NERC's Critical Infrastructure Protection standards take center stage
Cyber terrorism is a critical concern in the world, and it is paramount that utilities protect themselves from cyber-terrorist attacks. In January 2008, the Federal Energy Regulatory Commission (FERC) acted on a congressional mandate and approved eight new mandatory requirements to safeguard the North American bulk power system from cyber-security attacks that could potentially cause disruptions. As a result, the North American Electric Reliability Corp.'s (NERC) new Critical Infrastructure Protection (CIP) standards have transformed the fairly intangible topic of cyber security into a very tangible issue for all utilities to deal with now and be accountable for in the future.
Power reliability is a key concern for U.S. national security and the economy, because losing electrical service could have severe financial implications. These NERC CIP standards offer an impactful means to strengthen North American utilities. Failure of utilities to comply with the standards could result in penalties ranging from US$1000 to $1 million a day.
CRITICAL ASSETS, A STARTING POINT
The CIP standards represent eight unique yet interrelated components to protect the cyber security of the entire bulk power system. The initial key steps toward attaining cyber security are identifying critical assets and critical cyber assets. Critical assets are generally assets on the bulk power system, such as power plants and transmission lines. Although individual owners of power-related assets determine the criticality of each of their assets, other entities along the grid have input. The cyber components along the grid that control and protect the physical critical assets and meet specific cyber conditions are considered critical cyber assets.
The new standards have raised utilities' awareness of cyber security significantly and have brought together different functions within the industry to address emerging threats. Utilities find themselves at varying levels of progress in their efforts toward compliance. To help with this sizable endeavor, many utilities have hired outside consultants to initiate the discussion regarding CIP compliance or to assist their internal utility staff in developing a successful compliance program.
Regardless of who does the work, the effort should start with a discussion about risk-based methodologies to identify what constitutes a critical asset. Field work typically follows to identify what physical- and cyber-security measures exist to protect the utility's critical cyber assets, whether they be associated with generators, substations, energy management systems or the controls guarding these assets.
This phase of the project also represents the time in which policies and procedures are reviewed against the substantial requirements of the CIP standards. After this assessment, the consultant can work with the utility to develop a "gap analysis," which focuses on unprotected critical assets and the necessary adjustments.
With the compliance gap defined, the next step is developing a cost estimate of the engineering, equipment and policy changes needed to provide compliant cyber protection. After an agreement has been reached on the proposed solution, the project can proceed with detailed engineering, equipment procurement and implementation of any required modifications.
Consultants offer utilities solutions to assist with asset identification and all of the other CIP standards. Consultants or other third parties can identify a utility's vulnerabilities and design remedies to solve the problem. Given that today's cyber-security issues are more mature than in the past, utilities should seek complete cyber-security services from a suite of services for their telecommunications (SCADA and control systems) sector, including physical security, a dedicated cyber-security practice and protection for power-plant distributed control systems, construction and project management.
KNOWING OPERATIONS INSIDE OUT
Effective cyber security involves a holistic approach. Different departments within utilities that may seldom interact now need to know each other's business and how it applies to cyber security. Field personnel, who are generally more familiar with the physical aspect of security, will need to know how the cyber network operates and then go step by step to understand the protection of the network. Utility managers will need to become familiar with their own information technology (IT) departments, which may represent a significant departure from traditional arm's-length relationships. In essence, it is crucial to help employees in each area of the utility understand how their area will be impacted by the new CIP standards, and how other areas of the company will influence their interactions with the enterprise network.
Utility managers will have to understand how vulnerable their current networks are to hacking. In a poorly protected utility network, any employee who can log on to the network for e-mail or billing can potentially put the power network at risk for a cyber attack. Even a new consumer-friendly service such as automated meter reading with thermostat control could be hacked, and thus offer the potential for bringing down the grid or a substantial part of it.
The NERC CIP standards also address the physical access of critical cyber assets by employees at facilities. Potential threats from internal sources are even greater than from outside the utility network. Only qualified and authorized employees should have access to these kinds of assets. Card readers can control physical access of authorized personnel and provide data for log reports. Once an authorized employee leaves the company, all physical- and cyber-access controls for that person must be removed. Employee background checks are a CIP requirement, which may become an issue given existing bargaining agreements.
All of this work — identifying critical assets, protecting networks and other topics — requires the development of compliant processes, policies and procedures that must be consistently followed. The utility must determine a corporate lead or representative who becomes the point person on all cyber-security matters. Utilities must conduct personnel training and update training materials regularly. Further, utilities must put in place documentation and reporting processes to demonstrate compliance with the CIP standards to satisfy a NERC audit.
LAYERED AND PROTECTED SECURITY
Even before the NERC CIP standards became mandatory, physical- and cyber-security concerns were common within utilities, with most having some internal measures in place. But these security measures occurred only in a few places and were not always part of a larger program focused on multiple dimensions of the critical assets.
In a sense, coordinating the multiple layers of physical and cyber security at a utility resembles designing a Russian nesting doll: the smallest part must be fully encased and protected by the next larger part, the initial pair then fits into a still larger part and so on until it is fully assembled as a single, coordinated unit that has enclosed and protected its smaller components.
NERC CIP sets out to remedy the lack of security coordination and — to use the Russian nesting doll example — make sure that all of the dolls (the physical- and cyber-security layers or measures) are aligned and mesh as one. In that vein, critical cyber assets need to be protected in the proverbial "six-walled container." Besides the typical physical components of such a container (the actual walls, a door, a ceiling and a floor, the building in which it is housed and the fence with a secure gate around that building), there are less obvious security items that may include monitored cameras along with limited access to the room that is logged and monitored.
A utility needs to test its cyber and physical security both before and after its NERC actions. The first test will determine what vulnerabilities exist. The second test will check how well the utility addressed those system vulnerabilities. To better understand the threats to their systems and how the NERC CIP standards address cyber protection, some utility leaders have even recently attended classes on cyber hacking.
Utilities also should work to standardize control systems within their own organizations. This will simplify cyber security through uniformity.
From a physical-security standpoint, utilities need to review the condition of security perimeters, be it a room, floor, building or fence line. Getting out in the field and enforcing physical security will take effort, but it will be time well spent. Physical security does not require people to be at a site (such as a remote substation) at all times. Rather, equipment can secure and monitor a site as long as the utility or appropriate entity can respond in the event of a security breach.
Policies must be in place when cyber security is breached. That way, utility managers will know whether to call local law enforcement in such an instance. These policies will also determine who views the surveillance video, reviews the log-in records and checks the site for missing items or equipment that may have been tampered with. The CIP requirement regarding incident reporting and response planning addresses such questions on a larger, more-complete scale.
SMALLER UTILITY CONCERNS
Utilities, particularly smaller utilities and municipalities, face a lot of work to achieve NERC CIP-compliant cyber security. The interconnected nature of the utility system, where what happens in Florida affects New England, makes it so. Therefore, smaller utilities aren't given a bye this time and doing nothing is no longer an option.
Some smaller utilities may even need to add staff or install new equipment to deal with the NERC CIP standards. Doing so will not be easy, because the industry as a whole deals with an aging workforce nearing retirement and a fairly tight job market. The cost of these new employees and equipment is another factor.
Smaller utilities are also likely to learn a lot about what they don't know regarding the CIP standards. For example, one small utility discovered that it was responsible for critical assets it had not known were critical, at a substation located in a critical transmission path connecting to other utilities' critical assets.
Still, solutions to cyber security can be crafted specifically to fit the individual situation, whatever the size of the utility enterprise.
Identifying physical and cyber assets, and enacting processes and improved security plans are important steps in NERC compliance. The problem is that the NERC CIP standards are considered quite vague throughout the transmission and distribution industry. Phrases such as "reasonable business judgment," "where technically feasible" and "should" appear throughout the standards. These words can be interpreted subjectively, assuming a variety of meanings and interpretations according to the reader's perspective.
Ambiguity exists not just from process to process, but also with regard to implementation. The standards allow utilities to document a noncompliant situation in the organization if it is either "technically" or "operationally unfeasible" to correct. As utilities address cyber security, the NERC CIP standards require them to become "substantially" compliant by Dec. 31, 2008. The word substantially, though, is not defined in this context, at least not substantially.
A simple explanation is that utilities should be well on their way to becoming compliant. As this yet-to-be-spelled-out, evolving level of compliance is achieved, utilities must then move their efforts to becoming fully compliant (another amorphous term) by Dec. 31, 2009, and then become "auditably" compliant by Dec. 31, 2010. Auditably is defined as having accumulated one year's worth of data, documents, documentation, logs and records that can be audited. This demonstrates that compliance is as much about processes, documentation and reporting as it is about protecting bits and bytes of data.
It is important for utilities to ask many questions of consultants and NERC representatives to effectively address the standards. FERC has ordered NERC, as keeper of the standards, to remove the vague phrases from the standards. In the meantime, utilities must continue to work toward compliance, even though compliance is arguably something of a moving target today given the lack of concrete definitions. And there is no universal agreement across the industry today on what the final standards should be. Depending on whom you talk to in the industry, the NERC standards are either inadequate or too much.
Regardless, utilities must keep moving forward on NERC CIP compliance. NERC is working on sharpening the standards and making them more precise. But no utility can afford to wait to initiate action on cyber security. The risk and possible damage are simply too great, and the threat of penalties for noncompliance is real. Here in 2008, the future is now for cyber security.
Martin G. Travers is president of Black & Veatch's Telecommunications Division. He has an extensive background in the engineering and construction of infrastructure facilities. With more than 25 years' experience in projects such as electric power-generating stations, transmission lines, substations and telecommunications networks, he thoroughly understands the key issues that influence successful project development, deployment and performance.
NERC Compliance Overview
| Standard | Topic | Requirements |
|---|---|---|
| CIP-002 | Critical cyber assets | 1. Critical assets; 2. Critical cyber assets; 3. Annual review; 4. Annual approval |
| CIP-003 | Security management controls | 1. Cyber-security policy; 4. Information protection; 5. Access control; 6. Change control |
| CIP-004 | Personnel and training | 1. Awareness; 3. Personnel risk assessment |
| CIP-005 | Electronic security | 1. Electronic security perimeter; 2. Electronic access controls; 3. Monitoring electronic access; 4. Cyber-vulnerability assessment |
| CIP-006 | Physical security | 1. Plan; 2. Physical-access controls; 3. Monitoring physical access; 4. Logging physical access; 5. Access log retention; 6. Maintenance and testing |
| CIP-007 | System security management | 1. Test procedures; 2. Ports and services; 3. Security patch management; 4. Malicious software prevention; 5. Account management; 6. Security status monitoring; 7. Disposal or redeployment; 8. Cyber-vulnerability assessment |
| CIP-008 | Incident reporting and response planning | 1. Cyber-security incident response plan |
| CIP-009 | Recovery plans for CCA | 1. Recovery plans; 3. Change control; 4. Backup and restore; 5. Testing backup media |