This is the second of two posts with actual good news. I apologize that I haven’t posted since the first post a week and a half ago, but I have been busy with my day job. Various people have inquired about my health, since I don’t usually write about positive developments. I can assure you I’m fine, and I will soon be back to my normal regime of relentless negativity.
The second good news is something I heard Mark Fabro of Lofty Perch say at GridSecCon two weeks ago (in the Monday training sessions[i]); it was just a side comment, and I’m not sure anyone else noted it as being significant. He was talking about cyber attackers trying to penetrate electric utilities, and pointed out that those utilities that have had to fully comply with NERC CIP (which means they have Critical Assets that contain Critical Cyber Assets) are very hard to penetrate.
Think about it. Mark is saying – and given his experience, he is certainly an authority on this subject – that a cyber attacker attempting to penetrate an electric utility will be much more likely to give up and move on to the next target if the utility has put in place the controls required by NERC CIP than if it hasn’t.
This kind of sounds like success to me; does it to you?
Of course, I point this out because there exists a sizable set of industry participants who believe CIP is a complete waste of time and money. And I will admit that a lot – perhaps the greater part – of the effort and expense required for CIP compliance is spent on paperwork exercises that don’t in themselves promote security at all. But it is good to hear that those NERC entities that have gone through the whole exercise have a much higher level of cyber security than those that have not.
So the real question then becomes: Is the increased security inevitably tied to the high level of paperwork? That is, would NERC entities put as much time and effort into cyber security if there weren’t mandatory standards?
Let’s say the answer to the above question is “No”. It still leads to another question, namely: Would there be a better method of enforcing compliance than the very prescriptive method used by the CIP cyber security standards? For example, if the cyber standards were written in the same way that CIP-014 is (or the CFATS standards for chemical facilities), would that eliminate a lot of the paperwork burden and expense? In CIP-014, the entity is just required, for each “critical” substation, to a) get a physical vulnerability assessment done, and b) act on the recommendations (this is of course a simplification of the standard, but not a huge one. This is the approach that FERC wanted, since there was no time to go through the process of developing a prescriptive standard like the CIP cyber security standards).
The answers to these questions are left as an exercise for the reader.
Update to my Previous Post
And now I have an update to my previous post (the first “good news” post), which celebrated what I believed to be the fact that CIP v6 was now essentially finalized, and there would be no further uncertainty about what was coming with CIP for at least the next few years. It turns out I was somewhat premature in saying this.
I was correct in saying that the Transient Electronic Device and Low impact requirements had passed the second ballot (of course, the first two items that were addressed in v6 – removal of the “Identify, Assess and Correct” language from 17 requirements, and protection for wiring between ESP devices that exits the PSP – had already passed on the first ballot). What I wasn’t correct in saying was that it was highly unlikely that the SDT would propose any further substantial changes for the third ballot (which is required by NERC rules even after a standard has passed on the previous ballot).
It turns out the SDT has decided they would like to address some of the comments made in the comment period that accompanied this most recent ballot, so they actually will be making some changes to the requirements that passed. This is of course the right thing to do, since the team obviously considers some of the comments – really suggestions for improvement – to be worth serious consideration.
This does mean, however, that there will still be uncertainty regarding the Transient Electronic Device and Low impact requirements. More importantly, it does raise the possibility, even likelihood, that these two items won’t be addressed in the submittal to FERC that is due by February 2015. That submittal will still happen, but it may just include the two changes that passed on the first ballot.[ii]
Even though it would be nice to have CIP all set in stone for a few years, I agree with the SDT that it is good to address significant suggestions for improvement while there is still the chance to do so. Once the standards are submitted to FERC and approved by them, there is no longer any possibility of change – and NERC has to go into contortions to try to clear up remaining ambiguities.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] Mark’s talk was part of the session on NERC’s Cyber Risk Preparedness Assessment program, in which they come onsite and run your utility through what seems to be a very well-planned scenario of cyber/physical attacks. Run by Orlando Stevenson of NERC, this looks like an excellent program.
[ii] These two changes – removal of IAC and wiring outside the PSP – were incorporated in the “-X” standards that were just approved. Those standards didn’t include the Transient and Low impact changes, in case they didn’t pass on this ballot. As it turns out, they did pass, but the SDT wants to amend them anyway. I believe the “-X” standards will be approved by the NERC Board of Trustees in November, and submitted to FERC soon thereafter. Since removal of IAC and the wiring issue were the only two changes that FERC gave a deadline for in Order 791, this means that NERC can submit the remaining two changes after the February deadline; it is now possible they will do that.