The article below is literally the best
press article I’ve ever seen on NERC CIP – and not just because I’m quoted! A
subject like CIP requires a reporter to invest a lot of time to learn it, as
well as have a good background on FERC and NERC. Peter Behr has both invested
the time and has the background.
This article is reproduced in its entirety,
with the permission of the publisher. To see the article online, you can go here.
Peter Behr, E&E reporter
Published: Monday, January 11, 2016
An official audit of
cybersecurity defenses on the nation's high-voltage power grid begins in
April, testing power companies' compliance with new, exacting federal cyber
regulations in an ongoing campaign to stay ahead of would-be attackers.
The federal rules are mandatory, backed by substantial
fines for serious violations. However, grid operators typically will not be
graded on a strict pass-fail, zero-tolerance compliance scorecard, according
to guidance from the North American Electric Reliability Corp., the federally
designated grid security monitor.
Instead, auditors will use considerable judgment in
assessing how well grid companies have complied with the fifth version of the
federal Critical Infrastructure Protection standards (CIP Version 5).
The leeway is a consequence of having to write and
enforce risk-based rules to ward off constantly evolving cyberthreats against
a high-voltage network that is itself in the throes of change, including more
digital controls and exposure to the Internet, officials said. And it
reflects NERC's goal of gaining cooperation with the industry over the
standards, the organization's statements indicate.
"We want to show that we don't necessarily have a
cookie-cutter approach," said Tobias Whitney, NERC's manager of CIP
compliance, speaking in a NERC webinar last month. "Facts and
circumstances will dictate how we monitor those entities," he added,
referring to the largest grid companies.
NERC turned down requests for interviews with compliance
officials about the audit process, referring instead to Whitney's comments on
the webinar and to guidance documents on its website.
"How strictly will NERC CIP 5 be applied? It cuts to
the core of the matter," said Lew Folkerth, principal reliability
consultant for ReliabilityFirst, one of eight regional industry organizations
to which NERC has delegated enforcement of its cyber rules.
"If you cannot strictly apply security standards,
then what good are they?" he asked in an interview. "If you apply
them too strictly, that is also a problem.
"The way things seem to be going is, we are trying
to chart a course right down the middle," he added. "We talk a lot
about risk-based compliance, risk-based security, risk-based everything. Part
of that risk assessment process is, what do the entities truly need to do to protect
their systems, without having to dot every i?"
Auditors will start with the operating companies whose
facilities are most critical to the security of the high-voltage grid and
will tailor their inspections to each company's situation, Folkerth said. For
example, grid operators that show they are on top of updating software
patches to deal with vulnerabilities may get the benefit of the doubt on some
other issues, he said.
"The audit teams can always go deeper if they need
to determine compliance," he said. If a grid company has "a history
of not doing their patching properly -- not on time or missing a patch -- I
would expect those would be thoroughly reviewed."
The CIP Version 5 rules, approved in November 2013 by
FERC in its Order 791, markedly expand security requirements over the prior
version, which took effect in 2010. FERC has announced it will make its own
spot audits of the new rules, an unusual intervention by the agency. FERC
staff were not made available to discuss the reasons for the decision (EnergyWire,
Nov. 4, 2015).
NERC officials have labored for more than 18 months with
industry representatives to pin down guidance on how companies can comply.
The task has proved so difficult that NERC pulled back compliance guidance
that it had issued in April last year on several key issues.
"NERC became aware that industry continued to have
concerns over the issues after it issued CIP Version 5 Memoranda dated April
21, 2015," a NERC memo recounted.
"On July 1, 2015, NERC hosted a small,
executive-focused face-to-face meeting to discuss the issues in the CIP
Version 5 Memoranda," NERC reported. The meeting included NERC and
industry leaders and FERC staff.
NERC said there was "convergence on several issues
and application of guidance, in addition to identifying areas that need
increased guidance or clarity."
Wrestling with ambiguity
A significant case of ambiguity in the rules involves
cyber regulation of the communications channels that carry vital data from
control rooms to a data collector device (a remote terminal unit, or RTU) in
a substation, and from there to relays that protect power lines from overloading
and overheating, NERC documents show.
In a much simplified example, when data or commands travel
over "routable" or programmable communication channels controlled
by software, there is a risk that attackers could gain access via an Internet
breach and block or corrupt the data stream. The CIP regulations generally
require cyber protection of such routable channels in strategically vital
grid facilities. If, however, data travels over a non-programmable
"serial" path such as a traditional telephone line or wireless
channel with point-to-point connections, the same cybersecurity requirements
don't apply under CIP Version 5.
"But there is a gray area," said Tom Alrich,
manager for enterprise risk service for Deloitte Advisory in Chicago, Ill.,
who regularly writes about the CIP process in his personal energy blog.
Data may travel over a routable connection from the
control center to an RTU but move from there to relays via serial connections.
Is that data flow routable or serial? Is it covered by CIP Version 5 or not?
"Well, the standards drafting team didn't really
address this particular issue, and it turned out to be absolutely huge,"
he added.
"Companies could have to spend millions of dollars
if the interpretation is one way or another" to protect thousands of
relays on the grid if they fell under CIP regulations, he said.
This was one of the issues on which NERC pulled back
guidance issued last April. The uncertainty over interpreting this will deter
auditors from issuing proposed violations against grid companies, he said.
"NERC has said now -- which I agree with -- that the
only way to fix the problem is to write new standards to elaborate on the
definitions. It needs to be revised. And that is the same thing as revising
the standard itself," Alrich said.
Alrich said a revision of the standard takes three to
five years to complete. He was asked whether cyber risks would persist during
that time.
"It would be a problem if the entities were just
going to blow it off and say, 'You know what, we're just going to declare
everything we have to not be externally routable.'"
NERC won't be able to issue violations on ambiguous
issues while the standards are being rewritten, Alrich said, adding that he
expects grid companies to continue interpreting the standards on their own.
"My guess is that 99 percent of NERC entities are still going to try to
comply to the best of their ability," he said.
Folkerth agreed. He advises companies that face
uncertainty in the new regulations to make prudent decisions on safeguards.
"If they take a reasonable, middle-of-the-road
approach, so they're not spending money without good reason, but they are
also minimizing their compliance risk, they should be in pretty good shape
for the audit," Folkerth said. "I suspect that if any entity is
truly not meeting the requirements of the language and standard -- and they
should know better -- they are going to get a possible violation written with
a fine attached."
Alrich said interpreting the regulatory guidance is
critical. "I call it 'roll your own.' You basically have to look at all
the guidance that comes out," he said. "You have to make a
good-faith effort and to learn everything you can. Then, if you make your
decision and thoroughly document it, you should be fine.
"If you don't bother to do that and say, 'I know
you're not going to enforce it, so why don't you take a hike' -- if they do
that, they're going to get a violation."
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.