When FERC opened wholesale power markets to competition a decade ago in Order No. 888, it codified a system for awarding grid access known as the pro forma Open-Access Transmission Tariff (OATT),...
Setting the Standard
NERC’s new cyber security rules may minimize cost of compliance, but they leave utilities guessing on how to identify risks.
standards already developed by the National Institute for Standards and Technology (NIST). After all, federal and quasi-federal entities such as Bonneville Power and the Tennessee Valley Authority already must comply with the NIST rules. (See NIST SP 800-53, at http://csrc.nist.gov/publications/PubsSPs.html.)
The industry objects that the NIST standards were developed for government information systems, and so might prove too costly for the private sector, or not mesh well with industrial control systems (ICS). Two recent developments suggest otherwise, however.
First, a recent report from the MITRE Corporation found NIST SP 800-53 could comport satisfactorily with NERC CIP cyber standards. (See, https://www.pcsforum.org/library/files/1158350129-Apply_SP_800-53_to_ICS_ final.doc .)
Second, on July 13, four days before FERC issued its NOPR, NIST released an updated augmented version of its SP 800-53 cyber standards, designed for application to industrial control systems (ICS). The public comment period on the augmented NIST standards closed August 31.
As NIST senior research scientist Stuart Katzke explained in comments filed with FERC on October 5, “we have received no ‘show-stopping’ comments concerning the effectiveness of the NIST standards.” Katzke said the updated ICS version would become final by the end of calendar 2007.
The Risk Profile
Arizona Public Service leans toward the expansive view that the NERC cyber rules require a look at infrastructure and socio-economic vulnerabilities.
In written comments filed at FERC October 5 by Pauline Foley, senior regulatory attorney for Pinnacle West Capital Corp. (the holding company), APS proposed a multi-step risk-based process for determining which physical and cyber assets should qualify as critical. According to APS, the risk assessment should consider such factors as the number of customers affected by a loss of generating capacity, and whether an outage would affect “major customers,” or “other critical infrastructure.” (See “ Identifying Critical Cyber Assets: The APS Model ”)
Some small co-ops and municipal utilities anticipate trouble in judging how asset failures might affect the entire grid. FERC appears sympathetic. It suggests a “voluntary exchange of information” on cyber security, plus a formal procedure for NERC or its various regional reliability organizations (RROs) to provide external oversight of third-party decisions that identify critical assets, in order to assure a “wide-area view.” (See NOPR, ¶¶s 112, 113.) The majority of the industry disagrees, however, with some suggesting RROs would find the task overwhelming, as it would require particular knowledge of the capabilities of thousands of individual assets, plus minute details concerning software types, vendors, and vintages of equipment.
Meanwhile, NERC declines to include explicit guidance within the standards themselves to explain how to conduct a risk-based assessment to identify critical physical or cyber assets. “If ‘how’ language were included,” says NERC, “it would de facto become the only acceptable method. This would … potentially introduce common vulnerabilities … [and] could lead to other problems such as separate specific requirements for each manufacturer … as well as each model within a manufacturer’s product line.” (See, Comments of NERC, FERC Docket No. RM06-22, pp. 13-14, filed Oct. 5, 2007.)
NERC would prefer to draft a separate set of informal how-to “guidelines,” contained outside the standards proper. That