State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Cyber Attack! CIP Goes Live
Utilities are gearing up for cyber security compliance. Will the standards prove worthy?
and the industry have made remarkable progress, and their efforts deserve accolades.
“I’ve been very impressed by NERC’s leadership in this domain,” says Darren Highfill, utility communications security architect with EnerNex Corp. in Knoxville, Tenn. “From an organizational standpoint and within the scope of NERC’s charter, I think they’ve done a very good job. The CIP standards are procedural and not prescriptive. They cover all the bases and they are pretty well constructed.”
But as a first effort, the standards are destined for refinement, strengthening and possibly expansion as the industry discovers weak links in the regulatory fence.
For example, the standards give regulated entities the task of identifying which of their assets will be subject to regulation, with little specific guidance about how they should conduct the process. In effect, this means utilities decide what systems CIP-compliance auditors will examine if they come a-calling (see “ Defining ‘Critical Assets ’”).
Additionally, the standards exempt many assets common sense suggests should be included in any logical definition of “critical infrastructure.” Speaking on condition of anonymity, a manager for a major T&D utility told Public Utilities Fortnightly , “We operate the largest transmission system in our state and we may end up with the smallest number of critical cyber assets. That’s because most of our substations are not IP (Internet Protocol) or dial-up accessible.”
The CIP cyber standards govern only systems using IP communications, while many utilities’ control systems use serial or point-to-point connectivity (See “ Aurora Attack ”). “That’s a weakness in the standards,” the manager says. “They don’t require us to protect those assets.”
Additionally, the standards exclude assets regulated by the Nuclear Regulatory Commission (NRC)—which means some of the largest power plants on the grid, with the highest-profile safety issues, are exempted. (The NRC imposes its own security requirements on nuclear licensees.)
Also, the standards apply only to NERC-registered entities and others with assets that are critical to the bulk-electric grid—a term NERC defines in fairly general terms. NERC and most of its control areas consider 100 kilovolts the working threshold between distribution and bulk-power assets, but even that definition falls short.
“There is no universally accepted definition of bulk power,” says Tobias Whitney, compliance and infrastructure-protection practice leader at Burns & McDonnell in St. Louis. “In practical terms, utilities generally consider it anything that could contribute to a cascading blackout like what happened in the Northeast. But there’s a gap between the definition and what’s practically considered the bulk-electric system.”
This gap could represent a dangerous loophole. To the degree utilities are uncertain about their compliance requirements, that uncertainty might expose the entire bulk grid to security risks. Further, the CIP standards don’t apply to interdependent infrastructure, such as pipelines and telecommunications networks, or to most municipal utility systems—even large ones with hundreds of thousands of customers.
“Some distribution systems are almost bulk systems,” says Larry Bugh, chief security officer at Reliability First, the NERC regional entity covering PJM. “Some distribution systems are operated in a fashion that could impact the reliable operation of the grid, at