I recently wrote two posts – here and here – on lessons that can be learned from CIP-014, the standard for physical security of critical substations, which came into effect two years ago. I’m interested in CIP-014 because it was the first objectives-based CIP standard; it was followed by two other such standards, CIP-013 and now CIP-012. There are also at least three objectives-based requirements: CIP-003 R2, CIP-007 R3 and CIP-010 R4. In fact, all of the standards and requirements that NERC has developed since CIP version 5 have been objectives-based, mostly because FERC has made it clear in its orders for new standards that it wants them to be objectives-based (and I am quite sure that FERC will order all new standards going forward to be such). I think it’s very helpful to take account of these lessons, since doing so will help not only the entities that have to comply with CIP-014, but also all the entities (a much larger group) that have to comply with CIP-013, the new supply chain security standard.
In the previous two posts, I discussed two things I learned from talking with a CIP physical security compliance specialist at a large utility, both based on experiences they had while getting ready to comply with CIP-014. However, I recently attended a meeting of one of the NERC regional entities and talked with two entities that had already been audited on CIP-014 and had some interesting experiences in their audits. In this post I’ll discuss an important fact I learned from those two conversations (without identifying the two entities, of course). And I’ll draw on other things I learned from these conversations in an upcoming post on the question of how standards and requirements that are based on the entity’s developing and implementing a plan can be audited (actually, on whether they can be audited in any meaningful sense. You’ll have to stay in suspense on this point until I write the post).
You can download CIP-014 and read about the standard, which has six requirements. What’s most important for this post are requirements R4-R6, which seem to be where a number of NERC entities are running into trouble. Requirements R1-R3 are about determining which substations (and control centers) are in scope for the standard, while R4-R6 cover:
- R4: For the substations and control centers that are in scope, conduct an assessment of those facilities’ “potential threats and vulnerabilities” to physical attack;
- R5: Develop and implement a physical security plan that “covers” each of the substations and control centers in scope; and
- R6: Have a qualified third party validate both the R4 assessment and the R5 plan. The third party may recommend changes to either document; the entity must change the assessment or plan to reflect those recommendations, or document why it did not. And since the plan has to be implemented, any changes to the plan will also need to be implemented.
Both entities reported a serious issue with the auditors based on the following:
- CIP-014 R1 requires the entity to conduct a risk assessment of all of their “Medium impact” substations and perform an analysis to determine which of those “if rendered inoperable or damaged could result in instability, uncontrolled separation, or cascading within an Interconnection.” Note that this is a holistic criterion: it looks at what will happen if the entire substation is taken out, not if any particular Facility within the substation (e.g. an individual transformer or bus) is rendered inoperable.
- In R4, the entity is required to perform an “evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission substations…” Note again that this is a holistic criterion. The attacks in question are ones on the substation itself, not on any individual Facilities in the substation.
- R5 requires the entity to develop and implement “documented physical security plan(s) that covers their respective Transmission stations…” Once again, this is a holistic requirement; the plan is for the whole substation, not for any of the Facilities found at it.
You may suspect where I’m going with this. It seems pretty clear that the requirements as written only address the substation as a whole. Specifically, the evaluation of threats and vulnerabilities and the physical security plan seem to apply only to the entire substation. But guess what the auditors are looking for? You’re right – they’re looking for the security plan to address protection of the Facilities at the substation, not just the substation as a whole!
In fact, both entities I talked to said they were specifically called out on the fact that their R4 threat and vulnerability assessments and their R5 physical security plans didn’t address the transformers and other Facilities (like buses) at the substations. One entity received an Area of Concern because of this, while the other received an actual Potential Non-Compliance finding. Yet, as you’ve just seen, nowhere in the CIP-014 requirements is there any mention of anything but the substation as a whole!
Now, I’m certainly ready to admit that the auditors weren’t unreasonable in telling both entities that they need to address this issue. After all, the snipers who carried out the Metcalf substation attack, which prompted FERC to order this standard, didn’t destroy the substation; they just attacked a number of the transformers. But they were almost able to have a major impact on the grid in that area. So it’s not unreasonable to expect that NERC entities that own critical substations should take some steps to protect the individual Facilities there.
It may not be unreasonable, but it’s also not required by the language of CIP-014! So this is one area where the auditors need to simply issue an Area of Concern and stress that this is something the entity should strongly consider doing for grid security, even though it’s not in any way required.
And why isn’t it required? I think the drafting team must have simply made a mistake.[i] After all, FERC only gave NERC 90 days to draft and approve the standard – a mere blink of an eye in NERC-dom.
The views and opinions expressed here are my own, and do
not reflect those of any organization I work with. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] I also heard about another mistake the SDT (standards drafting team) made. The risk assessment required in R1 is specifically mandated (in R1.1) to be re-performed every 30 months. However, the threat and vulnerability assessment required in R4 doesn’t have to be re-performed at all! Yet I’ve heard auditors are asking utilities whether they will re-perform that assessment every 30 months. In this case also, the auditors should make clear that, while it isn’t required by the wording of the standard, it certainly makes sense to re-perform both assessments every 30 months, not just one of them.