Utilities are gearing up for compliance with the new CIP standards. NERC, however, has taken a flexible approach to implementation that leaves some companies confused. Can utilities comply by 2009...
Cyber Attack! - Defining 'Critical Assets'
ERCOT utilities approach CIP compliance from varying perspectives
Supply Manager Rick Gillean.
Greenville, Texas, with roughly 13,000 customers, has spent nearly $250,000 on physical security measures thus far. Security-card access systems and roughly 40 security cameras have been installed at the utility’s peaking plant, substations and control rooms. Distribution system relays have been upgraded to improve distribution system reliability. And security checks are now standard practice for all employees.
Further, Gillean recently brought in a consultant to begin the process of identifying cyber assets. “We could sit on our laurels but we’ve chosen not to. Right now we’re excluded from the CIP, but that could change,” Gillean says. “The biggest thing I learned from my consultant is that the cyber guidelines are basically open to interpretation. There are a lot of gray areas, so everybody’s guessing.”
Such issues are bound to occur as the asset-identification process continues to unfold. “I don’t really view [the 69-kV issue] as a loophole,” Bojorquez says. “I see it as a potential improvement we will make down the road as we learn more. These are brand-new standards. There are a lot of implementation questions and there will certainly be additional work” (see “CIP Goes Live”).
For large utilities with multiple divisions, the focus needs to be on getting all the businesses on the same page.
“For a large-scale utility, the challenge is getting all the right people in the room,” says Will Tang of Digital Security Consulting Inc. of Glendale, Calif. “The transmission and distribution, corporate IT, and other engineering groups share computers, servers and overlapping network infrastructure. By involving the right people early on in the planning phase, you can be sure you’ve identified all the assets that require compliance.”
Most important, this collaborative process will allow utilities to identify other areas that are vulnerable to cyber attack. “Identifying the critical cyber assets is the hard part,” Tang says. “Once you determine where to place the fence and how big it needs to be, building it is much easier. Implementing security controls is something security companies have been doing since passwords were invented.”
Regardless of the methodology, the cyber-asset identification process will be an ongoing venture—as standards evolve, network systems change and technology advances.
“Right now you have some technologies that are good, but old; some that are newer; and some that are brand new,” Martin says. “As we go forward and the old technologies are replaced, the way we view each asset will change. New technologies will bring new levels of risk and designers will have to build in protective measures to mitigate that risk. So it will be a never-ending cycle. We’ll get smarter and the hackers will get smarter.”