From: Deepak Maragal
Sent: Thursday, April 29, 2021 1:40 AM
To: ElectricSystemEO
Subject: [EXTERNAL] Response to "RFI on Ensuring the Continued Security of the United States Critical Electric Infrastructure"

1. What technical assistance would States, Indian Tribes, or units of local government need to enhance their security efforts relative to the electric system?

While cyber security can be addressed in many spheres, the best-known documents putting all these together are the Purdue model and the MITRE ATT&CK framework for ICS: https://collaborate.mitre.org/attackics/index.php/Main_Page

The existing NERC-CIP regulations address & ensure cyber security in several domains, but these regulations are primarily applicable to the bulk-power system. They do not apply to lower voltages, where there exist risks of wider coordinated attacks. Further, several smaller electric utilities lack the resources (manpower & equipment) to address cyber security at mid-to-lower voltage levels and IPP generators.

While it is not feasible to ask every utility/electric system to comply with existing NERC-CIP requirements, Government (FERC) can improve the regulations:

• FERC to issue an order clearly identifying the set of critical electric equipment at different voltage levels that would be of cyber risk, so that there is a uniform & clear perception by all. Ex: microprocessor protection relays, RTUs, operation control centers with PCs/servers...
• Require all utilities (at all voltage levels) to mitigate the risk either by implementing cyber controls or eliminating them:
  o Implementing controls as mentioned in NERC-CIP guidelines
  o Eliminating the risks can be done by disconnecting the specific devices at risk from all possible threats, except during troubleshooting by secure one-to-one access. Regulations to also clearly indicate "How To".
• The current regulations stop at being only performance requirements. What is needed to ensure better implementation of cyber security is further development of regulations to indicate the acceptable technology options & alternatives in each sector. This will immensely help all end-users to implement the requirements very clearly and also OEMs to develop the required solutions.

2. What specific additional actions could be taken by regulators to address the security of critical electric infrastructure and the incorporation of criteria for evaluating foreign ownership, control, and influence into supply chain risk management, and how can the Department of Energy best inform those actions?

While foreign ownership is definitely of concern, it is not easy for an adversary to hack through different layers of security, if built in, just by supply-chain compromise of one component. The risks can exist even with domestically owned equipment, as the software/firmware can be compromised, as with the recent intrusion involving DoD...

• What is needed in regulation is clear definition & direction to everyone on network architecture & controls, to ensure that even a compromised system can have only a limited, isolated attack and to prevent a wider attack on connected systems.
• Physical isolation/segregation of critical networks, systems, and confidential data is a MUST at all voltage levels to prevent a wide-scale coordinated attack.
• Off-premise cloud technologies to be completely avoided for critical systems. If one moves everything to the cloud and implements all cyber security monitoring and controls, any vulnerability/compromise can expose a lot more: control systems, confidential data... This is where the current regulations & controls severely lack direction, especially when larger OEM firms are forcing everything to cloud technology, providing no alternate viable options.
• Diversity of manufacturers for critical systems should be mandated at all levels to avoid a single point of failure / compromise / vulnerability.

3. What actions can the Department take to facilitate responsible and effective procurement practices by the private sector? What are the potential costs and benefits of those actions?

• Procurement of critical systems can be vetted through government labs that have far more sophistication to understand the risks & ensure these systems do not have vulnerabilities of any nature.
• Subject matter experts from industry & utilities, OEMs, and government (& labs) can work on a framework to develop such a vetting process, based on technological possibilities, that end-users can directly adopt. It is not all that effective to put all the burden on end-users to figure out & protect. Cyber security needs a coordinated effort from OEMs, end-users, and regulators.

4. Are there particular criteria the Department could issue to inform utility procurement policies, state requirements, or FERC mandatory reliability standards to mitigate foreign ownership, control, and influence risks?

• Compromise/intrusion from sophisticated foreign entities with malicious intent is a major risk. Generally, these entities have far more sophistication than normal people. A supply-chain-related cyber attack is one way for a sophisticated actor to penetrate. There exist far bigger threats of cyber security intrusion from these sophisticated entities than just procurement-related ones. It is best that the government take a holistic approach in addressing cyber security, keeping in regard the possible attack vectors, and not merely emphasize procurement-related issues, which need to be addressed as well as part of a holistic approach.

I hope the government takes into consideration "What is possible to attack & at risk" vs "What is Ideal/Theoretical" and takes the most practical approach, with actual possibility as opposed to hypothesis. Otherwise, complexity gets blown up 100X, leading to overregulation with no value & only burden.

I could be available for discussing sector-specific & domain-specific risks in the utility sector which have direct bearing on the way the utilities are set up & operate.

Respectfully,

Deepak Maragal, PhD, PE
President & CEO
Eureka Power Solutions, LLC
29 Rugby Rd, Yonkers, NY, 10710
C: 908-202-9656 | Deepak.Maragal@PowerEureka.com
www.PowerEureka.com