Cyber Security

NERC's Critical Infrastructure Protection standards take center stage

Cyber terrorism is a critical concern in the world, and it is paramount that utilities protect themselves from cyber-terrorist attacks. In January 2008, the Federal Energy Regulatory Commission (FERC) acted on a congressional mandate and approved eight new mandatory requirements to safeguard the North American bulk power system from cyber-security attacks that could potentially cause disruptions. As a result, the North American Electric Reliability Corp.'s (NERC) new Critical Infrastructure Protection (CIP) standards have transformed the fairly intangible topic of cyber security into a very tangible issue for all utilities to deal with now and be accountable for in the future.

Power reliability is a key concern for U.S. national security and the economy, because losing electrical service could have severe financial implications. These NERC CIP standards offer an impactful means to strengthen North American utilities. Failure of utilities to comply with the standards could result in penalties ranging from US$1000 to $1 million a day.

CRITICAL ASSETS, A STARTING POINT

The CIP standards represent eight unique yet interrelated components to protect the cyber security of the entire bulk power system. The initial key steps toward attaining cyber security are identifying critical assets and critical cyber assets. Critical assets are generally assets on the bulk power system, such as power plants and transmission lines. Although individual owners of power-related assets determine the criticality of each of their assets, other entities along the grid have input. The cyber components along the grid that control and protect the physical critical assets and meet specific cyber conditions are considered critical cyber assets.

The new standards have raised utilities' awareness of cyber security significantly and have brought together different functions within the industry to address emerging threats. Utilities find themselves at varying levels of progress in their efforts toward compliance. To help with this sizable endeavor, many utilities have hired outside consultants to initiate the discussion regarding CIP compliance or to assist their internal utility staff in developing a successful compliance program.

Regardless of who does the work, the effort should start with a discussion about risk-based methodologies to identify what constitutes a critical asset. Field work typically follows to identify what physical- and cyber-security measures exist to protect the utility's critical cyber assets, whether they be associated with generators, substations, energy management systems or the controls guarding these assets.

This phase of the project also represents the time in which policies and procedures are reviewed against the substantial requirements of the CIP standards. After this assessment, the consultant can work with the utility to develop a "gap analysis," which focuses on unprotected critical assets and the necessary adjustments.

With the compliance gap defined, the next step is developing a cost estimate of the engineering, equipment and policy changes needed to provide compliant cyber protection. After an agreement has been reached on the proposed solution, the project can proceed with detailed engineering, equipment procurement and implementation of any required modifications.

Consultants offer utilities solutions to assist with asset identification and all of the other CIP standards. Consultants or other third parties can identify a utility's vulnerabilities and design remedies to solve the problem. Given that today's cyber-security issues are more mature than in the past, utilities should seek complete cyber-security services from a suite of services for their telecommunications (SCADA and control systems) sector, including physical security, a dedicated cyber-security practice and protection for power-plant distributed control systems, construction and project management.

KNOWING OPERATIONS INSIDE OUT

Effective cyber security involves a holistic approach. Different departments within utilities that may seldom interact now need to know each other's business and how it applies to cyber security. Field personnel, who are generally more familiar with the physical aspect of security, will need to know how the cyber network operates and then go step by step to understand the protection of the network. Utility managers will need to become familiar with their own information technology (IT) departments, which may represent a significant departure from traditional arm's-length relationships. In essence, it is crucial to help employees in each area of the utility understand how their area will be impacted by the new CIP standards, and how other areas of the company will influence their interactions with the enterprise network.

Utility managers will have to understand how vulnerable their current networks are to hacking. In a poorly protected utility network, any employee who can log on to the network for e-mail or billing can potentially put the power network at risk for a cyber attack. Even a new consumer-friendly service such as automated meter reading with thermostat control could be hacked, and thus offer the potential for bringing down the grid or a substantial part of it.

The NERC CIP standards also address physical access to critical cyber assets by employees at facilities. Potential threats from internal sources are even greater than those from outside the utility network. Only qualified and authorized employees should have access to these kinds of assets. Card readers can control physical access of authorized personnel and provide data for log reports. Once an authorized employee leaves the company, all physical- and cyber-access controls for that person must be removed. Employee background checks are a CIP requirement, which may become an issue given existing bargaining agreements.

All of this work — identifying critical assets, protecting networks and other topics — requires the development of compliant processes, policies and procedures that must be consistently followed. The utility must determine a corporate lead or representative who becomes the point person on all cyber-security matters. Utilities must conduct personnel training and update training materials regularly. Further, utilities must put in place documentation and reporting processes to demonstrate compliance with the CIP standards to satisfy a NERC audit.

© 2012 Penton Media Inc.

