There's been a lot of buzz in the news lately about the new security regulations that electric utilities need to meet. In this tip, we'll cover how security solution providers can help utilities become compliant.
What is NERC? What is FERC?
These rules have been mandated by the Federal Energy Regulatory Commission (FERC) -- a Federal organization overseeing interstate transportation and marketing of energy. In turn, these requirements are being written and enforced by the North American Electric Reliability Corporation (NERC) and associated regional coordinating councils, with substantial input from the utilities themselves. NERC is headquartered in Princeton, N.J., and is an international, independent, self-regulatory, not-for-profit organization, whose mission is to ensure the reliability of the bulk power system in North America.
The nine rules being imposed are called the NERC Critical Infrastructure Protection (CIP) standards and are often referred to as NERC CIP-001 to CIP-009. The standards constitute about 47 requirements and approximately 100 sub-requirements.
The standards are organized by topic as follows:
- CIP-001 – Sabotage reporting
- CIP-002 – Critical cyber asset identification
- CIP-003 – Security management controls
- CIP-004 – Personnel and training
- CIP-005 – Electronic security perimeters
- CIP-006 – Physical security of critical cyber assets
- CIP-007 – Systems security management
- CIP-008 – Incident reporting and response planning
- CIP-009 – Recovery plans for critical cyber assets
The overriding goal of CIP-002 through CIP-009 (CIP-001 generally isn't tied to cybersecurity) is to ensure the bulk electric system is protected from unwanted and destructive effects caused by cyberterrorism and other cyberattacks, including attacks from within the utility (i.e., insider threats). Essentially, FERC -- through NERC -- wants assurance that the main electric grid in North America will not fail due to cyber-related vulnerabilities and subsequent attacks.
The bulk electric system includes electrical generation resources, transmission lines, interconnections with neighboring electric grids, and associated equipment, generally operated at voltages of 100,000 volts or higher. Large transmission towers and the huge substations on the transmission grid are part of the bulk electric system. However, the distribution power lines and equipment -- operating at a much lower voltage in neighborhoods -- are not included in the NERC CIP standards.
To ensure that utilities and affected electric energy companies are focused on the right systems, the NERC CIP standards offer a sequenced approach to identifying critical cyberassets. But companies must first understand what their "critical" assets are. These are facilities, systems and equipment which, if destroyed, degraded or otherwise rendered unavailable, would affect the reliability or operability of the bulk electric system. These assets normally include system control centers, large generation facilities and critical substations, to name a few.
Companies then must closely examine these critical assets and identify the cyber aspects that could directly affect the more general critical assets in the event of a hacking or failure. Such an event could result in a negative impact to the critical asset, and eventually cascade to the bulk electric system.
This represents an opportunity for solution providers, as some utilities may need assistance with creating this asset inventory and identifying the "critical assets."
NERC CIP standard opportunities for solution providers
The standards themselves are primarily focused on programs and processes and not so much on implementing specific technologies. Interestingly enough, most Supervisory Control and Data Acquisition (SCADA) systems are on the "edge" of inclusion in the NERC CIP standards because they tend to operate in layer 2 of the OSI model, whereas, the primary focus of the NERC CIP standards is on those systems that are TCP/IP or layer 3-based.
Many utilities will need assistance with system penetration and vulnerability testing of the critical cyber assets, as well as cyber systems used to provide physical protection of critical cyber assets. In these cases, a utility may be interested in assistance from a trained and experienced solution provider to provide the vulnerability testing, and detailed reports for audits.
The NERC CIP standards needed to be implemented by June 30, 2009 for substations, system control centers and other affected systems except for electricity generation assets. The generation assets must be compliant by Dec. 31, 2009. In addition to these deadlines, the NERC regional entities are now performing spot checks (essentially a limited audit) at utilities with a narrow focus on the first 13 standards that needed to be fulfilled in 2008 for system control centers.
Right now, most utilities are moving at break-neck speed to ensure they are compliant with NERC CIP standards. Their primary motivation is that NERC may -- and has -- imposed fines on utilities for non-compliance with the NERC CIP standards.
The primary way solution providers can help the utilities is by assisting them in implementing what I call "holistic, pragmatic security," and that can include a number of things. Some need help writing policies, standards and procedures that meet the NERC CIP standards. Other utilities need help with establishment of Electronic Security Perimeters (from CIP-005) with firewalls and other perimeter technologies. Still other utilities need help with personnel training and personnel background checks as well as strong, well organized physical and logical access control systems (CIP-004, CIP-006 and CIP-007).
Overall, this is just the beginning for the electric energy sector. NERC continues to provide reports on its audit findings and deliver analyses of electric grid events to FERC. Version 3 of the NERC CIP standards is currently under development, and will focus on inclusion of the level-2 SCADA protocols, encryption of communications, forensics following a cyber incident and closer alignment with the National Institute of Science and Technology (NIST) standards for cyber security. These future areas of inclusion for the CIP standards may be an area where security solution providers can assist utilities in their compliance activities going forward, as they can help lead utilities in developing information and infrastructure security programs that more closely resemble some programs in place in other industries. Regardless, revised standards are already expected in 2010 or 2011.
What's next? Hold on to your hat!
About the author
Ernie Hayden is the former CISO for the Port of Seattle, Group Health Cooperative and most recently Seattle City Light where he coordinated the efforts regarding NERC Critical Infrastructure Protection compliance. Ernie holds a CISSP and a Certified Ethical Hacker and lives in the Seattle area.