Waiting on NERC: What's Next for Cyber-Security?

As NERC’s CIP standards advance, utilities move ahead, haltingly, with implementation.

Fortnightly Magazine - August 2006

Price and supply issues dominate the discussion in the electric industry in the summer of 2006, but it wasn’t long ago that another issue—security—captured the industry’s attention. Now, it’s back again.

In the aftermath of Sept. 11, 2001, physical security issues came to the fore. How could plants be protected against terrorist attacks? After the 2003 Northeast Blackout, cyber-security concerns, never far from the front burner, began to predominate.

“[Security is] a major issue with our members,” says Edison Electric Institute spokesman Jim Owen. “Security, both physical and cyber, very much remains on the radar screen of our senior management.”

While the North American Electric Reliability Council (NERC) has put together standards addressing both areas of security—physical and cyber (see sidebar “Fox, Deer, and Pranksters”)—it’s the organization’s proposed cyber-security effort that reached another milestone in June, when the Critical Infrastructure Protection (CIP) standards were passed.

Refinements to the standard are still to come. At press time, the newly passed standards had been assessed by the Federal Energy Regulatory Commission (FERC), and the comment period had just closed for utility-industry participants affected by the standards. The commission would not officially comment about ongoing proceedings.

As the government turns its focus to cyber-security, investor-owned utilities are anticipating their next move to ensure reliability.

Tied to ERO Approval

NERC’s efforts to standardize cyber-security across the utilities industry have been ongoing, but only recently have the standards moved toward becoming mandatory. Previous cyber-security rules, including NERC’s 1200 standard, were voluntary.

“The 1200 standards were ‘urgent action standards’ put into place in 2004, with the plan that they would be replaced by the 1300 series in 2005,” says NERC’s Stan Johnson, manager of Situation Awareness and Infrastructure Security. “The 1300 series never officially saw the light of day. The 2005 date was not met. The [Critical Infrastructure Protection] standards … are the replacement for the 1200s, which are now null and void. They’re gone.”

NERC has applied to FERC to be the new Electric Reliability Organization, mandated by the Energy Policy Act of 2005. If FERC approves NERC as the ERO, the newly passed cyber-security standards—CIPs 002-009—will become enforceable.

“For the next year, there are no teeth [to the standards],” says Robert Ayoub, an analyst at Frost & Sullivan. “In the future, fines might be ... significant.”

According to Johnson at NERC, the recently passed cyber-security standards will be “mandatory as much as any NERC standards are mandatory, as soon as we are declared the ERO.”

Beyond that date, the timeline for implementation spreads out several years, with threatened fines for those not in compliance. “Certain parts of the standards go into effect at different points, spread out over a three-and-a-half-year period,” Johnson says (see “NERC Reliability Standards: The Good, the Bad, and the Fill-in-the-Blanks”).

As for potential fines, Johnson says that if NERC is designated as the ERO and authorized to conduct company audits, any company “found to be deficient” will be subject to fines. “Those fines can be fairly substantial,” Johnson says. “Depending on the nature of the violation and whether it’s a first violation or repeat violation, the severity of the fines escalates and can be in the six-, even seven-figure range.”

Implementation schedules will depend, in part, on whether a company has been telling NERC that it’s been in compliance with the voluntary 1200 standards. “The 1200 series required companies to do self-audits, and self-verification, so if they’ve been telling us all along that ‘Yup, [they’ve] been doing what they should do,’ and ‘Yup, [they’re] compliant,’ what this new series says is, that’s good news: Now you’re going to have to prove it to us.”

Too Long a Timeline?

Threats of fines aside, not everyone in the industry is as excited about the potential of NERC’s new standards to prevent cyber attacks. With worms and viruses constantly morphing, many utilities say that, with each passing day, their networks are vulnerable to threats from without or sabotage from within.

KEMA’s Joe Weiss continues to sound the alarm about network vulnerabilities. Working at the SCADA Test Bed at the Idaho National Engineering and Environmental Lab, he sees the pitfalls of various control systems day in and day out. An implementation timeline going out nearly four years is little comfort against cyber attacks, Weiss says, and that lack of urgency will fail to persuade utilities not already on board to come around to NERC’s way of thinking.

“If cyber is real, how on God’s green earth are we sitting around doing nothing?” Weiss asks. “And if cyber isn’t real, why are we doing anything? A number of utilities feel that if they are not within NERC scope, they won’t do anything. Another group feels this is important to their business and will do it anyway.”

Weiss’ concerns aren’t limited to vulnerable SCADA systems. They apply to the other pieces of utility infrastructure, because, Weiss says, as far as utility security goes, “a utility is only as strong as its weakest link.” NERC, however, is mandated to focus only on the bulk electricity grid. That’s not enough to shore up cyber-security, according to Weiss.

“The positive development [with NERC’s new standard] is, you’ve now got a standard. The negative is, in a funny sense, you now have a standard.

“We’re starting to find cases where the NERC standard would not have precluded [the incidents], but could have camouflaged them. Some of these have happened over the past six months. …

“I think there are people who think this standard covers a whole lot more than it does. … Part of why this is difficult, and wrong from the beginning, is we’re talking cyber, electronic communication.”

Reliability traditionally has referred to what size plant or substation could go down without affecting the reliability of the grid, but the electronic connections involved with cyber make size irrelevant, Weiss says.

“A very small substation or power plant, if it’s electronically connected, can affect the whole grid. … As written now, these units are outside the purview of the NERC standards. Transmission talks to the distribution. Substations serve both. But we’ve excluded distribution.”

Weiss says the standards need to be broadened to address the fact that legacy systems—whether SCADA systems, power plants, or legacy substations—have different technical capabilities than do new systems.

Test-Bed Trials

Workers at the SCADA test bed, part of the Idaho National Laboratory, are doing their part to shore up the industry against cyber attacks.

The test bed, a joint program with Sandia National Laboratories and backed by the Department of Energy, received its first dedicated funding in May 2004 and now works with four SCADA vendors: GE, ABB, Areva, and Siemens.

“We’re in discussions with two more [companies],” says James Davidson, principal investigator at the lab. “It’s been gradually expanding. It started with ABB. They were the first ones in the door and were just tremendous at helping us get started. And then Areva followed, then GE, and Siemens. It’s just continued to build over the past couple of years.

“Our purpose is to identify potential vulnerabilities in systems, find mitigating strategies, and look for commonalities across platforms that are indicative of a farther-reaching problem. Then to take what we learn and get it back into the vendor and user communities—lessons learned and best practices.”

During testing at the site, Davidson and his colleagues discovered numerous areas of weakness that open the door to system attacks. Among the problem areas: unencrypted communications, account management, communications authentication, general coding practices, and unpatched components.

Bill Brownlee, vice president of marketing at Emerson’s Power and Water Solutions division, says his company wasn’t convinced of the benefits of participating in the test-bed program. Emerson’s Ovation system is used by numerous major utilities, including Dominion, Southern Co., AEP, TVA, Xcel, Duke, Entergy, FPL, Exelon, and Progress Energy.

“We knew early on which direction [the NERC CIPs] were going and could react as they changed. When June 1 came ... we were already compliant. The new systems we ship today, the [security requirements] come built into the system.” A recent deal with Symantec adds other key abilities, such as virus protection.

To meet NERC’s compliance deadlines, Brownlee says, users need to begin now so that any expenses can be built into their budget cycle.

Even so, Brownlee says, “You can never guarantee beyond a shadow of a doubt that you have fool-proof security, but there is a reasonable level where you can say, ‘We’ve done everything reasonably achievable to provide a level of security in this infrastructure,’ so that the level of effort somebody would have to make in order to hack into the system is not worth the result.”

Davidson echoes that thought. “There’s no such thing as a secure system. The key to any cyber-security is ‘defense in depth.’ You can liken it to setting up multiple barriers, to where an attacker has to get across barrier after barrier after barrier before they can actually get into the SCADA system. So they’re more likely to go somewhere else. Just like locking your door. If your door is locked a burglar is liable to go next door, to a door that’s unlocked.”

Davidson attends vendor user groups to get feedback from the field, and he heads up outreach efforts to report lab findings back to the industry. In doing so, he says, utilities are better prepared to meet any cyber-security standards that may be imposed at a future date.

“While many people are focused on NERC compliance, we’re focused on how to secure systems and use that to meet NERC compliance requirements,” he says.

The new requirements not only strengthen system integrity against outside threats, but help address the threat from disgruntled employees and other insiders, who can severely damage systems as a way to retaliate against their employers. “It’s just poor practices that allow those [events] to occur,” he says. “But part of the CIPs is so that everybody understands that poor practices aren’t acceptable any more. You need to have passwords. If somebody leaves the company, you need to immediately remove their account from the system. The [CIP] requirements cover those things.”
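One control in that paragraph, removing a departed employee’s account promptly, lends itself to a routine reconciliation check between HR separation records and the accounts that actually exist on a control system. The following is an added example, not code from the article, from the INL test bed, or from any vendor; the separation records, the account snapshot and its field layout are constructed sample data.

```python
from datetime import date, timedelta

# Constructed HR separation records (not from the article): username -> last day worked.
SEPARATIONS = {
    "jdoe": date(2006, 6, 2),
    "asmith": date(2006, 5, 20),
    "rlee": date(2006, 7, 1),
}

# Constructed snapshot of accounts on an energy-management system:
# (username, enabled, last login date or None, owner_known)
ACCOUNTS = [
    ("jdoe", True, date(2006, 6, 30), True),     # separated, still enabled, used afterwards
    ("asmith", False, date(2006, 5, 19), True),  # separated and disabled: compliant
    ("rlee", True, date(2006, 7, 5), True),      # separated, still enabled
    ("mchen", True, date(2006, 7, 6), True),     # current employee
    ("scada_svc", True, None, False),            # shared account with no named owner
]

# Review date for the stand-alone run below (assumed).
AS_OF = date(2006, 7, 10)


def review_accounts(accounts, separations, as_of, grace_days=0):
    """Return one finding dict per problem: a separated user's account still
    enabled past the allowed grace period (with days overdue), a login that
    occurred after separation, or an account nobody owns (activity on it
    cannot be attributed to a person)."""
    findings = []
    for user, enabled, last_login, owner_known in accounts:
        if not owner_known:
            findings.append({"user": user, "issue": "no_owner"})
            continue
        if user not in separations:
            continue
        last_day = separations[user]
        deadline = last_day + timedelta(days=grace_days)
        if enabled and as_of > deadline:
            findings.append({"user": user, "issue": "enabled_after_separation",
                             "days_overdue": (as_of - deadline).days})
        if last_login is not None and last_login > last_day:
            findings.append({"user": user, "issue": "login_after_separation",
                             "login": last_login.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, SEPARATIONS, AS_OF):
        print(finding)
```

A post-separation login is reported even when the account has since been disabled, because that event still needs to be explained in the audit record.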

ISAC Keeps an Eye Out

With the industry still on the early part of the implementation curve, NERC remains committed to overcoming threats to the bulk electricity network, whether from individuals or Mother Nature. Through operation of the Electricity Sector Information Sharing and Analysis Center (ISAC), NERC stays abreast of reports of possible cyber events, working with other NERC members—and the other critical infrastructure ISACs—to coordinate a response to infrastructure damage.

NERC’s Stan Johnson says there’s “a fairly high level of activity” at the ISAC, but many reported events don’t rise to the level of a cyber attack. “We had a situation that turned out not to be an attack, but more on the business side. An employee used passwords that disrupted the energy trading in the Western part of the United States. We investigated it and found out what happened. It was clearly identified as to who had done it. Our role is to make sure that the system’s integrity is maintained.”

The Electricity Sector ISAC also was involved with last year’s major hurricanes—Katrina, Rita, and Wilma. “We shared information between critical infrastructures,” Johnson says. “I don’t know that we were able to prevent any damage, but we certainly were able to assist in any restoration.”

During the hurricanes, the Department of Energy needed to determine from Entergy the number of its towers that had been damaged, and the number of miles of transmission lines on the ground. “We were able to go to the people we work with at Entergy and get that. DOE then factored that into its situation reports,” Johnson remembers. The Electricity Sector ISAC also communicated information to the Telecom ISAC, as telecom companies in and around New Orleans tried to restore their critical facilities. “Entergy got some of its maps and figured out what their restoration strategy was in that part of New Orleans, so we were able to work with the telecom sector,” Johnson says.

Weather events and terrorism threats remain real, Johnson says, although experts believe the greatest vulnerability of cyber systems is not from outside sources, but from insiders. Still, “whether the threat is internal or external, caused by Mother Nature or terrorists, or all of the above, it’s a full dimensional threat,” Johnson says.