News

As Yogi Berra used to say: “It ain’t over till it’s over.” Coal plant operators shutting down their plants should remember this phrase. Even after they throw the breakers, go off the grid, are no longer contributing to the bulk power system, and begin to take apart their plant, operators still have cyber protection obligations under the North American Electric Reliability Corporation (NERC) Reliability Standards and state and federal data security laws.

Cyber Risk

More than a decade ago, before the NERC Reliability Standards were approved, one large generator in the Northwest got into trouble when it sold 230 hard drives to a salvage company. The salvage company turned around and sold a third of the drives on eBay. One of the purchasers was a university IT director, who was able to recover grid diagrams; confidential law department data concerning lawsuits, contracts and transactions; and employee information, including Social Security numbers.

The Reliability Standards have made this kind of potential cyber catastrophe very rare. A review of NERC’s enforcement records discloses temporary loss of control of only single pieces of equipment with cyber information still intact. Still, all it takes is one error. As one of the NERC regional entities stated in an enforcement proceeding, “Failure to establish controls to dispose of Cyber Assets could allow malicious access to sensitive information related to cyber security or reliability. Such information could then be used to get access to Critical Cyber Assets essential to the operation of BPS [the bulk power system] and potentially disrupt the operation of the BPS.”

Operational Assets and Shutdown

NERC regulation of cyber assets extends beyond the time the plant is providing power to the grid. Utilities decommissioning cyber assets must “take action to prevent the unauthorized retrieval of [bulk electric system] Cyber System Information from Cyber Asset data storage media” prior to disposal or redeployment (CIP-011-2). That is, any electronic storage media (e.g., hard drives, random access memory (RAM) or read-only memory (ROM), optical storage, flash drives, or backup tapes) must be properly sanitized.

The NERC obligations extend beyond addressing the decommissioned device. Operators must also ensure that holes are not opened up in the cyber systems that remain and that documentation is appropria...