documentation of processes and procedures, as well as the development of recovery plans for
critical cyberassets that must follow established business
continuity and disaster recovery techniques and practices.
However, the CIP standards provide only a small step in
what should be a more comprehensive enterprise-wide protection plan that should include all essential assets. Essential assets should be determined by performing a detailed
risk/impact analysis of the enterprise's entire equipment
inventory to quantify and prioritize asset criticality according to company risk policy. The evaluations require assessment and quantification of key asset attributes such as cost
of replacement, risk of consequential damage, criticality to
business continuity and safety of operations.

Cybersecurity Case Studies
The following ICS cyber case studies represent recent cyber
impacts to the electric grid.

Arizona Public Service Outage (2007)
An outage occurred in the Tempe, Arizona, area in June 2007
that lasted 46 min and affected nearly 100,000 customers and
400 MW of load. The outage was caused by the unexplained
activation of the Salt River Project's distribution load shedding program within its SCADA/EMS. The cause of the
outage was an unauthorized modification to the SCADA
software introduced by an employee of the software vendor.