Utilities are gearing up for cyber security compliance. Will the standards prove worthy?
Michael T. Burr is editor-in-chief of Public Utilities Fortnightly. Scott M. Gawlicki provided some content for this story. Email Michael at email@example.com.
When Alison Silverstein limped into an Arlington, Va., hotel meeting room in March 2002, few would have guessed the woman on crutches would throw down such a heavy gauntlet.
But broken foot notwithstanding, the senior policy adviser to then-FERC Chairman Pat Wood carried a weighty ultimatum. Just six months after the 9/11 terrorist attacks, she told members of the NERC Critical Infrastructure Protection Committee to secure the grid, or the federal government would secure it for them.
Actually Silverstein’s message was slightly more nuanced.
“I gave them two options,” she says. “One, you write the rules you want to live with; or two, I’ll get a bunch of federal bureaucrats who don’t know much about the utility industry to draft a set of rules. And you know what bureaucrats will do.”
The committee got the message. NERC began developing standards and guidelines for its members to use in securing the nation’s critical power infrastructure, particularly against cyber attack or misuse. But disagreements over the details — especially potential compliance costs — delayed the process and forced multiple revisions that made the standards more flexible and easier for the industry to meet.
“With the earlier drafts, the critical-asset standards were very specific,” says David Grubbs, transmission manager for City of Garland, Texas. “But there was so much opposition that what’s left is really nebulous. Now it’s really more of a risk-based analysis process.”
The Northeast blackout in 2003 raised the ante, turning attention toward reliability in general. The Energy Policy Act of 2005 (EPAct) created a legislative mandate for reliability standards, and led to NERC gaining enforceable authority as the FERC-designated Electric Reliability Organization (ERO).
Amid these upheavals, the CIP-standards process crawled forward. And finally — after five years, an act of Congress, a FERC staff report and a FERC NOPR — the final CIP standards are now emerging, accompanied by a compliance and enforcement regime (see sidebar “ERO Enforcement Emerges”).
The good news is the CIP standards are working. “Maybe they aren’t perfect, but boy are they having the desired effect,” says Dale Peterson, president of cyber security consulting firm Digital Bond Inc. “We’ve seen a dramatic increase in the level of effort by a large number of utilities.”
That doesn’t mean, however, the cyber security journey is over — either in terms of implementation or policy development (see “Commission Watch,” p.46). By all accounts, the industry is taking just the first shaky steps toward a more secure utility grid.
To be sure, the NERC CIP standards represent an historic achievement. They include the first mandatory cyber security requirements of their kind to be imposed on a U.S. private-sector industry. Considering the scope and sensitivity of the grid-security issue, developing a set of enforceable standards inevitably would entail a complex and contentious process. From that perspective, NERC, FERC and the industry have made remarkable progress, and their efforts deserve accolades.
“I’ve been very impressed by NERC’s leadership in this domain,” says Darren Highfill, utility communications security architect with EnerNex Corp. in Knoxville, Tenn. “From an organizational standpoint and within the scope of NERC’s charter, I think they’ve done a very good job. The CIP standards are procedural and not prescriptive. They cover all the bases and they are pretty well constructed.”
But as a first effort, the standards are destined for refinement, strengthening and possibly expansion as the industry discovers weak links in the regulatory fence.
For example, the standards give regulated entities the task of identifying which of their assets will be subject to regulation, with little specific guidance about how they should conduct the process. In effect, this means utilities decide what systems CIP-compliance auditors will examine if they come a-calling (see “Defining ‘Critical Assets’”).
Additionally, the standards exempt many assets common sense suggests should be included in any logical definition of “critical infrastructure.” Speaking on condition of anonymity, a manager for a major T&D utility told Public Utilities Fortnightly, “We operate the largest transmission system in our state and we may end up with the smallest number of critical cyber assets. That’s because most of our substations are not IP (Internet Protocol) or dial-up accessible.”
The CIP cyber standards govern only systems using IP communications, while many utilities’ control systems use serial or point-to-point connectivity (See “Aurora Attack”). “That’s a weakness in the standards,” the manager says. “They don’t require us to protect those assets.”
Additionally, the standards exclude assets regulated by the Nuclear Regulatory Commission (NRC)—which means some of the largest power plants on the grid, with the highest-profile safety issues, are exempted. (The NRC imposes its own security requirements on nuclear licensees.)
Also, the standards apply only to NERC-registered entities and others with assets that are critical to the bulk-electric grid—a term NERC defines in fairly general terms. NERC and most of its control areas consider 100 kilovolts the working threshold between distribution and bulk-power assets, but even that definition falls short.
“There is no universally accepted definition of bulk power,” says Tobias Whitney, compliance and infrastructure-protection practice leader at Burns & McDonnell in St. Louis. “In practical terms, utilities generally consider it anything that could contribute to a cascading blackout like what happened in the Northeast. But there’s a gap between the definition and what’s practically considered the bulk-electric system.”
This gap could represent a dangerous loophole. To the degree utilities are uncertain about their compliance requirements, that uncertainty might expose the entire bulk grid to security risks. Further, the CIP standards don’t apply to interdependent infrastructure, such as pipelines and telecommunications networks, or to most municipal utility systems—even large ones with hundreds of thousands of customers.
“Some distribution systems are almost bulk systems,” says Larry Bugh, chief security officer at Reliability First, the NERC regional entity covering PJM. “Some distribution systems are operated in a fashion that could impact the reliable operation of the grid, at least in a local area. Do those folks need to think about infrastructure protection and cyber security? They probably do, but we have jurisdiction issues today.”
The most obvious omissions from the CIP standards result from NERC’s focus on regional-grid reliability, rather than local distribution. Plus EPAct authorizes the ERO and FERC to regulate the bulk-electric system and nothing else.
“The NERC CIP standards point to interdependency issues with regard to coordination with other areas, such as fuel supply,” says Joseph H. McClelland, director of FERC’s Office of Electric Reliability. “The Commission’s authority under Section 215 of the Federal Power Act, however, does not extend to other infrastructure outside of the bulk-power system.”
Beyond those reasons, however, the administrative structure of NERC—as an industry-financed and industry-governed association—seems to have affected the way the standards evolved.
Several sources, speaking to Fortnightly on condition of anonymity, observed the NERC CIP standards were developed in a way that allows utilities to develop security strategies based on implementation cost and business implications, rather than an empirical risk threshold.
“The cyber-asset standard is loosely written,” says one utility manager. “NERC did that to get membership buy-in.”
Most notably, the standards repeatedly state that entities should use their “reasonable business judgment” in compliance. This leeway makes a certain amount of sense, because it helps ensure security requirements don’t cause unintended consequences, or result in unjustifiable investments. But it also results in an ill-defined and weak standard.
FERC noted as much in its July 20, 2007 NOPR: “The Commission acknowledges that cost can be a valid consideration in implementing the CIP reliability standards. However … it is unreasonable to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own ‘business interests.’ Business convenience cannot excuse compliance with mandatory reliability standards.”
The FERC NOPR directs NERC to remove the “business judgment” language from the CIP standards, and FERC’s comments in general suggest the standards will get tougher in the future. “FERC can throw back standards that aren’t good enough, as they already have done,” Silverstein says. “That forces NERC to rise above the lowest of its members’ interests, and write tougher standards.”
Nevertheless, to the degree the NERC administrative structure tolerates weak standards, it could leave the grid more exposed than it should be.
“NERC is in a weird position, with two conflicting masters—the regulator and the regulated,” Peterson says. “Now FERC is asking them to modify the standards, and NERC rules require a consensus of members. That’s backwards; regulated people don’t get to say, ‘Let us decide if this is acceptable.’ They will continue to have this problem until they structurally separate the ERO from the bulk-electric system.”
Given NERC’s jurisdictional limitations and potential conflicts, many industry analysts question whether the organization is the right agency for promulgating and enforcing security standards for the industry. (NERC officials declined to comment for this story, given the organization’s policy on ex-parte communications.)
“The NERC CIP standards are really just a starting point,” says Joe Bucciero, senior vice president with KEMA Consulting in Philadelphia, Pa. “They’re a good start, but they’re certainly not enough. More needs to be done. Whether NERC is the right one to do it is another question.”
In particular, as the distribution grid becomes more automated, and operational systems get connected with enterprise systems, the bulk-power distinction loses relevance in terms of cybersecurity and critical infrastructure threats.
“With cyber systems crossing so many different areas, we need a super-NERC,” Bucciero says. “Maybe NERC should just focus on reliability, and a separate cyber counterpart should look across the industry, irrespective of the voltage level.”
Although FERC lacks the authority to take such a holistic approach to regulating security, the necessary authority might be available under the aegis of DOE or the Department of Homeland Security. Alternatively, Congress could enact new federal authority for such an agency.
Or perhaps such authority isn’t really necessary. Groups like IEEE successfully promulgate standards without legal authority, and in the long term a non-regulatory approach might prove more successful than stretching mandatory standards further than existing institutions feasibly could enforce. Apart from national-security level concerns, which the CIP standards are intended to address, perhaps cyber security should be treated the same as any other operational or business risk. Utilities might be expected to apply “reasonable business judgment” and protect their systems appropriately without an intrusive regulatory regime.
“You can’t be everybody’s mommy,” Silverstein says. “You can’t cover all the sharp edges in the world. People have to protect their own business interests and assets.”
In the short term, utilities have their hands full complying with the mandatory CIP standards, while also grappling with cyber security vulnerabilities outside the bulk-electric system. Indeed, NERC CIP compliance likely will be just the beginning of a long and complicated journey for the industry.
“This stuff is not easy or cheap,” Silverstein says. “These are huge operational changes. It seems to me you have to walk before you can run.”