Sunday, November 2, 2014

Breaking News: CIP Actually Works!

This is the second of two posts with actual good news.  I apologize that I haven’t posted since the first post a week and a half ago, but I have been busy with my day job.  Various people have inquired about my health, since I don’t usually write about positive developments.  I can assure you I’m fine, and I will soon be back to my normal regime of relentless negativity.

The second piece of good news is something I heard Mark Fabro of Lofty Perch say at GridSecCon two weeks ago (in the Monday training sessions[i]); it was just a side comment, and I’m not sure anyone else noted it as being significant.  He was talking about cyber attackers trying to penetrate electric utilities, and pointed out that those utilities that have had to fully comply with NERC CIP (which means they have Critical Assets that contain Critical Cyber Assets) are very hard to penetrate.

Think about it.  Mark is saying – and given his experience, he is certainly an authority on this subject – that it will be much more likely that a cyber attacker, attempting to penetrate an electric utility, will give up and move on to the next target if the utility has put in place the controls required for NERC CIP, than if it hasn’t.  This kind of sounds like success to me; does it to you?

Of course, I point this out because there exists a sizable set of industry participants who believe CIP is a complete waste of time and money.  And I will admit that a lot – perhaps the greater part – of the effort and expense required for CIP compliance is spent on paperwork exercises that don’t in themselves promote security at all.  But it is good to hear that those NERC entities that have gone through the whole exercise have a much higher level of cyber security than those that have not.

So the real question then becomes: Is the increased security inevitably tied to the high level of paperwork?  That is, would NERC entities put as much time and effort into cyber security if there weren’t mandatory standards?

Let’s say the answer to the above question is “No”.  It still leads to another question, namely: Would there be a better method of enforcing compliance than the very prescriptive method used by the CIP cyber security standards?  For example, if the cyber standards were written in the same way that CIP-014 is (or the CFATS standards for chemical facilities), would that eliminate a lot of the paperwork burden and expense?  In CIP-014, the entity is just required, for each “critical” substation, to a) get a physical vulnerability assessment done, and b) act on the recommendations.  (This is of course a simplification of the standards, but not hugely.  This is the approach that FERC wanted, since there was no time to go through the process of developing a prescriptive standard like the CIP cyber security standards.)

The answers to these questions are left as an exercise for the reader.

Update to my Previous Post

And now I have an update to my previous post (the first “good news” post), which celebrated what I believed to be the fact that CIP v6 was now essentially finalized, and there would be no further uncertainty about what was coming with CIP for at least the next few years.  It turns out I was somewhat premature in saying this.

I was correct in saying that the Transient Electronic Device and Low impact requirements had passed the second ballot (of course, the first two items that were addressed in v6 – removal of the “Identify, Assess and Correct” language from 17 requirements, and protection for wiring between ESP devices that exits the PSP – had already passed on the first ballot).  What I wasn’t correct in saying was that it was highly unlikely that the SDT would propose any further substantial changes for the third ballot (which is required by NERC rules even after a standard has passed on the previous ballot). 

It turns out the SDT has decided they would like to address some of the comments made in the comment period that accompanied this most recent ballot, so they actually will be making some changes to the requirements that passed.  This is of course the right thing to do, since the team obviously considers some of the comments – really suggestions for improvement – to be worth serious consideration.

This does mean, however, that there will still be uncertainty regarding the Transient Electronic Device and Low impact requirements.  More importantly, it does raise the possibility, even likelihood, that these two items won’t be addressed in the submittal to FERC that is due by February 2015.  That submittal will still happen, but it may just include the two changes that passed on the first ballot.[ii]

Even though it would be nice to have CIP all set in stone for a few years, I agree with the SDT that it is good to address significant suggestions for improvement, while there is still the chance to do so.  Once the standards are submitted to FERC and approved by them, there is no longer any possibility of change – and NERC has to go into contortions to try to clear up remaining ambiguities. 

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell. 

[i] Mark’s talk was part of the session on NERC’s Cyber Risk Preparedness Assessment program, in which they come onsite and run your utility through what seems to be a very well-planned scenario of cyber/physical attacks.  Run by Orlando Stevenson of NERC, this looks like an excellent program.

[ii] These two changes – removal of IAC and wiring outside the PSP – were incorporated in the “-X” standards that were just approved.  Those standards didn’t include the Transient and Low impact changes, in case they didn’t pass on this ballot.  As it turns out, they did pass, but the SDT wants to amend them anyway.  I believe the “-X” standards will be approved by the NERC Board of Trustees in November, and submitted to FERC soon thereafter.  Since removal of IAC and the wiring issue were the only two changes that FERC gave a deadline for in Order 791, this means that NERC can submit the remaining two changes after the February deadline; it is now possible they will do that.
