My last post, which discussed the most recent Wall Street Journal article on grid security, is a good example of something that has happened to me a number of times during my storied career as a blogger: I started the post thinking the topic was fairly well-defined and narrow, but I ended it by realizing that there was a larger issue to be addressed. (You can get away with this when you're a blogger. When you write newspaper articles, as Rob Barry and Rebecca Smith do, you have to lead with the large issue, not discover it unintentionally at the end.)
I indicated this larger issue when I wrote “…NERC and the industry may have been barking up the
wrong tree all along, in considering that the biggest goal of cyber attackers
would be causing a cascading outage in the Bulk Electric System; the right way
to counter that is through the NERC CIP standards, which apply exclusively to
BES assets. But if we’re talking about specific facilities like dams and
military bases, the substations and generating plants that serve them are often
purely distribution ones, to which the CIP standards don’t apply.”
This was also a takeaway from Rob and Rebecca's January article (that link is to my post on the article; if you want to see the article itself, see the funny link I included in a footnote to that post). That article pointed out that the Russians are targeting utilities that serve military bases, which of course are also served primarily at the Distribution level, not the BES level. I wanted to write a post last January saying that everybody should be paying more attention to the risks posed by purely Distribution assets, but I had built up a big backlog of posts to write, so I haven't gotten around to it until now. I only did so because of the new WSJ article, which makes very clear that the primary focus of attacks on the US grid nowadays is particular assets on the Distribution network, not the BES.
Why hasn't there been a lot of focus on Distribution cyber regulation before this? It's simple: right now, it's nobody's job. NERC and FERC have jurisdiction solely over the Bulk Electric System (although FERC always uses the term Bulk Power System, and NERC sometimes uses that term too. Nobody has been able to explain to me why one term is used rather than the other, so I will continue to believe it's simply the preference of the person writing the document). It would take an act of Congress to change that. And if someone in Congress had the appetite to change it now, it would require a lot of cajoling and horse-trading with the state PUCs, which currently have jurisdiction over some Distribution assets in their states and aren't likely to give up anything to FERC and NERC without a fight.
And to be honest, the PUCs, while they talk earnestly about cybersecurity at the NARUC meetings all the time, aren't doing a lot about grid security in their states, because they don't have the authority for that either. For one thing, the PUCs by definition don't regulate anything but IOUs (for example, the state of Nebraska doesn't have any IOUs at all, which is why the Nebraska Public Service Commission doesn't even mention electric power on its website). And even with IOUs, the PUCs are officially only allowed to regulate pricing and safety, which is why all cybersecurity initiatives are ultimately cast as safety measures. Currently, I know of only one state, New Jersey, that has a full cybersecurity standard (and a well-written one at that); but compliance with it isn't audited, and of course the standard is completely voluntary for the coop and municipal utilities in the state.
So if anybody's thinking about cybersecurity regulation of Distribution-level assets, it's very hard to see where it will come from, barring an act of Congress, as I said earlier.
So why
should we want regulation of Distribution-level assets? Haven’t I been
complaining since 2014 about the CIP standards and how many problems they have?
That’s true, and I certainly don’t recommend that the CIP standards as
currently written should be applied to Distribution – in fact, I don’t think
they should be applied to Transmission either. As I discussed in my recent webinar,
I think the CIP standards need to be entirely rewritten, so that they’re much
more like CIP-013 than CIP-007 R2 and CIP-010 R1. Pending that development, I
wouldn’t wish the CIP standards on any other industry or country.
But, as I
recently pointed
out, the only good way I know for cyber professionals in any industry to
get the resources they need to effectively mitigate cyber risks is to have
mandatory cyber regulations. If we really want to mitigate the
Distribution-level threats – which seem to be much larger than the
Transmission-level ones – we need to figure out a way to develop regulations
that don’t impose the big regulatory burden that the NERC CIP standards do on
Transmission and large Generation entities. So extending the current CIP
standards to Distribution – even if this could be pushed through Congress – isn’t
a good option, and isn’t likely to be realized.
Should NERC
develop a “CIP lite” that would apply just to Distribution entities? I think
there should be a CIP lite (completely
risk-based, as described in my webinar), but it should apply to all NERC entities, and replace the
current CIP standards. While I think this will happen in the next few years
(mainly because of pressure on NERC to do something to allow utilities to put
Medium and High impact BES Cyber Systems in the cloud – not just BCSI), it’s
currently not even on the floor, let alone on the table.
But the question is who should promulgate and enforce this new Distribution CIP standard. I vote for DOE. But there needs to be support in Congress to do this, and I know of none at the moment. So, despite the fact, well documented in the WSJ, that Distribution is probably the big problem area for cybersecurity, not Transmission, we're a very long way from doing anything about it.
One of my favorite jokes is about a man who goes outside at night and finds his neighbor on hands and knees, looking for something under a streetlight. He asks his neighbor what he's looking for and the neighbor replies "My keys". He then asks him "Where did you lose them?", and the neighbor points to his dark lawn. So the man asks "Well, why are you looking for them here?". The neighbor replies "Because the light's better here."
This strikes me as an excellent metaphor for the current situation with cyber regulation of the US power grid. We know the focus of attacks nowadays is Distribution, but we can't do anything about it due to jurisdictional issues. So we put all of our efforts into regulating Transmission and large Generation, not Distribution. After all, the light's better there.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep
in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP
issues or challenges like what is discussed in this post – especially on
compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for
your organization, remains open to NERC entities and vendors of hardware or
software components for BES Cyber Systems. To discuss this, you can email me at
the same address.