Tuesday, November 26, 2019

The dreaded D-word



My last post, which discussed the most recent Wall Street Journal article on grid security, is a good example of something that’s happened to me a number of times during my storied career as a blogger: I started the post thinking the topic was fairly well-defined and narrow, but I ended it by realizing that there was a larger issue to be addressed. (You can get away with this when you’re a blogger. When you write newspaper articles like Rob Barry and Rebecca Smith do, you have to lead with the large issue, not discover it unintentionally at the end.)

I indicated this larger issue when I wrote “…NERC and the industry may have been barking up the wrong tree all along, in considering that the biggest goal of cyber attackers would be causing a cascading outage in the Bulk Electric System; the right way to counter that is through the NERC CIP standards, which apply exclusively to BES assets. But if we’re talking about specific facilities like dams and military bases, the substations and generating plants that serve them are often purely distribution ones, to which the CIP standards don’t apply.”

This was also a takeaway from Rob and Rebecca’s January article (this link is to my post on the article, but if you want to see the article itself, see this funny link that I included in a footnote to my post). That article pointed out how the Russians are targeting utilities that serve military bases, which of course are also served primarily at the Distribution level, not the BES level. I wanted to write a post last January saying that everybody should be paying more attention to the risks posed by purely Distribution assets, but I started to build up a big backlog of posts to write, so I haven’t gotten around to it until now – and I only did because of the new WSJ article, which makes very clear that the primary focus of attacks on the US grid nowadays is on particular assets on the Distribution network, not the BES.

Why hasn’t there been a lot of focus on Distribution cyber regulation before this? It’s simple – because right now, it’s nobody’s job. NERC and FERC have jurisdiction solely over the Bulk Electric System (although FERC always uses the term Bulk Power System, and NERC sometimes uses that term; nobody has been able to explain to me why one term is used rather than the other, so I will continue to believe it’s simply the preference of the person writing the document); it would take an act of Congress to change that. And if someone in Congress had the appetite to change that now, it would require a lot of cajoling and horse-trading with the state PUCs, who currently have jurisdiction over some Distribution assets in their states, and aren’t likely to give up anything to FERC and NERC without a fight.

And to be honest, the PUCs – while they talk earnestly about cybersecurity at the NARUC meetings all the time – aren’t doing a lot about grid security in their states, because they don’t have the authority for that, either. For one thing, the PUCs by definition don’t regulate anything but IOUs (for example, the state of Nebraska doesn’t have any IOUs at all, which is why the Nebraska Public Service Commission doesn’t even mention electric power on its website). And even with IOUs, the PUCs are officially only allowed to regulate pricing and safety – which is why all cybersecurity initiatives are ultimately cast as safety measures. Currently, I know of only one state – New Jersey – that has a full cybersecurity standard (and a well-written one at that); but it’s not audited, and of course it’s completely voluntary for the coop and municipal utilities in the state.

So if anybody’s thinking about cybersecurity regulation of Distribution-level assets, it’s very hard to see where it will come from barring an act of Congress, as I said earlier.

So why should we want regulation of Distribution-level assets? Haven’t I been complaining since 2014 about the CIP standards and how many problems they have? That’s true, and I certainly don’t recommend that the CIP standards as currently written should be applied to Distribution – in fact, I don’t think they should be applied to Transmission either. As I discussed in my recent webinar, I think the CIP standards need to be entirely rewritten, so that they’re much more like CIP-013 than CIP-007 R2 and CIP-010 R1. Pending that development, I wouldn’t wish the CIP standards on any other industry or country.

But, as I recently pointed out, the only good way I know for cyber professionals in any industry to get the resources they need to effectively mitigate cyber risks is to have mandatory cyber regulations. If we really want to mitigate the Distribution-level threats – which seem to be much larger than the Transmission-level ones – we need to figure out a way to develop regulations that don’t impose the big regulatory burden that the NERC CIP standards do on Transmission and large Generation entities. So extending the current CIP standards to Distribution – even if this could be pushed through Congress – isn’t a good option, and isn’t likely to be realized.

Should NERC develop a “CIP lite” that would apply just to Distribution entities? I think there should be a CIP lite (completely risk-based, as described in my webinar), but it should apply to all NERC entities, and replace the current CIP standards. While I think this will happen in the next few years (mainly because of pressure on NERC to do something to allow utilities to put Medium and High impact BES Cyber Systems in the cloud – not just BCSI), it’s currently not even on the floor, let alone on the table.

But the question is: who should promulgate and enforce this new Distribution CIP standard? I vote for DOE. But there needs to be support in Congress to do this, and I know of none at the moment. So, despite the fact – well documented in the WSJ – that Distribution is probably the big problem area for cybersecurity, not Transmission, we’re a very long way from doing anything about it.

One of my favorite jokes is about a man who goes outside at night and finds his neighbor on hands and knees, looking for something under a streetlight. He asks his neighbor what he's looking for and the neighbor replies "My keys". He then asks him "Where did you lose them?", and the neighbor points to his dark lawn. So the man asks "Well, why are you looking for them here?". The neighbor replies "Because the light's better here."

This strikes me as an excellent metaphor for the current situation with cyber regulation of the US power grid. We know the focus of attacks nowadays is Distribution, but we can't do anything about it due to jurisdictional issues. So we put all of our efforts into regulating Transmission and large Generation, not Distribution. After all, the light's better there.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.
