The risk landscape for electric utilities has existed, and has been well managed, for many years. It did not begin with NERC CIP, as some might think from the buzz of the past few years surrounding the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.
As Patrick Miller, president and CEO of the Energy Sector Security Consortium, Inc. (EnergySec) and principal investigator of the National Electric Sector Cybersecurity Organization (NESCO) recently told the Congressional Cybersecurity Caucus: "Make no mistake. The electric industry is not waiting for regulation to secure their environments. Successfully responding to and preparing for threats and risks and rapidly restoring the grid to a safe state of operation are industry-wide responsibilities that are taken very seriously. This is evidenced by the fact that even though the North American power grid is by far the largest, most complex system built by humans, it is also the most reliable. Our utilities already respond to catastrophe with the skill and aplomb that only comes from years of experience and refined maturity. They do this every day and they do it very well."
He went on to note, "Cybersecurity is another important variable in their risk landscape, but it doesn't significantly change the overall risk management approach. Like all other risk mitigation efforts, cybersecurity protections should support the mission of delivering safe, reliable power to the consumer."
It started with a simple lunch
EnergySec is a community of information security, physical security, audit, disaster recovery and business continuity professionals from energy industry utilities. It was established more than a decade ago in the Pacific Northwest. Initially, said Stacy Bresler, vice president of outreach and operations for EnergySec and the co-principal investigator for NESCO, a small group met for lunch to discuss the security challenges they were all facing. The idea was simple: share common security practices for the purpose of learning from one another.
The E-Sec NW, as it was called then, "started with a couple of guys and a lunch," Bresler said, and grew from there. As the lunch table grew and the group outgrew the ability to meet in a restaurant, an online forum and quarterly meetings were established. In 2005, an annual summit was added to the mix. It was the only meeting of its kind at the time, promoting open and honest dialogue, creative ideas and collaborative solutions, and it appealed to the "boots on the ground" security practitioners within the industry.
Now, participation in EnergySec is international, including all regions of North America as well as South America, Europe, Asia and Australia. Since 2008 the group has been a United States 501(c)(3) nonprofit organization, with the mission of supporting organizations within the energy sector in securing their critical technology infrastructures. "We're all about information-sharing around cybersecurity practices," Bresler said, "and we recognize compliance is one part of that. The more we can talk among ourselves, the more we will continue to refine our risk management practices."
Today, EnergySec has more than 1,000 members from over 322 unique organizations. It covers 75 percent of North American generation, 65 percent of distribution and 70 percent of transmission. "We have members in every state, and in Spain, Australia, Brazil, Canada and Great Britain," Bresler said. "It is one of the larger information-sharing organizations in the industry."
NESCO also evolved from this organically growing group. In 2010, the U.S. Department of Energy announced a funding opportunity to build NESCO, meant to be a public-private partnership focused on security-related information sharing in the electric sector, bringing together utilities, federal agencies, regulators, researchers and academics. EnergySec was awarded partial funding over three years for the project.
This group, along with domestic and international experts, developers and users, helps to focus cybersecurity research and development priorities, to identify and disseminate effective common practices, and to organize the collection, analysis and dissemination of information about infrastructure vulnerabilities and threats. NESCO works to identify and support efforts to enhance the cybersecurity of the electric infrastructure.
Protection vs. compliance
As a former employee of the Western Electricity Coordinating Council (WECC), where he was part of the team of NERC CIP auditors that helped establish the regional reliability audit program, Bresler has been involved in his share of NERC CIP audits.
"The WECC region did the first audit in the country of the first 13 requirements," he said. At that time, the guidance surrounding audits was poor, so WECC ran a full-day session on each CIP requirement in order to give utilities the additional information they needed to prepare for their scheduled NERC CIP audits.
"There have been quite a few lessons learned over the years," Bresler said, stressing that the NERC CIP guidelines continue to evolve and be refined.
Bresler also stressed that being "compliant" is different from being "protected," and that both are important. Compliance, as proven by an audit, is all about documentation that supports the requirements. "When you're doing an audit, documentation is everything," he said. Most utilities understand the need for clear documentation and the need to manage it, and many have created a NERC CIP compliance program manager position, but some utilities are still trying to determine the skill set necessary for that role.
Two best practices
I asked Bresler to define some best practices for utility cyber and physical security risk management, given his experience in the industry and his experience leading and participating in more than 30 NERC CIP audits.
First, he said, "devote aware people to the systems you are deploying. Log management is your bread and butter, and you need people who understand that role, and the potential cybersecurity implications, and can take the information they are reviewing and be able to act upon it."
Second, "the security team isn't your security front line," he said. The key mandates of CIP-004 require that staff with access to critical cyber assets have a true understanding of security risks, and that access to those assets be monitored effectively and on an ongoing basis. The purpose of CIP-004 is to safeguard against weaknesses in utility personnel practices, and its primary focus is on proper training of personnel.
"With CIP-004, security training for your staff is really key," Bresler said. "One utility trained all its employees on how to protect their own data, even at home. Once you understand that, you can relate that back to work. And some utilities have taken security and made it function like a small business, then marketed it throughout the company."
NERC CIP standards still evolving
"We're seeing an ongoing maturity of NERC CIP standards," Bresler added. "Version 4 has been released, and we're moving into Version 5, and with each version, the requirements are getting clearer.
"The maturation of standards is going to continue. I think what's important, really, is that these standards have set us forward tremendously. I've seen the improvements on the front lines. I have done over 30 audits, and utilities are really trying to do the right thing. Without the NERC standards being put in place, I suspect the industry would not have improved as much as it has over the past several years."