Making Cyber Security Mandatory

The newly approved NERC CIP standards covering cyber security in the electric power industry may be controversial, but there are big fines for lack of compliance.

During a New Orleans cyber security conference last January, a Central Intelligence Agency (CIA) analyst revealed that cyber attacks on utilities have caused at least one power outage affecting multiple cities outside the United States. At another security confab two months ago in San Francisco, a security consultant declared that it took his team less than a day to hack into the control network of a utility company that had hired the team to do penetration testing.

There’s no doubt that cyber security is more on the minds of the nation’s electric utility owners and operators these days—if not because of these reports, then certainly because of a new set of federal standards that recently took effect covering cyber security in the power industry. “The consequences for not being compliant with these standards are pretty severe—with penalties up to a million dollars a day. So there’s a pretty big stick out there,” observes Tom Flowers, manager, control systems division, for CenterPoint Energy Inc., an electric transmission and distribution utility that serves the Houston metropolitan area.

No choice

Flowers’ reference is to the Critical Infrastructure Protection (CIP) reliability standards, which became mandatory and enforceable in April, following approval early this year by the Federal Energy Regulatory Commission (FERC). Previously voluntary, the CIP standards were developed by the North American Electric Reliability Corp. (NERC) to protect the nation’s bulk power system against potential disruptions from cyber security breaches. In line with the U.S. Energy Policy Act of 2005, FERC designated NERC as the electric reliability organization (ERO), charged with enforcement of the standards.

The multi-year NERC CIP implementation schedule requires that most responsible entities be “auditably compliant” by the end of the second quarter of 2010, or by Dec. 31, 2010, depending on the responsible entity’s classification. But because the standards require a full 12 calendar months of auditable data and documentation at the time of auditable compliance, most utilities must achieve compliance in 2009. For some utilities, this timing could be tight, say industry sources.

While other U.S. “critical infrastructure” industry segments are coming under increasing federal pressure to improve their cyber security, initiatives aimed at the power industry are in some ways the furthest advanced. “If you look at the chemical and the water industries now, they have standards, but the fines and fees are not really declared, the timetables are kind of loose, and there’s not as much teeth to them as you see on the electric energy side,” observes Jonathan Pollet, Houston-based vice president of North American operations for Industrial Defender Inc., an industrial cyber security services and consulting firm based in Mansfield, Mass.

Still, the NERC CIP standards have been criticized for being too ambiguous, providing too little guidance, and leaving too many loopholes for utilities that wish to skirt the rules. And some contend that even total compliance with the standards will do little to actually improve a utility’s cyber security.

“If you go read the [CIP] document, you see that it’s mostly about procedure. It just says that if you go off and enumerate all this stuff and document it, then you’ve done your due diligence. There’s nothing prescriptive that tells people how to do things,” says Bryan Singer, vice president of professional services at Wurldtech Security Technologies Inc., a Vancouver, British Columbia, Canada, provider of industrial cyber security solutions. “It’s a great first step; don’t get me wrong,” adds Singer. “It creates awareness, and it gets people looking at cyber security as an issue. But it doesn’t do anything to actually improve security, especially from a technical perspective.”

Paper pushing

One of the most outspoken critics of the CIP standards is Joe Weiss, an electric industry cyber security consultant and managing partner at Applied Control Solutions LLC, in Cupertino, Calif. Weiss agrees that the CIP standards are inadequate to ensure the cyber security of the North American electric power grid, making compliance nothing more than a “paperwork exercise,” he says. But perhaps the biggest shortfall, according to Weiss and others who find fault with the standards, is that the determination of which assets are “critical”—and therefore must be protected—is left up to asset owners themselves. This allows too much wiggle room, critics believe.

There are eight CIP standards—CIP-002 through CIP-009. The first standard, CIP-002, requires asset owners and operators to use a “risk-based assessment” methodology to identify and document which assets are critical to reliable operation of the bulk electric system. Asset owners then must identify network-computing control system components that are associated with those critical assets. These become “critical cyber assets” that must be protected through compliance with CIP-003 through CIP-009. These cover a range of requirements, including establishment of policies, plans and procedures to safeguard physical and electronic access to critical control systems, training of personnel on security matters, and reporting of security incidents, among other things.

If an asset is not determined to be “critical,” however, its associated control systems are not subject to CIP-003 through CIP-009. Utilities that have no critical assets defined under CIP-002 can disregard the remaining seven standards entirely.

The problem, says Weiss, is that the CIP standards don’t define the “risk-based assessment” methodology to be used for identifying critical assets. This means that utilities that want to avoid compliance requirements can do so simply by developing a risk-based assessment methodology that finds assets not to be critical, Weiss complains. A better solution to protect the cyber assets of the electric power industry would be the application of NIST SP 800-53, the catalog of security controls maintained by the National Institute of Standards and Technology, Weiss believes. Unlike the NERC CIP standards, “it doesn’t have any exclusions,” he says. “It simply tells you to do a complete job.”

Do you care?

Some utility industry representatives chafe at the criticism, however. “One of the quirks of human nature these days is that we assume you don’t care; we assume you’re not doing what you need to be doing, and that’s a false assumption,” says CenterPoint’s Flowers, in reference to suggestions that asset owners might fail to designate assets as critical, as a way to avoid CIP compliance requirements. “You can’t provide the level of service to everybody in the United States on a consistent basis the way this industry has—despite hurricanes, floods, tornadoes, snow and wind—without caring,” says Flowers. “That’s no accident.”

More than 80 percent of all electric power assets are owned by the private sector, points out Flowers, who was a member of the NERC drafting committee that developed the NERC CIP standards. “These folks feel like they have the best handle on what’s critical and what’s not.”

Barry Lawson, manager, power delivery, for the National Rural Electric Cooperative Association (NRECA), in Arlington, Va., believes that criticism based on NERC CIP’s self-determination-of-critical-assets provision is premature. “There are no grounds to criticize utilities right now,” he says. “Let’s allow the utilities to do their work in determining whether or not they own critical assets or critical cyber assets as defined by the standard. They’re working on taking care of that right now, so let’s allow the process to work.”

About 150 out of around 930 NRECA member co-ops are subject to the CIP standards, by virtue of being listed in the NERC compliance registry, Lawson indicates. Many of these co-ops have already completed their CIP-002 risk-based assessments, while others have the process underway, he notes. Lawson adds that the CIP standards are having a positive impact generally on the industry. “The standards are causing utilities to look very closely at their cyber security issues, and entities including our [NRECA] members are taking security steps that are not even in these standards, just because they’ve determined that it’s a good thing to do,” Lawson says.

Playing loose

Nonetheless, there is anecdotal evidence that some utility asset owners are, in fact, playing loose with the rules in an effort to avoid CIP compliance requirements.

“I think NERC left things too open. If you just write up your procedures and document things, you’re going to be compliant,” says one engineer at a major utility who asked not to be named. “I think they really should have come back and said there are certain steps that you have to do, because there are utilities out there that are trying to be as secure as they can, and they interpret it one way, while you have other utilities out there that don’t want to spend the money to become compliant, so they interpret it a different way,” this engineer says. “Some just want to check the CIP boxes and move on.”

“We definitely see both types,” says Industrial Defender’s Pollet, whose company does NERC CIP compliance consulting. “We see some utilities that are very aggressive at meeting requirements and are well on their way to becoming compliant, and they think it makes good business sense to have a secure operation,” he observes. “But on the other hand, we see some utilities, and I’d say more so with the municipalities and rural co-ops, where there’s more of a lax attitude.

“And we’ve seen some pretty unscrupulous things out there,” Pollet continues. While the CIP standards provide no guidance on how to determine which assets are “critical,” there are some general rules of thumb drawn from various industry sources that specify particular output or load thresholds for generation facilities that can be used to determine which assets can be considered “critical,” Pollet says. He cites an example of a utility with one generating facility that is producing “well beyond those thresholds.” But the utility moved to avoid defining the whole plant as critical under the CIP standards by subdividing it into its four separate generating units, none of which by itself exceeds the thresholds, Pollet says.

The utility justified the move, he notes, by saying that “each unit has its own control system that can kind of be separately run, even if the other units aren’t running.” But Pollet labels this kind of thinking as “just insane,” given that without CIP-mandated physical protection for the facility, someone could walk into the facility uncontested, and “just press the emergency shutdown button,” affecting all four plant units.

Modifications needed

FERC, in its Jan. 17 final ruling approving the NERC CIP standards, agreed that modifications are needed in the standards. Among other things, the Commission directed NERC to develop additional guidance on the development of a risk-based assessment methodology to identify critical assets—to be provided either as a separate document, as a modification to the standards, or a combination of the two. The Commission also directed NERC to remove language from the standards that allows variable implementation of the standards based on “reasonable business judgment,” and required a new framework of accountability surrounding exceptions based on technical feasibility.

Further, FERC directed NERC to monitor the development and implementation of NIST cyber security standards “to determine if they contain provisions that will protect the bulk-power system better than the CIP Reliability Standards.” But FERC did not direct NERC to adopt the NIST standards, it said, “because that could lead to possible delays in putting into place any mandatory and enforceable standards.”

As a result, even though a new round of CIP standards is in the works based on the FERC-required modifications, utilities must today comply with the current NERC CIP standards. And that is certain to present challenges for a number of utilities, say industry sources, ranging from cost and manpower to the ambiguity of the standards themselves.

Not surprisingly, since the CIP standards were first submitted by NERC for approval by FERC in mid-2006, the number of companies now purporting to offer NERC CIP compliance consulting has exploded. A Google search on “NERC CIP services” returns more than 40,000 results. This means that utilities must be cautious in selecting third parties who are qualified to help them achieve CIP compliance.

“My recommendation is to look for consultants who have both experience and reference customers,” says Gary Sevounts, Newton, Mass.-based senior director, power & energy industry solutions, for Symantec, the Cupertino, Calif., cyber security solutions provider. “Because NERC CIP is new, it’s hard to find a lot of consultants who have actually done assessments or worked in NERC CIP specifically. But it’s very important to look for people who have both cyber security and process control experience.”

For most utilities, the cost of an initial NERC CIP gap analysis by Industrial Defender—including identification of critical assets—will range from $25,000 to $50,000, says Pollet. And while costs will vary widely, subsequent work involving vulnerability assessments and all the steps needed to bring an average-sized utility with say, 10 critical sites, into NERC CIP compliance might run between $1 million and $2 million, he indicates.

Reluctant management

At some utilities, achieving top-management support for cyber security has until now proven to be a challenge, says Symantec’s Sevounts. The oil and gas industry has been more proactive on cyber security spending, he says. “On the power industry side, we have seen a lack of investment and buy-in from the executive perspective. But with NERC CIP, that actually is getting fixed, because now companies are being forced to invest in security,” Sevounts observes.

Sevounts attributes top management reluctance partly to thin margins and partly to a failure, in an industry that has generated power for decades without the need for cyber security controls, to recognize the importance of the issue in a more interconnected world. In addition, “because there haven’t been a lot of publicized incidents with blackouts or bad things happening because of cyber security incidents, it has been really hard for executives to put their mind around it,” he adds.

Despite the criticism by some, many industry sources believe that NERC CIP is certain to have a positive impact on the cyber security of the nation’s electric power grid. “I do consider the CIP standards to be far too loosely defined,” says Eric Byres, chief technology officer at Byres Security Inc., a cyber security product provider based in Lantzville, British Columbia, Canada. “That said, however, NERC CIP is still a heck of a lot better than anything we had before,” Byres adds. “Darn it, people are at least waking up now and doing something.”

To view the accompanying article to this story, “The CIP Standards,” visit www.automationworld.com/feature-4256