[BETA] Fortnightly

In a world where streetlights can be used as a weapon, controlling local utility networks becomes more than just a matter of public convenience and necessity. It becomes a matter of public safety and even national security. And in that world, the idea of an inter-networked, automated distribution grid poses troubling questions about cybersecurity vulnerabilities.

A simulated attack, named the Aurora Generator Test, took place in March 2007 by researchers investigating supervisory control and data acquisition (SCADA) system vulnerabilities at utility companies. The experiment involved hackers invading the plant’s control system to change the operating cycle of the generator.

As proposed by the North American Electric Reliability Corp., the new critical infrastructure protection (CIP) standards charge utilities with identifying their own critical assets and related cyber systems. This approach allows great flexibility for utilities to apply the CIP standards to their particular situations. This will help ensure that their efforts focus on securing critical assets, rather than on complying with an overly prescriptive set of mandates that might or might not yield a secure grid.

The NERC CIP standards represent an historic achievement. They include the first mandatory cyber security requirements of their kind to be imposed on a U.S. private-sector industry. Considering the scope and sensitivity of the grid-security issue, developing a set of enforceable standards inevitably would entail a complex and contentious process. From that perspective, NERC, FERC and the industry have made remarkable progress, and their efforts deserve accolades.

Utilities are gearing up for compliance with the new CIP standards. NERC, however, has taken a flexible approach to implementation that leaves some companies confused. Can utilities comply by 2009, and will their measures be effective in securing the grid?

Before the hearings started, I felt the number of critical cyber assets for a medium size utility would be on the order of several thousand, not 20 as some major utilities are identifying under the CIP standards. This should be a red flag for the industry.

The word “security” no longer means what it used to mean. Now, “security” means gates, guards and guns. It means protecting critical assets with a multi-layered cyber and physical perimeter. It means exercising vigilance and caution, and accepting inconvenience as a matter of routine.

We’ve heard it all before, but the issue isn’t going away: Reliability of power, from generation to distribution, remains a primary concern of the utility industry. But the current verdict is mixed, depending upon which experts you talk to. Aging equipment is a ticking time bomb—except when it isn’t. NERC CIP standards are driving reliability improvements—except when they aren’t. Maintenance is key—except where monitoring and automation are more important. And regulators should stand aside and let the market drive reliability improvements—but economic incentives wouldn’t hurt.

Cyber standards proposed by the North American Electric Reliability Corp. are in limbo this summer, although the Federal Energy Regulatory Commission anticipates taking action on them soon. Once approved, however, how will the two organizations work together to enforce compliance?

Operations personnel at many energy companies feel the pressure of achieving compliance with the NERC CIP standards. Some worry that they are not aware of the problems and security incidents that have occurred within their critical infrastructures. Some know that they do not have the procedures in place to maintain CIP compliance.