Cyber Attack! CIP Goes Live
Utilities are gearing up for cyber security compliance. Will the standards prove worthy?
least in a local area. Do those folks need to think about infrastructure protection and cyber security? They probably do, but we have jurisdiction issues today.”
The most obvious omissions from the CIP standards result from NERC’s focus on regional-grid reliability, rather than local distribution. Moreover, the Energy Policy Act of 2005 (EPAct) authorizes the Electric Reliability Organization (ERO, the role NERC holds) and FERC to regulate the bulk-electric system and nothing else.
“The NERC CIP standards point to interdependency issues with regard to coordination with other areas, such as fuel supply,” says Joseph H. McClelland, director of FERC’s Office of Electric Reliability. “The Commission’s authority under Section 215 of the Federal Power Act, however, does not extend to other infrastructure outside of the bulk-power system.”
Beyond those reasons, however, the administrative structure of NERC—as an industry-financed and industry-governed association—seems to have affected the way the standards evolved.
Several sources, speaking to Fortnightly on condition of anonymity, observed that the NERC CIP standards were developed in a way that allows utilities to base their security strategies on implementation cost and business implications, rather than on an empirical risk threshold.
“The cyber-asset standard is loosely written,” says one utility manager. “NERC did that to get membership buy-in.”
Most notably, the standards repeatedly state that entities should use their “reasonable business judgment” in compliance. This leeway makes a certain amount of sense, because it helps ensure security requirements don’t cause unintended consequences, or result in unjustifiable investments. But it also results in an ill-defined and weak standard.
FERC noted as much in its July 20, 2007 NOPR: “The Commission acknowledges that cost can be a valid consideration in implementing the CIP reliability standards. However … it is unreasonable to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own ‘business interests.’ Business convenience cannot excuse compliance with mandatory reliability standards.”
The FERC NOPR directs NERC to remove the “business judgment” language from the CIP standards, and FERC’s comments in general suggest the standards will get tougher in the future. “FERC can throw back standards that aren’t good enough, as they already have done,” Silverstein says. “That forces NERC to rise above the lowest of its members’ interests, and write tougher standards.”
Nevertheless, to the degree the NERC administrative structure tolerates weak standards, it could leave the grid more exposed than it should be.
“NERC is in a weird position, with two conflicting masters—the regulator and the regulated,” Peterson says. “Now FERC is asking them to modify the standards, and NERC rules require a consensus of members. That’s backwards; regulated people don’t get to say, ‘Let us decide if this is acceptable.’ They will continue to have this problem until they structurally separate the ERO from the bulk-electric system.”
Given NERC’s jurisdictional limitations and potential conflicts, many industry analysts question whether the organization is the right agency for promulgating and enforcing security standards for the industry. (NERC officials declined to comment for this story, given the organization’s policy on ex-parte communications.)
“The NERC CIP standards are really just a starting point,” says Joe Bucciero, senior vice president with