Local US governments are in a tough spot. Shrinking revenues, chronic underspending on cybersecurity, reduced staffing, and outdated legacy systems that have not kept pace with technology make a threat landscape already under siege even worse. Attackers, including nation-states, are dedicating tremendous resources to learning how critical infrastructure systems and networks operate and to finding weaknesses they can exploit. For example, last year, a cyberattack against a Florida water treatment facility came close to poisoning the water supply of nearly two million people.
Three forces are converging on infrastructure to elevate local government risk:
- Cybersecurity preparedness is now a credit risk factor impacting infrastructure bond ratings.
- Utility regulators are targeting security standards encompassing the entire electrical grid, from distributed energy generation and renewables to battery storage.
- The digitalization and decentralization of the modern grid are creating an increase in network-connected equipment (IIoT), exposing utilities to a broad range of potential security threats.
Non-traditional technology elevates OT security risk
A key challenge in energy, utility and other OT environments is the introduction of digital technology that has typically been found in IT and is now converging on OT. IP-enabled edge sensors, monitoring systems, big data analytics, artificial intelligence, and cloud-based computing are connecting utilities’ OT and IT. OT prioritizes availability over confidentiality, while IT prioritizes confidentiality over availability. These differing priorities make it hard for IT and OT teams to communicate, and they mean that grid connectivity and grid data are exposed to risk in ways neither side fully anticipates.
Consider solar power generation. There are 491 cooperatives in 43 US states generating electricity from solar. For example, Green Power EMC Co-op produces 150.7 MW, enough electricity for over 28,000 homes in Tucker, Georgia. Underpinning this capability are the utility-scale batteries needed for solar integration: they absorb excess solar generation when demand is low and discharge it later when demand is high. Containerized batteries, or charging stations, are predominantly co-located where solar generation occurs and connected to the utility’s Supervisory Control and Data Acquisition (SCADA) system. Not only does the SCADA system control devices throughout the solar generation plant, but SCADA also communicates with the utility’s central command center.
SCADA connectivity with the solar plant may involve wireless communication, and if not properly secured, cyber attackers can access the utility’s control command center and wreak havoc. Consider a situation where manipulated readings of Voltage, MW/AMPS, or Load Flow/Direction cause the control room operator to take incorrect action and potentially take the utility offline. Or where an attacker infiltrates a utility and takes substations offline. Far-fetched? Russia has a history of power grid attacks, including a 2022 attempt to take out Ukraine’s high-voltage substations using Industroyer2 malware, which communicates with industrial equipment, including protection relays used in electrical substations. The current Industroyer2 variant is a fully modular platform with payloads for multiple Industrial Control System (ICS) protocols.
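The manipulated-reading scenario above is one a control room can defend against with plausibility checks applied to telemetry before it reaches the operator display. The following is an added example, not code from the article or from any utility's SCADA product: it checks each scan cycle against engineering limits, against the largest credible change since the previous scan, and against the three-phase power relationship P = √3 · V · I · pf, so that a voltage, MW or amperage point rewritten in isolation stops agreeing with the others. All limits, tag names and scan values are constructed for a hypothetical 34.5 kV solar feeder; a real deployment would take them from the plant's equipment ratings and protection settings.

```python
"""Plausibility checks on SCADA telemetry (added example; all values constructed)."""
import math

# Engineering limits (constructed): values outside these cannot be physical.
RANGE = {
    "bus_kv":    (31.0, 37.0),    # 34.5 kV bus, roughly +/-7 %
    "feeder_mw": (-10.0, 155.0),  # negative = storage charging from the grid
    "feeder_a":  (0.0, 2800.0),
}
# Largest credible change per second (constructed). A genuine trip leaves a
# trace in other points; a value overwritten between two scans does not.
MAX_STEP_PER_S = {"bus_kv": 1.0, "feeder_mw": 20.0, "feeder_a": 400.0}
POWER_FACTOR = 0.98   # assumed plant power factor
TOLERANCE = 0.15      # >15 % disagreement between MW and V*I is treated as suspect


def expected_mw(kv, amps, pf=POWER_FACTOR):
    """Three-phase real power: P[MW] = sqrt(3) * V[kV] * I[kA] * pf."""
    return math.sqrt(3) * kv * (amps / 1000.0) * pf


def power_inconsistent(scan):
    """True when the reported MW disagrees with what V and I imply."""
    est = expected_mw(scan["bus_kv"], scan["feeder_a"])
    return abs(est - scan["feeder_mw"]) > TOLERANCE * max(abs(est), 1.0)


def audit(scans):
    """Return (ts, kind, tag) alerts over consecutive scan cycles."""
    alerts = []
    prev = None
    for scan in sorted(scans, key=lambda s: s["ts"]):
        for tag, (lo, hi) in RANGE.items():
            value = scan[tag]
            if not lo <= value <= hi:
                alerts.append((scan["ts"], "range", tag))
            if prev is not None:
                dt = max(scan["ts"] - prev["ts"], 1)
                if abs(value - prev[tag]) / dt > MAX_STEP_PER_S[tag]:
                    alerts.append((scan["ts"], "rate", tag))
        # Cross-check: a single rewritten point no longer agrees with the
        # others even when it still sits inside its own allowed range.
        if power_inconsistent(scan):
            alerts.append((scan["ts"], "inconsistent", "feeder_mw"))
        prev = scan
    return alerts


# Constructed scan cycles, one per second, for a feeder carrying ~140 MW.
NORMAL = [
    {"ts": 0, "bus_kv": 34.5, "feeder_mw": 140.0, "feeder_a": 2400.0},
    {"ts": 1, "bus_kv": 34.6, "feeder_mw": 141.0, "feeder_a": 2410.0},
    {"ts": 2, "bus_kv": 34.5, "feeder_mw": 139.5, "feeder_a": 2390.0},
]
# Only the MW point is rewritten; voltage and current still imply ~140 MW.
MW_REWRITTEN = NORMAL[:2] + [
    {"ts": 2, "bus_kv": 34.5, "feeder_mw": 80.0, "feeder_a": 2400.0},
]
# All three points rewritten consistently with each other, but beyond what
# the bus can carry: the cross-check passes, the range and rate checks do not.
CONSISTENT_BUT_IMPOSSIBLE = NORMAL[:1] + [
    {"ts": 1, "bus_kv": 45.0, "feeder_mw": 183.0, "feeder_a": 2400.0},
]

if __name__ == "__main__":
    for name, scans in [("normal", NORMAL), ("mw_rewritten", MW_REWRITTEN),
                        ("consistent_but_impossible", CONSISTENT_BUT_IMPOSSIBLE)]:
        print(name, audit(scans))
```

The third scenario is the reason to run all three checks rather than any one of them: a falsified set of readings can be made internally consistent, and a falsified single point can stay inside its range, but it is much harder to satisfy range, rate and the physical relationship between points at the same time. In practice these alerts would be raised to the operator alongside the reading, not used to silently discard it.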
Solar plants are often located in remote areas where physical intrusion is difficult to detect or physical access has not been secured. An attacker could break into a remote site and access vulnerable devices communicating with the control command center. Edge devices, such as those found enabling solar energy or other monitoring devices, serve as network entry or exit points. Many utilities are challenged to secure these devices for various reasons – budgets, lack of device insight, insufficient skills or knowledge, not enough people dedicated to fixing vulnerabilities found, etc.
The North American Electric Reliability Corporation (NERC) provides cybersecurity compliance oversight of approximately 1,900 bulk electric power system operators and owners, such as electrical generation resources, transmission lines, and interconnections with neighboring systems. NERC has the authority to exact punitive monetary fines for violations. For example, in 2019, NERC fined a public utility $10 million for non-compliance with security standards. NERC oversight applies to NERC Registered Entities, which are required by law to register with NERC and comply with NERC Critical Infrastructure Protection (CIP) standards. NERC CIP applies to some smaller electric generation facilities, such as Southwestern Electric Cooperative, servicing 23,000 customers in the Greenville, Illinois area. However, Montana’s Flathead Electric Cooperative does not fall under NERC oversight.
Cooperatives, in general, are more at risk from cyberattacks than larger utilities because of resource constraints and a lack of cybersecurity defenses. For cooperatives under NERC oversight, this also means that they are more susceptible to NERC fines involving violations for non-compliance with CIP standards. Nearly all cooperatives, even if they are not Registered Entities, receive service from the nation’s interconnected electrical system and thus have an interest in its reliability.
Outside of generation and transmission systems, which are NERC-regulated, distribution is generally regulated by the states. While NERC CIP is exacting in compliance and carries monetary fines for non-compliance, the picture is different for distribution facilities under state-level oversight. Even fuzzier is compliance for distributed energy providers such as solar energy, battery storage facilities, and other distributed energy resources (collectively, “DER”). That may change as the US transitions to a digitally interconnected power grid. DER coupled with energy storage provides resilience benefits, including emergency power during grid outages. It is not unreasonable to expect that DER will eventually be held to NERC-like standards.
Bond market emphasis on cybersecurity
Long-term debt, with maturities of 10 and often 30 to 40 years, is commonly used to finance large capital projects such as expanding or modernizing water and wastewater treatment plants, electrical power generation infrastructure, and buildings. Generally, the more creditworthy a municipality is, the lower the interest it must pay on a bond to attract investors. The reverse is also true: lower creditworthiness results in higher interest payments to offset the greater credit risk assumed by investors.
Cybersecurity preparedness is now a credit risk factor impacting bond ratings. This year (2022), bond rating agency S&P added cybersecurity to the risk factors it uses in determining credit scores and indicated it would use the NIST Cybersecurity Framework for evaluations. Rating agencies Moody’s and Fitch also evaluate enterprises for cyber risk.
Bond rating agencies assess credit risks for debt financing and assign bond ratings. The higher the rating grade (AAA, AA, and so on), the lower the interest rate and the lower the risk to investors. Consider the impact of downgrading an AAA credit rating to AA due to weakness in cybersecurity. The spread between these two ratings on a 30-year bond can cost a local government millions in additional interest payments.
With bond ratings impacting debt payments, local government leadership – finance directors, city managers and elected officials – have a vested interest in the cybersecurity resilience of their utilities, water & wastewater treatment plants, emergency response infrastructure and other critical services. Moreover, unplanned, un-budgeted major expenditures such as recovery costs from a cyberattack can also significantly impact credit ratings and future bond issuance.
Because attackers have the means and the time to exploit the vulnerabilities they find, cybersecurity gaps in local government infrastructure have far-reaching consequences. When vulnerabilities are exploited, there is invariably financial fallout: remediation costs and the cost of restoring operations, and, more significantly, the consequences if bond rating agencies view the event as a material deficiency and lower their judgment of the local government’s creditworthiness.
Notwithstanding the political ramifications, the taxpayer is left with the bill. We recommend that every local government, and particularly its critical infrastructure segments, establish a baseline security understanding of all network vulnerabilities. Most local governments do not have a complete picture of their security. If cyber vulnerabilities are not identified, one cannot expect to defend against them effectively. Local governments that don’t assess their security weaknesses regularly are the most vulnerable.
About the Author
Mr. Mayger provides cyber security advisory services at Concord. His cybersecurity background includes Chief Information Security Officer (CISO) for global mining company Sibelco and providing cyber security services to upstream oil/gas customers. In addition to his BS in Mechanical Engineering, Mr. Mayger also holds a Master of Business Administration (MBA) from the University of Texas. His Information Security background includes designations as Certified Information Security Professional (CISSP), Certified SCADA Security Architect (CSSA), and Payment Card Industry Professional (PCIP). Mr. Mayger can be contacted at [email protected].
Concord solves the most challenging problems industry-leading companies face today through data modernization, cloud migration, digital transformation, and product engineering. https://concordusa.com/
I’d like to thank the following people for their support in reviewing and editing this article: Mark Prentice, PSC NA Principal Consultant; John Camilleri, PSC NA Operational Technologies General Manager; Rick Hudella, PSC Operational Technologies Director; Anil Jampala, PSC Operational Technologies Senior Director
America’s Electric Cooperatives, https://www.electric.coop/wp-content/Renewables/solar.html