Waiting on NERC: What's Next for Cyber-Security?
As NERC’s CIP standards advance, utilities move ahead, haltingly, with implementation.
will be subject to fines. “Those fines can be fairly substantial,” Johnson says. “Depending on the nature of the violation and whether it’s a first violation or a repeat violation, the severity of the fines escalates and can be in the six-, even seven-figure range.”
Implementation schedules will depend, in part, on whether a company has been telling NERC that it’s been in compliance with the voluntary 1200 standards. “The 1200 series required companies to do self-audits, and self-verification, so if they’ve been telling us all along that ‘Yup, [they’ve] been doing what they should do,’ and ‘Yup, [they’re] compliant,’ what this new series says is, that’s good news: Now you’re going to have to prove it to us.”
Too-Long a Timeline?
Threats of fines aside, not everyone in the industry is as excited about the potential of NERC’s new standards to prevent cyber attacks. With worms and viruses constantly morphing, many utilities say their networks grow more vulnerable with each passing day, to threats from without and to sabotage from within.
KEMA’s Joe Weiss continues to sound the alarm about network vulnerabilities. Working at the SCADA Test Bed at the Idaho National Engineering and Environmental Laboratory, he sees the pitfalls of various control systems day in and day out. An implementation timeline stretching out nearly four years is little comfort against cyber attacks, Weiss says, and that lack of urgency will fail to persuade utilities not already on board to come around to NERC’s way of thinking.
“If cyber is real, how on God’s green earth are we sitting around doing nothing?” Weiss asks. “And if cyber isn’t real, why are we doing anything? A number of utilities feel that if they are not within NERC scope, they won’t do anything. Another group feels this is important to their business and will do it anyway.”
Weiss’ concerns aren’t limited to vulnerable SCADA systems. They apply to the other pieces of utility infrastructure, because, Weiss says, as far as utility security goes, “a utility is only as strong as its weakest link.” NERC, however, is mandated to focus only on the bulk electricity grid. That’s not enough to shore up cyber-security, according to Weiss.
“The positive development [with NERC’s new standard] is, you’ve now got a standard. The negative is, in a funny sense, you now have a standard.
“We’re starting to find cases where the NERC standard would not have precluded [the incidents], but could have camouflaged them. Some of these have happened over the past six months. …
“I think there are people who think this standard covers a whole lot more than it does. … Part of why this is difficult, and wrong from the beginning, is we’re talking cyber, electronic communication.”
Reliability traditionally has been a question of how large a plant or substation could go down without affecting the grid, but the electronic connections involved in cyber make size irrelevant, Weiss says.
“A very small substation or power plant, if it’s electronically connected, can affect the whole grid. … As written now, these units are outside the purview of the