My previous post,
as well as a post
from September, pointed to probably the biggest problem with the NERC CIP
standards today: To address a new cyber threat through CIP, NERC has to go
through its standards development process. And the time from when a new
standard or requirement is requested (usually by FERC) to when the new standard
comes into effect is almost always multiple years, and very often more than
that (in the example I used in the previous post, the time was between 5 ½
years and 7 ½ years, depending on how you measure it).
There are two
primary consequences of this:
- There are a number of important cyber threats – phishing,
ransomware, “not-Petya”-type attacks, cloud-based threats, etc. – that
aren’t currently addressed in CIP at all; moreover, there is no serious
effort now to incorporate these into CIP.
- A great weariness with the process of developing new CIP standards,
and trying to interpret them once developed, seems to have settled on the
NERC membership since the CIP version 5 implementation experience. It is
highly unlikely that any new cyber threats will be addressed in CIP going
forward, unless ordered by FERC.
Of course,
NERC entities are, for the most part, still investing a lot of resources in
addressing new cyber threats outside of the CIP compliance process. But as
I’ve pointed out multiple times, including in my last post, the fact that some
threats must be addressed in order to comply with NERC CIP and are subject to
potentially huge fines (this includes threats like malware, firewall
misconfiguration, lack of proper network segmentation, etc.), while others are
strictly optional, means there is inevitably a tendency to overfund controls
against threats that are part of CIP, and underfund controls against threats
that aren’t part of CIP.[i] And this
discrepancy will only get much larger, since new threats are appearing more
rapidly all the time.
Yet, as I’ve
also pointed
out, the industry needs mandatory cyber security standards, since it is
only by having those in place that cyber security efforts will be well funded.
How do we break this logjam, in which the current CIP standards suck up a
greatly – and increasingly – disproportionate share of the resources available
for cyber security, while still having mandatory standards?
The answer
to this question flows almost directly from what I’ve just said: A new CIP
standards framework that will address this problem would need to replicate, as
closely as possible, the process that the entity would naturally follow on
their own if they a) didn’t have any mandatory cyber standards to comply with,
but b) they still had the same budget for cybersecurity that they have in the
presence of the mandatory CIP standards.
And what
would that process be? It would be one in which the entity
- Ranks all of the cyber threats it faces by their degree
and probability of impact – in other words, by the degree of risk that
each threat poses;
- Determines approximately what steps are required to
mitigate each threat;
- Determines the degree of mitigation that would be achieved
by taking those steps;[ii] and
- Allocates its cyber budget so that a) all of the threats
above a certain minimum risk level are mitigated to some degree, and b) the
more risky the threat, the more it is mitigated.
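The four-step process above, worked through in code. This is an added illustration, not something from the original post or from NERC: the threat names, probabilities, impacts, costs and effectiveness figures are constructed sample values, and the two allocation rules (split the budget in proportion to each threat's expected loss, and treat a partially funded mitigation as proportionally less effective) are my own assumptions about how an entity might do it.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    probability: float    # chance of a successful attack in the planning period (0-1)
    impact: float         # estimated loss if it succeeds
    cost: float           # cost of fully carrying out the planned mitigation steps
    effectiveness: float  # fraction of the risk those steps remove (an educated guess, per [ii])

    @property
    def risk(self) -> float:
        return self.probability * self.impact  # expected loss

def rank_by_risk(threats, min_risk):
    """Step 1: rank by expected loss; threats below the minimum risk level are not funded."""
    return sorted((t for t in threats if t.risk >= min_risk), key=lambda t: t.risk, reverse=True)

def allocate(threats, budget, min_risk):
    """Steps 2-4 (assumed rule): split the budget in proportion to risk, so every threat
    above the minimum gets some funding and riskier threats get more. No threat receives
    more than its full mitigation cost; any surplus is re-split among the rest."""
    alloc, remaining = {}, float(budget)
    unfunded = rank_by_risk(threats, min_risk)
    while unfunded and remaining > 0:
        total = sum(t.risk for t in unfunded)
        capped = [t for t in unfunded if remaining * t.risk / total >= t.cost]
        if not capped:                      # nobody hits the cap: plain proportional split
            for t in unfunded:
                alloc[t.name] = remaining * t.risk / total
            break
        for t in capped:                    # fully fund these, then re-split what is left
            alloc[t.name] = t.cost
            remaining -= t.cost
        unfunded = [t for t in unfunded if t not in capped]
    return alloc

def residual_risk(threats, alloc):
    """Expected loss left after funding (assumes partial funding scales mitigation linearly)."""
    return sum(t.risk * (1 - t.effectiveness * alloc.get(t.name, 0) / t.cost) for t in threats)

# Constructed sample values, for illustration only
THREATS = [
    Threat("ransomware", 0.3, 2_000_000, 150_000, 0.7),
    Threat("phishing", 0.6, 500_000, 60_000, 0.5),
    Threat("transient_device_malware", 0.2, 400_000, 40_000, 0.8),
    Threat("firewall_misconfiguration", 0.1, 300_000, 5_000, 0.9),
    Threat("dropped_usb_stick", 0.01, 50_000, 10_000, 0.5),  # below the minimum: left unfunded
]
BUDGET, MIN_RISK = 200_000, 10_000

if __name__ == "__main__":
    plan = allocate(THREATS, BUDGET, MIN_RISK)
    for name, amount in plan.items():
        print(f"{name:28s} {amount:12,.0f}")
    print(f"residual risk {residual_risk(THREATS, plan):,.0f} of {sum(t.risk for t in THREATS):,.0f}")
```

With these figures the firewall fix is cheap enough to be funded in full, the other three threats share the rest in proportion to their expected loss, and the sub-threshold threat is carried as accepted risk.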
What kind of
standard would be required to implement this process? I can tell you right now
that the current CIP standards won’t work! The problem is that some of the
current CIP requirements are excessively prescriptive. And even though a small
number of the requirements aren’t prescriptive (and I consider objectives-based
requirements like CIP-007 R3 to be the opposite of prescriptive requirements
like CIP-007 R2), the NERC compliance and enforcement process (embodied in CMEP
and the Rules of Procedure) is itself very prescriptive. Both the CIP standards
and the compliance/enforcement process will ultimately need to be changed in
order for what I’ll outline below to work.
But let’s
say I were given the power tomorrow to put in place what I think is needed;
what would I do? I’m very glad you asked that question. First, I would scrap
the existing CIP standards and put in place what is in effect a single
requirement[iii]: “On a
risk-adjusted basis, address the cyber security threats on the current list.”
And where does this “current list” come from? I’m also very glad you asked that
question. When this new standard is drafted, the drafting team will draw up an
initial list of what they consider the most important threats.
However,
this list would have to be maintained on an ongoing basis. There will need to
be some group designated to meet regularly (I would think quarterly would be
appropriate) and do the following:
- Review current cyber threats and determine which ones
should be added to the list.
- Decide if any threats currently on the list should be
removed.
- For each threat on the list, determine a set of “criteria”
that should be addressed in the plan the entity develops. I hope to have a
post out very soon on what a “plan” is and how it could be audited in my
desired scheme of things, but for the moment I’ll just point out that
CIP-003 R2, CIP-010 R4, CIP-013 and CIP-014 all speak of a plan. The
criteria are topics that must be addressed in the plan, regarding each
threat. For example, for the threat of malware infection from transient
electronic devices, the criteria could include items such as “The plan must
address devices owned by third parties as well as by the entity”; “The
plan must address how access to transient electronic devices will be
managed”; etc.
- Develop guidance on how each threat can be mitigated, and
update it in the light of real-world experience addressing these threats
(and not just experience of the electric power industry, but of other industries
as well. After all, almost none of the threats on the list will be unique
to electric power). This is probably the most important task that this
group will be faced with, and it is certainly the one that will take the
most effort.
- Develop written materials that will enable smaller,
less-sophisticated entities to determine whether and how a particular
threat applies to them, and how much of a risk it actually poses. This is
necessary in order to prevent such entities from investing a lot of time
and resources toward addressing threats that probably pose very little
risk to them.[iv]
Who would comprise the members of this group?
It will need to be a diverse group, representing the different types of
organizations subject to CIP: investor-owned utilities, Independent Power
Producers, Generation and Transmission coops, distribution-only coops, large
municipals, small municipals, ISO/RTOs, US government agencies, etc. And it
will need to include representatives of the E-ISAC, since it is their business to
constantly identify and evaluate new threats to the electric power industry.[v]
Who would run this group? I’ll say right off
the bat that it shouldn’t be run by NERC itself, since this might be perceived
as a conflict with their role as the regulator. Obviously, NERC will continue
to be in charge of the CIP standards, but it shouldn’t be in charge of the
committee that identifies threats, since if it were this might taint the list
of threats as being somehow the equivalent of a new standard, which it certainly
is not.
I could see this group perhaps being
organized by the trade associations: EEI, NRECA, APPA and EPSA. Or maybe the
Transmission Forum and Generation Forum would get together to organize this
group from among their members. I could also see the NERC CIPC doing this,
although it would be a big expansion of their mandate and would thus require a
large additional time commitment from a significant number of its members.
So why is it important to have this group,
and to rewrite CIP so that it simply refers to the current threat list, rather
than addressing particular threats directly, as it does now? Because that is what it
will take – as far as I can see – to remove
the identification of new threats from the standards development process.
Instead of taking somewhere between three and eight years to address a new
threat in CIP (as is currently the case, given the cumbersomeness of the
standards development process), CIP could “address” new threats within a few
months of their being identified by this group.
Before I go, I want to point out that I’ve
raised this issue before, although in a different context. In this post from
August, I brought up the issue (first raised in the previous post)
of compliance with CIP-013 R3. That requirement mandates that each NERC entity
that is subject to this standard, once every 15 months, review their supply
chain cyber security risk management plan to determine whether it adequately
accounts for the current supply chain cyber risks, as well as whether it takes
account of new developments in mitigation techniques for those risks.
In the previous post, I had wondered whether
some new body could be constituted to review new supply chain threats and
mitigations, since a lot of NERC entities wouldn’t have the in-house resources
to do this review themselves. I suggested that a committee of industry
representatives could do this on behalf of the whole industry, although
individual entities would be free to remove or add particular threats when they
drew up their own list of risks, based on their own unique circumstances. I had
concluded that this would never be allowed by the current NERC CMEP.
In the post last August (referenced above), I
discussed an email conversation I’d had with an auditor, who said that he
didn’t see any obstacle to such a body being put together; it wouldn’t involve
any conflict with the current wording of CIP-013 or with CMEP. So I think such
a body should be put together. It isn’t technically needed until a year after
CIP-013 comes into effect, which probably means around the end of 2020, but I
really think this body would be helpful even now, completely divorced from any
particular CIP purpose – but simply for the general purpose of raising
awareness of current cyber threats among NERC entities. As CIP-013 comes into
effect, and as CIP is rewritten in accordance with my suggestions (and I’m
absolutely sure this will happen, of course!), then this body could segue into
these two roles, as discussed above.
The views and opinions expressed here are my own, and do
not reflect those of any organization I work with. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[ii]
This is without a doubt very hard to determine in any sort of scientific way.
For example, if you are going to mitigate the threat posed by phishing and you
decide that training – including sending out phishing-type emails to see who
clicks on them – is the best mitigating step you can take, how can you know how
successful it will be in reducing the number of malicious phishing attempts
that succeed in getting someone to click on them? Well, you might put this
program in place for six months or a year, and monitor statistics like number
of outside phishing emails that get clicked on, number of test emails that get
clicked on, etc. At that point you would be able to decide whether just continuing
the current program will provide enough mitigation long-term; whether it needs
to be augmented with an automated anti-phishing tool or some other mitigation
method; or whether it’s been totally ineffective and you need to drop it and
try something else.
In general, it will be very hard to determine up front
how much mitigation a particular control might provide for a particular threat;
it will usually have to be an educated guess, which can later be updated as
experience (both the entity’s experience and that of its industry peers) allows.
[iii]
It isn’t really a single requirement, and there will be more to each
requirement than just one sentence. But in principle, what I am proposing isn’t
too far from this single sentence. By the way, as I’ve said before, I am
working on a book, with two co-authors, that will discuss this idea in much
more detail – as well as justify it much more thoroughly – than I ever could in
this blog. But the book is still a long way from appearing in print (or
electrons), so at the moment this explanation, as well as others that are
scattered around my posts from the past year or so, will have to suffice.
[iv]
I’m assuming that the larger entities will have the necessary expertise on
staff to determine whether particular threats apply to them or not, and also to
estimate the risk that each of these poses. But it’s possible that larger
entities would also need some of this help as well.
[v]
However, it’s important to remember that the E-ISAC, at least as currently
constituted, only addresses what I would call technical threats. This includes
new varieties of malware, new attack vectors, etc. The E-ISAC doesn’t address
threats that can only be addressed through procedural means, such as the threat
of malware being introduced from transient cyber assets and removable media.
Those threats are sometimes addressed in the CIP standards, but increasingly
are not, for reasons already discussed in this post.