We all face deadlines, and utilities faced a major one in June as they were required to achieve compliance with a range of cyber security standards passed down by the North American Electric Reliability Corporation (NERC) more than two years ago.
The eight critical infrastructure protection (CIP) standards 002–009 are intended to ensure the protection and reliability of critical cyber assets within the bulk electricity system (BES) by calling for utilities to identify and document such assets and develop strategies to secure them from vulnerabilities to cyber warfare, or else face fees of up to $1 million a day. Utilities have faced the prospect of cyber asset security compliance ever since a voluntary set of standards was first developed by NERC in 2003. The first set of mandatory standards was approved by the Federal Energy Regulatory Commission (FERC) in 2008.
With the June 30 deadline now behind us, Intelligent Utility spoke with two industry experts to determine how utilities have fared. Sam Brattini, executive consultant and director of compliance services at KEMA, says most are in good shape. “Even before FERC gave final approval, utilities were developing strategies to identify and document critical assets for which they were responsible,” he said. Utilities also identified and secured the physical and electronic perimeters within which critical cyber assets were located. The successful implementation of policies governing management security and access controls, permissions granted to industry vendors and other external stakeholders, and personnel training in new policies and processes means many will not face significant fees.
David Baker, Director of Services at IOActive, agrees that many utilities have complied with the standards or have self-reported existing shortcomings to demonstrate a good-faith effort to acknowledge risks yet to be addressed. But he also believes the standards have been something of a ‘bitter pill’ to swallow because of the investment of money and time they required. “The people who manage the BES and who concentrate on reliability have benefited significantly from a greater awareness of corporate IT,” Baker said.
Part of the growing vulnerability of utilities to cyber risk is their increasing reliance on IP networks and the Internet. Consequently, to comply with the CIP standards, utilities have had to develop IT expertise to understand the nature of risks to their cyber assets and adequately address them. “IT specialists understand firewalls, protocols, internet security standards and other strategies to ensure the integrity of assets and systems,” Baker said.
CIP limitations apparent
But as the integration of utility operations with IP grows more complex, the limitations of the CIPs become apparent. CIP 002 now classifies specific facilities and assets deemed critical in the BES including substations, some generation resources, load-shedding systems and special protection schemes; their associated cyber security assets have been the targets of CIPs 003–009, which articulate the full breadth of processes and methodologies utilities must execute to ensure their reliability. “But CIP-002 does not provide enough specific guidance on how to classify all BES facilities or systems,” said Baker. The CIP language is not definitive enough about the types of assets to be secured. One industry blog suggests less than 5 percent of existing generation facilities are adequately classified.
“More assets should be classified,” added Brattini. “From a risk-assessment perspective, many now unclassified assets could have a medium- or high-severity impact on the BES if they are compromised by cyber breaches.”
A NERC standards drafting team has adopted proposals for two new cyber security standards (CIP 010 and 011), which are intended to replace the current ones. Like all standards, however, the language must be opened to public comment, revisions must be considered by the drafting team, and approval must come from FERC. As a result, Baker said, the final shape of CIP 010 and 011 is as yet unknown. Final passage of the new CIPs may come sooner or later, depending on the nature of the comments and the length and extent of FERC’s approval process.
An ongoing process
“Utility compliance is an ongoing process more than a one-time success,” Brattini said. The scope of the new standards could be ambitious if the intent is to identify and create security processes for the large number of BES assets not classified by CIP 002. Many utilities now comply with CIPs 002–009 and have avoided hefty fees (many not in full compliance face less significant penalties). But with more stringent requirements on the horizon, the prospect of greater demands on utilities is real. It’s not simply the number of facilities that will need to be accounted for. Under CIPs 002–009, documenting compliance was sufficient. Under CIPs 010–011, a real-time demonstration of reliability may be part of the requirement. Utilities aren’t out of the woods yet.