Tuesday, August 21, 2018

Back to CIP-014



In July, I wrote a post describing an email discussion I’d had with an auditor about CIP-014. It was actually a rehash of a disagreement we’d had last fall (which I don’t think I ever wrote about in this blog) regarding this post from last December. The subject of both disagreements was CIP-014, the CIP standard for physical security of key substations, drawn up in the wake of the Metcalf attack in 2012, in which some large transformers were fired on and disabled at a key substation in Silicon Valley.

Here is the essence of both disagreements: In the December post, I described how, in their CIP-014 audit last year, a utility was given a PNC (potential non-compliance) finding because their physical security plan prepared for compliance with CIP-014 R5 didn’t specifically provide protections for transformers. The utility argued that all of the wording in CIP-014 applies to protecting the substation as a whole, not to particular pieces of equipment located in the substation. The auditor, in his July email to me (prompted by another post, although not related to CIP-014), argued that it would be reasonable to assume that CIP-014 was about more than just protecting the substation as a whole, since the Metcalf attack had been on transformers, not the whole substation.

Note from Tom, later on 8/21: The person in charge of CIP compliance at the utility in question just read the post and emailed me that their reasoning for only protecting on the level of the entire substation wasn't based on the fact that this is what the requirement said, but on the fact that their own engineering study had found that, if any subset of the equipment were destroyed, there wouldn't be the kind of BES impact ("instability, uncontrolled separation, or Cascading within an Interconnection") that is required for the substation to be in scope for CIP-014 in the first place. So if they tried to protect individual pieces of equipment, they wouldn't actually be doing anything that would result in greater protection for the BES itself. However, the auditor would have none of that argument. He wanted the transformers protected, period.

I didn’t contest that it was reasonable to expect the utility to include protection of transformers in their physical security plan, but I did contest the idea that they could be found in violation of the requirement, since that says nothing about anything except protecting the substation as a whole.

After that post, I got an email from Ross Johnson of Capital Power in Edmonton, Alberta (which by the way is a really beautiful city, especially if you visit in the warmer months!). Ross said:

I was on the CIP-014 SDT, and we saw the substation fence line as a component in the protection of what was inside - not the only part worth protecting.  When we talked about protecting the substation, we also talked about protecting the most important components within, and considered that all part and parcel of the substation proper.

I don’t understand the logic of saying that because Metcalf transformers were shot up that any solution that didn’t protect the transformers from gunfire was inadequate.  That’s why we put the term ‘geographic proximity’ in R4.2 (Prior history of attacks on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events).  Substations far away from threats of this kind should have that fact weighed and considered in their R4.

I live in Canada, and gun crimes are exceedingly rare.  Other than the odd power-pole transformer, gunfire attacks on electricity sector infrastructure are almost unheard of, and have never approached the scale of Metcalf.  Most of our large substations are in isolated or rural areas, and many have never, ever, had an attack of any kind - even theft by copper thieves.  To demand that they pay millions of dollars to protect infrastructure from a crime that happened a couple of thousand miles away in a different culture with a vastly different threat profile seems difficult to justify given the more modest demands of the standard.

If the intent of the standard was to armour transformers to protect them from gunfire, then it would have stated that.

Now, I have always been against taking the recollections of drafting team members as something that can shed light on the meaning of a CIP requirement, so I’m not trying to say that Ross’s word should be taken as the preferred interpretation of a CIP-014 requirement. But in this case, we have an argument about what should be implied in the wording of a requirement. Ross says it would be wrong to draw the implication that transformers need to be protected, since CIP-014 R4.2 says the entity should consider (in the threat and vulnerability assessment that forms the basis for the physical security plan in R5): “Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events”.

In other words, the entity needs to consider threats that are clearly relevant for the substation in question. One of the bases for identifying those threats is incidents that are likely to occur in the particular geography of the substation. Ross pointed out in a subsequent email that “in Canada, some of our assets are protected by 400 miles of grizzly bears…” Clearly, ballistic attacks on transformers aren’t what keeps Ross awake at night.

On the other hand, Ross is also saying that, even though the strict wording of the requirements in CIP-014 says nothing about protecting the Facilities (e.g. transformers, circuit breakers, etc.) located within the substation, it would be wrong to say that the only threats that need to be protected against are those that affect the entire substation – this isn’t in the strict wording of the requirements, either.

What are the lessons to be learned from this whole discussion? They are:

  1. The utility shouldn’t have been given a PNC for not addressing threats to transformers in their physical security plan, since there is nothing in the strict language of the requirements that mandates the entity should do anything more than protect the whole substation.
  2. On the other hand, the utility certainly should have been given an Area of Concern (which isn’t a violation, of course) for this. That is what a second utility (also discussed in the December post) received. They were also cited for not specifically addressing the threat of ballistic attack on transformers.
  3. Any mandatory standards regime needs to have procedures by which compliance can be verified. In the case of the NERC CIP regime, compliance is verified by audits – did they do X or didn’t they do X? Because this is the case, future plan-based requirements should all include some guide to the threats that need to be identified and mitigated in the plan; they can’t just say something like “identify all the threats that apply to your environment and mitigate them”, which is essentially what CIP-014 says, as well as CIP-013.[i] (All of the important CIP requirements drafted since CIP version 5 have been plan-based. This has quickly become recognized as the only type of requirement that makes sense in the CIP context, since prescriptive requirements simply don’t work well.)
  4. My poster child for a good plan-based requirement is CIP-010 R4, where Attachment 1 (which is called out by the requirement and thus is incorporated into it by reference) describes, at a high level, a number of threats that must be included in the plan (although the term used is risks, not threats; while I think risks is a workable term, I think threats is a better one in this context, for several reasons). I think all future drafting teams would do well to emulate this requirement when they draw up new plan-based requirements, or even when they revise existing ones. Since it’s likely that FERC will order some changes when they approve CIP-013, and since this means there will have to be another version, I would recommend that the SDT look to CIP-010 R4 for inspiration on how they can make the standard auditable, since the primary requirement, R1.1, isn’t auditable as it stands now.
  5. Ultimately, there will need to be a different compliance verification process for the CIP standards (and I believe the current audit-based process is fine for the O&P standards, although if anyone thinks differently I’d love to hear about it), which will be designed for plan-based requirements. It will need to include a) review by the Region of the entity’s plan before it is implemented, so that the entity can make any needed modifications before it is put in place; b) review by the Region of the entity’s implementation of that plan, so that any big mistakes can be corrected, rather than be allowed to fester (with attendant security vulnerabilities) until the next audit; and c) compliance guidance by the Regions (indeed, by NERC itself) being not only allowed but encouraged.
  6. Unfortunately, until this new compliance verification process is actually implemented (and I’m not naïve enough to think this is likely to happen in the next few years), there will continue to be lots of disputes like the CIP-014 disputes I’ve been discussing. The auditors will always have their ideas about what needs to be in a plan, and in many cases that will differ from what the utility believes. There is no way to settle these disputes, except by simply agreeing that no violations can be assessed for anything that isn’t in the strict language of the requirement, although certainly Areas of Concern are appropriate. As more plan-based requirements are written on the model of CIP-010 R4, these requirements will be more auditable. However, the real solution is a different compliance verification process for the CIP standards.
  7. Even though plan-based CIP requirements should include a list of types of threats that need to be considered in the plan, it should be up to the entity to determine exactly which threats belong in their plan. In Ross Johnson’s neighborhood, high-powered rifles are much less likely to be used in crimes than they are south of the 49th parallel, so that particular threat might be discounted. On the other hand, threats related to cold weather and snow might pose greater risk in northern Alberta than they do in Silicon Valley.
  8. There should be some central body – composed of SMEs from NERC entities, NERC and the Regions, FERC (at least as observers), and perhaps representatives of the general power-using public – charged with developing and regularly updating a list of threats that must be considered in CIP-013 and CIP-014 plans (CIP-013 requires updating the plan every 15 months; CIP-014 requires more or less continual evaluation of new physical threats to substations). Of course, in many cases an entity will decide not to include a particular threat in their plan because it doesn’t apply to them; but in any case the entity will need to document why they did this.[ii] The reason this is needed is that it shouldn’t be left up to individual utilities – no matter how large or small – to comb through all the reports of cyber threats and mitigations worldwide, and determine which ones pose serious risks in North America and which ones don’t. There needs to be a central, regularly-updated list, although it will be up to the individual entities to determine which threats specifically apply to them.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.



[i] I want to point out that I’m not blaming either the CIP-013 or CIP-014 drafting teams for this situation. They were both given very tight deadlines by FERC, one year in the case of CIP-013 and three months in the case of CIP-014. In these time periods, they had to develop, ballot, re-ballot, re-re-ballot, and get NERC BoT approval for the new standard. They didn’t have time to include language in the requirements that would have taken a long time to draft, or that would have sparked a lot of controversy. A lesson learned for FERC is to be very careful about assigning deadlines for new standards, because it often doesn’t seem to work out very well.

[ii] I am writing a book on how the NERC CIP standards – as well as the compliance regime built around them – could be rewritten to eliminate five big current problems with CIP. One of my recommendations is that there be a central body that reviews and publishes a list of all cyber threats to the BES (and perhaps physical threats as well), as well as mitigation measures for those threats. In addition, this body would meet regularly to review new threats as well as mitigation measures, and update the list at least annually. The NERC entities would be required to a) determine which threats on the list pose the biggest risks in their environment and b) mitigate those threats.