Cyber war, cyber terror and cyber crime are just as real as combat fought around the world, and extremely destructive. They target all manner of operations and, by design, cannot be detected until they’ve already done their damage.
Though nobody is immune to such attacks, particularly target-rich environments include government bodies and critical power industries such as bulk electricity supply (BES). Hackers and defenders clash just outside of, at or inside an organization’s electronic security perimeter (ESP).
To counter threats, a bulk electricity solution—North American Electric Reliability Corp.’s (NERC) Critical Infrastructure Protection (CIP) standards regarding BES cybersecurity—was launched in January 2008 through Federal Energy Regulatory Commission (FERC) oversight. NERC’s CIP Version 3 suite comprises the currently effective reliability standards. Version 4 has been proposed, as has Version 5. But the former heads to the scrap heap without ever having been formally approved because NERC plans to accept its successor before Version 4’s scheduled effective date.
NERC-CIP Version 5 differs vastly from previous versions, according to Nina Vajda, Rockwell Automation’s Cleveland-based global manager, networks and security services. Differences include compliance requirements around encryption, role-based assets, levels of compliance and new terminology. V.5 also adds new cybersecurity controls and extends the reliability standards to more systems or assets.
And though it is not called an asset management tool, which it is, NERC-CIP also has hair-pulling deficiencies: uncertainty and ambiguity. FERC is concerned those could raise enforceability questions. Industry and its observers concur.
Subjective, ambiguous madness
Version 5, while a giant step in the right direction, might not have been enough. “They needed to take a giant leap,” Vajda contends. Industry now screams for a defined control set with very specific requirements that don’t permit subjective and ambiguous interpretations, she says.
“It’s not specific enough,” adds Andrew Ginter, vice president, industrial security, for Waterfall Security Solutions in Calgary, Alberta.
Eric Byres shares their frustration. “I’ve never seen such a moving target, where no one knows what version or standards they’re supposed to comply with,” says the chief technology officer and vice president of engineering for Tofino Security in Lantzville, B.C. Asking exactly what’s expected and what’s the most current version are fair questions with any standard or rule—especially since CIP daily fines could be up to $1 million.
CIP uncertainty is also top of mind for Tom Alrich, considered a NERC-CIP expert. In late September he posted to his blog, “I have come to realize that the biggest problem in the NERC-CIP universe now is the fact that there has been so much uncertainty for so long about the next CIP version.”
But who knows when or if that uncertainty will vanish? To Alrich, it seems that even with FERC’s approval of Version 5, the commission still will order NERC to come back with a compliance filing to address problems to be found in V.5. That filing would be the new CIP Version 6. And just as V.5 could soon do to its predecessor, V.6’s implementation would terminate V.5.
Compliance or security?
Regardless of those regulatory mechanics, NERC says proposed V.5 is a significant improvement because of 10 new or modified reliability standards. One requires identification of BES cyber systems’ assets that must be protected. Another requires owners/operators to categorize all cyber systems affecting BES as low, medium or high impact. That’s a departure from V.4’s bright-line approach that identifies only critical assets. Yet another is proposed Reliability Standard CIP-005-5, Requirement R1. It focuses on discrete electronic access points rather than the logical perimeter, which is the focus of currently effective CIP-005-3.
In proposed Version 5, NERC also included CIP-010-1, a new standard consolidating configuration change management- and vulnerability assessment-related requirements. “This is the first time,” Vajda says, emphasizing that compliance with any regulation addresses only part of the security equation. “Just because you check the boxes [on the NERC forms] doesn’t mean you’ve achieved a secure environment.” She emphasizes that organizations must ask, “What else is in my environment that is not covered in a compliance framework that I need to be worried about?” For example, is it a mobile-media flash drive that CIP doesn’t cover?
While Versions 1-4 were check-the-boxes compliance, V.5 is cybersecurity. Ginter thinks even that’s inadequate to secure a big site. “The most critical control systems in the grid are control centers—the balancing authorities that give commands to things over a broad geographic area.” These high-impact assets have bullseyes painted on them, he adds.
Not enough thinking happens about the loss of assets within them, says Michael Toecker, consultant with Digital Bond, Sunrise, Fla. And perhaps too much attention is paid to compliance and its outcome. It’s very audit-intensive, he says, with some organizations having the “get me through the audit and I’m cool” attitude. But cybersecurity requires vigilance—not a three-year audit cycle.
Toecker’s view matches Ginter’s: Not all in the industry believe a security issue exists. Thus, they view NERC-CIP as the bare minimum required. But security is doing what you have to do to protect something, while compliance is doing something someone else has ordered, whether useful or not, Ginter says. “Saying ‘I’m CIP-compliant’ is nothing to boast about.”
Bare-minimum utilities tend to put lawyers in charge of CIP programs. That troubles Ginter. It also overlaps Alrich’s similar concern about the existing uncertainty of versions and its effect on standards implementation. When FERC approves Version 5, and if it asks for Version 6, there will be sufficient information to proceed with Version 6, Alrich thinks. That’s because FERC will specify a date by which NERC has to return Version 6. But attorneys will object and restrict the organization to compliance only with V.5 or whatever is the last approved version, he believes.
Intrusion, connections, safety
Though uncertainty persists about whether NERC-CIP provides the level of protection necessary, at least one device steadies the picture: the unidirectional gateway for data connectivity from an industrial network to a corporate network.
How important is the device? When addressing BES organizations at a 2012 NERC conference, Tim Roxey, NERC chief cybersecurity officer, said, “When you are considering security for your control networks, you need to keep in mind innovative security technologies such as unidirectional gateways.” Later in the conference, he encouraged those organizations to embrace the technology.
Waterfall Security, headquartered in Rosh Ha’ayin, Israel, developed its core unidirectional technology in 2004. It’s used now to protect safety systems, as well as nuclear reactors and conventional electricity generators. NERC-CIP rewards those organizations that use a unidirectional gateway as the only connection between outside-the-perimeter networks and protected networks, Ginter explains. “You’re off the hook for one-third of the rule for a medium-impact site, which typically is power generation.”
Encryption is another directional issue. Because most devices don’t support encryption, Ginter says, someone could walk onto a site and send commands to everything, as malware does. “Cybersecurity gurus on the IT side and some in industrial spaces ask: ‘Are you nuts? Why aren’t things encrypted?’”
V.5 calls for it. That pleases Toecker, who says, “To not use encryption should be subject to intense scrutiny, not the other way around.”
Considering how cybersecurity melds with safety systems also deserves scrutiny. Though not covered by CIP rules, those systems present other potential unwanted access. Ginter says the industry runs risk assessments on natural functions, but doesn’t understand that a fiber problem is not random.
Nor are attempted intrusions at the ESP random. Those can be stopped with network intrusion detection (NID), typically located immediately downstream of the firewall, closer to the control system, Ginter says. NID has a rule about attacks: If what it sees matches that rule, it stops the message. But it’s only required for high-impact cyber systems. “Those are too important to trust to one layer of protection,” Ginter says. “FERC required NERC to specify a second layer.” Such protection could be critical since, as he notes, CIP allows direct connection to the Internet with only a firewall. “That’s because CIP does not look outside the perimeter.”
Serial communications cannot be overlooked, either. Toecker says that, ideally, NERC would conclude that those need certain protections. NERC should also not dismiss those linkages, but require them to be inventoried for risks they pose—and then describe how they’ll be mitigated, he says. “Practically, though, I don’t think that’s going to get addressed now.”
Based on NERC-CIP’s history and process, Toecker’s issue could be addressed through a new version. But is there a limitation of the reliability standards and their process if people rely on there always being a next version? Yes. For example, Ginter asked someone in the industry where in that process there is a provision to protect against the type of cyber attacks launched by the Chinese intelligence agency. He heard, “You can’t hack the power grid. It’s redundant. It’s complex.” Not so, he says—and he finds nothing in the standards to protect against such an attack.
That assessment should propel regulators and their targets to more specific and urgent action. However, having regulations like NERC-CIP only establishes an operating floor, Toecker says. And though there’s a lot of trust given, there’s not much verification, he adds. That instills a paper-chase mentality in the regulated industry—and that compliance mentality replaces risk reduction. The result he dreads is insufficient thinking about how the loss of critical assets, including the non-regulatory-affected ones, impacts operations.
At least cyber threats and security compete for everyone’s attention. Recently, at late-September meetings in Denver of the CIP Commission (CIPC) and at EnergySec’s 9th Annual Security Summit, the buzz was still cyber. The CIPC meetings spoke to NERC-CIP being part of the larger effort to protect BES physical and cyber assets. EnergySec’s gathering was all about the electricity industry.
But does regulatory-industrial thinking go beyond power supply? Not yet, it appears. However, Ginter says some water utilities are using NERC-CIP because they don’t have similar standards. Byres indicates that non-utilities view NERC-CIP as an example of how to not write a standard. And the standards might make an industry like oil and gas less secure, he says. “They would have to do things about compliance, not improve security.”
Nevertheless, onward to the next version the process goes. Toecker and Byres foresee a new V.6. Alrich predicts it by mid- to late 2014. “You won’t ever have to comply with Version 5, any more than you will with Version 4,” he says. “Your next CIP compliance version will be 6.” Of course, there’s uncertainty in his prediction. It wouldn’t be the CIP reliability standards process without it.