Making Cyber Security Mandatory

The newly approved NERC CIP standards covering cyber security in the electric power industry may be controversial, but there are big fines for lack of compliance. 
During a New Orleans cyber security conference last January, a Central Intelligence Agency (CIA) analyst revealed that cyber attacks on utilities have caused at least one power outage affecting multiple cities outside the United States. At another security confab two months ago in San Francisco, a security consultant declared that it took his team less than a day to hack into the control network of a utility company that had hired the team to do penetration testing.

There’s no doubt that cyber security is more on the minds of the nation’s electric utility owners and operators these days—if not because of these reports, then certainly because of a new set of federal standards that recently took effect covering cyber security in the power industry. “The consequences for not being compliant with these standards are pretty severe—with penalties up to a million dollars a day. So there’s a pretty big stick out there,” observes Tom Flowers, manager, control systems division, for CenterPoint Energy Inc., an electric transmission and distribution utility that serves the Houston metropolitan area.

No choice

Flowers’ reference is to the Critical Infrastructure Protection (CIP) reliability standards, which became mandatory and enforceable in April, following approval early this year by the Federal Energy Regulatory Commission (FERC). Previously voluntary, the CIP standards were developed by the North American Electric Reliability Corp. (NERC) to protect the nation’s bulk power system against potential disruptions from cyber security breaches. In line with the U.S. Energy Policy Act of 2005, FERC designated NERC as the electric reliability organization (ERO), charged with enforcement of the standards.

The multi-year NERC CIP implementation schedule requires that most responsible entities be “auditably compliant” by the end of the second quarter of 2010, or by Dec. 31, 2010, depending on the responsible entity’s classification. But because the standards require a full 12 calendar months of auditable data and documentation at the time of auditable compliance, most utilities must achieve compliance in 2009. For some utilities, this timing could be tight, say industry sources.

While other U.S. “critical infrastructure” industry segments are coming under increasing federal pressure to improve their cyber security, initiatives aimed at the power industry are in some ways the furthest advanced. “If you look at the chemical and the water industries now, they have standards, but the fines and fees are not really declared, the timetables are kind of loose, and there’s not as much teeth to them as you see on the electric energy side,” observes Jonathan Pollet, Houston-based vice president of North American operations for Industrial Defender Inc., an industrial cyber security services and consulting firm based in Mansfield, Mass.

Still, the NERC CIP standards have been criticized for being too ambiguous, providing too little guidance, and leaving too many loopholes for utilities that wish to skirt the rules. And some contend that even total compliance with the standards will do little to actually improve a utility’s cyber security.

“If you go read the [CIP] document, you see that it’s mostly about procedure. It just says that if you go off and enumerate all this stuff and document it, then you’ve done your due diligence. There’s nothing prescriptive that tells people how to do things,” says Bryan Singer, vice president of professional services at Wurldtech Security Technologies Inc., a Vancouver, British Columbia, Canada, provider of industrial cyber security solutions. “It’s a great first step; don’t get me wrong,” adds Singer. “It creates awareness, and it gets people looking at cyber security as an issue. But it doesn’t do anything to actually improve security, especially from a technical perspective.”

Paper pushing

One of the most outspoken critics of the CIP standards is Joe Weiss, an electric industry cyber security consultant and managing partner at Applied Control Solutions LLC, in Cupertino, Calif. Weiss agrees that the CIP standards are inadequate to ensure the cyber security of the North American electric power grid, making compliance nothing more than a “paperwork exercise,” he says. But perhaps the biggest shortfall, according to Weiss and others who find fault with the standards, is that the determination of which assets are “critical”—and therefore must be protected—is left up to asset owners themselves. This allows too much wiggle room, critics believe.

There are eight CIP standards—CIP-002 through CIP-009. The first standard, CIP-002, requires asset owners and operators to use a “risk-based assessment” methodology to identify and document which assets are critical to reliable operation of the bulk electric system. Asset owners then must identify network-computing control system components that are associated with those critical assets. These become “critical cyber ...
