Securing The U.S. Power Grid From Cyber Attack

The North American Electric Reliability Council oversees the reliability and security of the U.S. electric power grid. Some think its NERC/CIP standards do not go far enough to protect control systems at power generating plants. You decide.
In addition to ensuring continuing manufacturing and production, the electric power grid performs a key role in helping developed countries maintain the standard of living their citizens enjoy. The U.S. terrorist events of Sept. 11, 2001, followed by the massive Northeast United States blackout in 2003, raised the U.S. government’s awareness of the critical nature—and the vulnerability—of the grid. Eventually responsibility for the grid was vested in the North American Electric Reliability Corp. (NERC). Its stated mission is to ensure the reliability of the North American bulk power system. The series of rules and recommendations NERC is creating affects every power generating plant in the U.S., and is influencing industrial network security initiatives in all industries. But its decisions are not without controversy.

NERC is the electric reliability organization (ERO) certified by the Federal Energy Regulatory Commission (FERC) to establish and enforce reliability standards for the bulk-power system. NERC develops and enforces reliability standards; assesses adequacy annually via a 10-year forecast, and summer and winter forecasts; monitors the bulk power system; and educates, trains and certifies industry personnel.

One problem cited by many is that this organization is composed largely of the companies that it regulates. This leads to charges that it will incorporate change slowly or try to define regulations in such a way that they don’t apply to the companies. Other charges are that those in charge do not realize the critical role played by control assets such as distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), control networks and other devices.

NERC is charged with developing standards for compliance. Over the past eight years or so, it has developed a set of standards relative to this discussion dubbed Critical Infrastructure Protection or CIP. The set of standards is often referred to as NERC/CIP. The crux of the work thus far has been to define what is a “critical infrastructure.”

One problem with a standard is whether adherence to it will solve the problem—or create others. Rick Kaun, head of Matrikon’s Industrial Security and Compliance group, now part of Honeywell Process Solutions, the Phoenix-based automation systems supplier, nails the situation: “Will everyone focus on compliance and lose focus that this is supposed to give better security? Many feel it’s less secure to be compliant. But according to the standard now, if you’re doing something more stringent, then you have to continue. So, if you slip internally but still are doing more than the standard, you’d be out of compliance.”

A timeline of the development of the standard is provided in the accompanying sidebar. Following the events of 9/11, heightened awareness of the possibility of terrorist attack on U.S. critical infrastructure led to NERC issuing Urgent Advisory 1200. This was followed by UA 1300 and then CIP standards 002 through 009.

Andrew Ginter, chief security officer for security firm Abterra in Calgary, Canada (he also writes the Findings from the Field blog at www.findingsfromthefield.com), provides insight into development of the standards. “NERC version 1 was approved and immediately panned due to perceived weaknesses in wording. A NERC manager wrote a memo saying that large numbers of entities reported they had almost no critical assets, and that can’t be right. Subsequent big changes have had to do with firming language, especially over just what critical assets are. They now have a bright-line rule that sets firm criteria for saying your asset is in or out of coverage by the standard. But criticism continues in a different direction. Instead of allowing companies to define their critical assets, they have set a bar that many say is too high, such that it excludes too many assets. Implementation is being delayed while FERC evaluates it.”

Who is affected?

Kaun, writing on his “Insecurity” blog (insecurity.matrikon.com), says, “If you have been following the events around CIP versions 1, 2, 3 and the proposed version 4, you are certainly aware that v4 is an attempt to remove the subjective component of CIP 002 and replace it with ‘bright-line criteria,’ which is intended to clarify which components of the grid need to be considered high impact. To date, NERC has submitted v4 to FERC and the general consensus has been that FERC was going to approve the version in Q1 or Q2 of this year and then the fun would begin as newly identified facilities would need to come up to speed on complying with NERC CIP 003-009.

“Well, I have recently discovered a potential diversion from ...
