As the balloting process for new cyber-security standards from the North American Electric Reliability Council (NERC) drew to a close, the industry group was gearing up for the difficult tasks ahead: ensuring rapid implementation of the new standards among NERC's members.
The new standards are scheduled for approval no later than Nov. 1, 2005, with compliance assessments to follow in 2006.
"Everybody would like to have [complied] yesterday, but the reality of it is that it's going to be a couple of years out before real compliance is there," says Dave Harries, system administrator with Pacificorp.
But first the new NERC standards, CIP-002-1 (Critical Infrastructure Protection) through CIP-009-10, need to be approved by NERC's membership, with the final balloting process scheduled shortly after press time for this article. The new standards advance and expand upon the NERC 1200 standard, approved by the industry in July 2003 and adopted by NERC in August 2003; although that approval came not long after the Sept. 11, 2001, terrorist attacks, its timing wasn't tied to those attacks.
"[Approval] did happen after 9/11, but it really had to do with the growing threats to our infrastructure, or the recognition of the threats, and the increasing vulnerabilities that we were facing because of the new technology that was being introduced," says NERC Chief Information Officer Lynn Constantini. "That [standard] was really just to raise awareness and bring all of the different entities within our sector that had some involvement in the bulk electric grid in reliability up to the same level playing field, minimal level of security. Once we were assured that everybody was doing at least the minimum, then we went and took the next step."
However, the industry continues working with the NERC 1200 standard while the new standards (formerly dubbed NERC 1300) remain open to "lots of comment from anybody who's interested," Constantini says. The CIP standards were, at press time, in their third round of public review and comment, while NERC tried to amend its rules to extend 1200 past its scheduled August expiration.
"We have made, I think, a demonstrable effort and significant progress toward the 1300. However, we're not done," Constantini says. "We haven't built a significant enough consensus.
"NERC believes so strongly that cyber-security standards are important for securing our infrastructure and protecting reliability that we do not want a gap in our protection. That's why we want to change the process to allow 1200 to be extended again. That's only because we have been making progress on the 1300."
Why the drawn-out process? Constantini says the new CIP standards "significantly expand" the scope of the earlier standard, "and that has people worried." She also acknowledges a lack of clarity in the language used in earlier versions of the standard. "For people to understand what it is that was going to be required of them, it's incumbent upon the drafting team to do a very good job. Definitions were vague as well, what constituted a critical asset, and from that list then what were the cyber assets that needed to be considered for protection.
"It wasn't really that the industry doesn't want cyber-security standards. It just wants to be very clear as to what they'll be expected to do. And that's the benefit of the consensus-building process. They certainly told us where we needed to be more clear."
One of those questions: the implementation timeframe for NERC members and utilities to bring their systems in line with the CIP standards.
"We're trying to get the implementation timelines into a reasonable frame," says Pacificorp's Dave Harries. "We're such a large organization that it's going to take us an extended period of time to be compliant, which is one of the reasons we've pushed back on them for the implementation schedule."
Harries called NERC 1200 "a first pass" at cyber-security, noting that the 1300 standard "started bringing in the physical side a little bit more heavily," while the CIP "basically unites the whole lump together." But he says Pacificorp is "essentially there on the cyber side; we were there to start with."
Harries' confidence is thanks, in part, to the continuing equipment upgrades Pacificorp has made to its infrastructure. The company is bringing in a new energy management system (EMS) from ABB.
"As we've acquired Utah Power and other [companies], we've collected more and more disparate systems. This [purchase] is an attempt to consolidate it all into a single platform. It's going to be a phased implementation. It's in site-acceptance test as we speak."
Last March the company purchased TECSys's ConsoleWorks software to aid with documentation and remediation of any system problems. Indeed, such documentation is part of the CIP standards.
"One of the things [the new NERC standards do] is enforce a much higher level of documentation and tracking of responsibility of changes," Harries says. "In the past, things could be very ad-hoc.
"[Now] you have to document everything and allow for the responsible parties to be involved and take that responsibility."
But Harries does not expect a terrorist attack on his system. Rather, he sees human error as the biggest threat to system integrity.
"We don't really worry that greatly about people coming in and stealing information," he says. "We worry more about the stability of the system. Your biggest vulnerability is probably your network. I've yet to see any real malicious attempts at degradation. Generally it happens more by human error than anything else."
But it's not only an organization's scale that affects future implementation. Budgetary issues also play a role.
"Various portions of the standards are going to require far more work of our members than others," said PJM Chief Security Officer Tom Bowe. "If these standards do get approved in October, many of these organizations already will have passed the budget cycle for planning for 2006. That might be a problem for some of our members."
Tom Kropp, manager, information systems at EPRI, voices a similar concern. "The 1300 standards would put the industry on a solid footing. … but it's not just a technical issue. What it comes down to is, what are people willing to pay in order to have the power system secure? There's a limited pot of money, so people are always going to have to make judgments from an economic sense, and sometimes from a political sense because regulations do carry some weight.
"That's how the industry is going to make a decision. They're going to weigh all these things and say, what are the costs if we implement this, and what are the costs if we don't implement it, just like any other business would.
"But I'm personally hoping the standards pass because it would give us a good basis for getting the industry toward a safe footing."
Bowe, also a member of NERC's Critical Infrastructure Protection Committee (CIPC), adds that the NERC implementation schedule is just one impetus for utilities and NERC members to make the cyber-security upgrades they already should have been making.
"We need to be proactive in this," Bowe says. "We don't need standards to get us motivated to continually enhance our security."