NERC’s reliability oversight is bogged down on two fronts—standard-setting and compliance oversight. Progress depends on improving unwieldy process.
Cyber Attack! - Defining 'Critical Assets'
ERCOT utilities approach CIP compliance from varying perspectives
As proposed by the North American Electric Reliability Corp., the new critical infrastructure protection (CIP) standards charge utilities with identifying their own critical assets and related cyber systems.
This approach allows great flexibility for utilities to apply the CIP standards to their particular situations. This will help ensure that their efforts focus on securing critical assets, rather than on complying with an overly prescriptive set of mandates that might or might not yield a secure grid.
The same flexibility, however, is creating an unnerving level of uncertainty among utilities facing a looming compliance deadline.
“You’ve got every organization under the sun taking their own guess about what should and shouldn’t be considered a critical cyber asset,” says Darren Highfill, CISSP and utility communications security architect for EnerNex Corp., an engineering and consulting firm based in Knoxville, Tenn. “Until the standards are finalized and NERC starts doing audits, we’re speculating about where the line will be drawn.”
Under the current schedule, the new standards will become legally enforceable in 2009. Between now and then, however, the standards might evolve. In a recent Notice of Proposed Rulemaking (NOPR), FERC asked NERC to provide further guidance on how utilities should focus their “risk-based methodology” (see “ Setting the Standard ”).
“The regulated entity determines whether it has critical physical assets and assocated critical cyber assets,” says Joseph McClelland, director of FERC’s Office of Electric Reliability. “That discretion could lead to inconsistencies, and those inconsistencies could lead to vulnerability on the system. We’d like to see modifications to the standards and process to address those potential problems.”
Utilities can’t afford to wait for a refined set of standards. To ensure they are compliant when the standards become enforceable, utilities are working to define their critical assets today—even as they watch to see how their definitions might need to change tomorrow.
Oncor On Track
Since it’s up to each entity to develop its own way of identifying critical assets, their methodologies run the proverbial gamut.
“There are differences in what people consider critical and the strategies being applied,” says Bill Bojorquez, vice president of system planning at ERCOT, which has formed a CIP Advisory Board to provide guidance to its membership. “Substation duty in Houston will be viewed differently from a similar sized substation in a rural area. Some utilities are more in tune with the process of developing their methodologies than others. Our goal is to help their program engineers understand and meet their compliance requirements.”
Those requirements vary substantially within ERCOT, because of differences among various utilities, large and small.
Oncor, for example, is the largest electricity delivery company in Texas, providing power to more than 3 million customers and operating more than 115,000 miles of transmission and distribution lines. To identify its most