Public Utilities Reports


Deadline Looms for New Cyber-Security Standard

NERC's proposal has the industry scrambling.

Fortnightly Magazine - August 2005

well, what constituted a critical asset, and from that list then what were the cyber assets that needed to be considered for protection.

"It wasn't really that the industry doesn't want cyber-security standards. It just wants to be very clear as to what they'll be expected to do. And that's the benefit of the consensus-building process. They certainly told us where we needed to be more clear."

One of those questions: the implementation timeframe for NERC members and utilities to bring their systems in line with the CIP standards.

"We're trying to get the implementation timelines into a reasonable frame," says Pacificorp's Dave Harries. "We're such a large organization that it's going to take us an extended period of time to be compliant, which is one of the reasons we've pushed back on them for the implementation schedule."

Harries dubbed NERC 1200 as "a first pass" at cyber-security, noting that the 1300 standard "started bringing in the physical side a little bit more heavily," while the CIP "basically unites the whole lump together." But he says Pacificorp is "essentially there on the cyber side; we were there to start with."

Documentation, Degradation, and Intrusion

Harries' confidence is thanks, in part, to the continuing equipment upgrades Pacificorp has made to its infrastructure. The company is bringing in a new energy management system (EMS) from ABB.

"As we've acquired Utah Power and other [companies], we've collected more and more disparate systems. This [purchase] is an attempt to consolidate it all into a single platform. It's going to be a phased implementation. It's in site-acceptance test as we speak."

Last March the company purchased TECSys's ConsoleWorks software to aid with documentation and remediation of any system problems. Indeed, such documentation is part of the CIP standards.

"One of the things [the new NERC standards do] is enforce a much higher level of documentation and tracking of responsibility of changes," Harries says. "In the past, things could be very ad-hoc.

"[Now] you have to document everything and allow for the responsible parties to be involved and take that responsibility."

But Harries does not expect a terrorist attack on his system. Rather, he sees human error as the biggest threat to system integrity.

"We don't really worry that greatly about people coming in and stealing information," he says. "We worry more about the stability of the system. Your biggest vulnerability is probably your network. I've yet to see any real malicious attempts at degradation. Generally it happens more by human error than anything else."

Down to Dollars?

But it's not only an organization's scale that affects future implementation. Budgetary issues also play a role.

"Various portions of the standards are going to require far more work of our members than others," said PJM Chief Security Officer Tom Bowe. "If these standards do get approved in October, many of these organizations already will have passed the budget cycle for planning for 2006. That might be a problem for some of our members."

Tom Kropp, manager, information systems at EPRI, voices a similar concern. "The 1300 standards would put