This is my third (and last for the moment) post on FERC’s NOPR on cybersecurity incentives – the first was this one. The first two posts dealt with the financial side of the NOPR, pointing out that the financial “stimulus” that FERC is proposing is likely to end up being fairly modest. This post deals with the substance of what FERC is proposing – i.e. what those utilities lucky enough to be able to take advantage of FERC’s proposal will have to do in order to have their investments approved for reimbursement through transmission rate relief.
I must admit that my first emotion
on reading FERC’s description of the substance of their proposal was
embarrassment. Doesn’t anybody at FERC know anything about the NERC CIP
standards? After all, they did approve them, as I recall. I also have to ask
how much they know about cybersecurity in general, since a lot of what they say
in the NOPR seems to reflect the view that cybersecurity controls are a kind of
magic pixie dust. Since I know FERC has some very good cybersecurity people, I have
to assume the cybersecurity pronouncements in the NOPR were the product of too
much holiday partying.
The NOPR describes two different approaches to cybersecurity investment that (some) electric utilities can take in order to receive rate-based financial incentives under FERC’s proposal.
I. NERC CIP Incentives Approach
The first approach is described
starting on page 24 of the NOPR. FERC describes this approach as “voluntarily
applying identified CIP Reliability Standards to facilities that are not
currently subject to those requirements”. Essentially, FERC is asking utilities
to “voluntarily” (as if anything the government asks you to do is done voluntarily.
I remember Milton Friedman describing, during one of the economics classes I
took with him a long time ago, President Ford’s recently-announced “voluntary”
wage and price controls thusly: “This is an Orwellian use of the term ‘voluntary’:
You do this voluntarily or your throat gets cut.”) extend the CIP standards
beyond what they apply to now.
The idea behind that is FERC doesn’t
want to pay utilities to do what they’re required to do anyway by the CIP standards
– but they’re fine with having them go beyond what’s required and paying them
for that (of course, I’m simplifying things a lot by speaking of FERC “paying”
anybody). There are two ways in which a utility can follow this approach:
First, the utility can “voluntarily”
(there’s that word again!) apply “the requirements for medium or high impact
systems to low impact systems, and/or the requirements for high impact systems
to medium impact systems”.
FERC offers two methods (or “incentives”) for accomplishing this goal. The first, the “Med/High incentive”, is applying the requirements for medium or high impact facilities to low impact ones, or the requirements for high impact facilities to medium impact ones (although strictly speaking the impact designations apply to systems, not facilities. But we’ll skip the religious arguments for the moment). In principle this is a fairly straightforward task: where a requirement only applies to systems at a high impact facility like a Control Center, the utility applies it to systems at a medium impact facility like a transmission substation.
On the other hand, I find it hard to believe that any utility will seriously want to use this method, unless the description of it is completely revised. By suggesting utilities can apply medium/high requirements to low systems, or high requirements to mediums, FERC seems to be saying (perhaps inadvertently) that the utilities will “voluntarily” (again!) declare their lower-impact facilities to have a higher impact rating than CIP-002-5.1a R1 Attachment 1 otherwise requires. Without going into detail on why this is a crazy idea, I’ll just say that anybody at an electric utility who suggested uprating the impact ratings on facilities subject to NERC CIP probably wouldn’t live to see tomorrow’s dawn.
If FERC wants this method to have any chance of finding some takers, they will have to make it clear that the utility will “voluntarily” apply particular controls that are only required of higher-impact BES Cyber Systems (BCS) to lower-impact ones – and that they can apply those controls in any way they want, rather than strictly according to what CIP requires. If they did that, I think some utilities might be interested in this.
However, FERC really goes to pieces when they try to describe the second method, the “Hub-Spoke incentive”. They say “Under the Hub-Spoke Incentive, a public utility is eligible for incentives if its investment applies CIP Reliability Standard security controls inherited from a high or medium impact BES Cyber System at locations containing low impact BES Cyber Systems by ensuring all external routable connectivity to and from the low impact system connect (sic) to a high or medium impact BES Cyber System.”
Let’s try to pull this apart. First,
FERC is trying to make the case that it would be a good idea to connect low
impact (and therefore lower security) systems to high or medium impact (and
therefore higher security) ones – that somehow the higher security will
magically flow down the wire connecting the two systems (which would be in two
different facilities).
Let’s think about this: Staff members who have access to BCS at medium and high impact facilities have to have background checks, whereas they don’t at low impact facilities. This presumably makes the systems at the former more secure than the latter. Does connecting them with a wire give the people who work in the low impact facility the equivalent of background checks (they probably have them anyway, but that’s not the point here)?
Here’s another example: To comply
with CIP, utilities have to spend a lot of effort on configuration and patch
management at medium and high impact facilities, but not at lows. If they run a
wire between the two, will the systems at the low facilities automatically “inherit”
(FERC’s word, not mine!) the benefits of the configuration and patch management
that’s done on the high or medium impact systems?
Of course not. The only cybersecurity benefit that could be conferred by connecting the two levels of facilities has to do with external routable connectivity (ERC), which FERC mentions. But BCS at medium and high impact facilities aren’t connected directly to ERC; instead, there needs to be some device like a firewall that makes the connection to the outside world and extends that connection to the systems within the facility.
But a firewall isn’t a BCS; it’s
an EACMS (electronic access control and monitoring system). And the low BCS
wouldn’t connect directly to the medium or high EACMS, but to an EACMS at the low
facility, either a router or a firewall. That would in turn connect to the high
or medium EACMS.
Moreover, it wouldn’t be good security practice for a low impact BCS to have any true external routable connectivity (i.e. a connection to the internet or to networks outside of the utility’s) in the first place, no matter what system it came through. Low impact systems, if they’re connected to anything at all, are connected to the SCADA or EMS system in a (usually) medium or high impact Control Center. Only the latter system would connect to any systems outside the utility, including the internet. I might be speaking too categorically here, but I can’t think of any reason why it would be a good idea to give ERC to individual BES Cyber Systems at low impact assets.
In short, the “Hub-Spoke Incentive”
is described very poorly by FERC, and even describing it correctly would
probably lead to a less secure arrangement than what is in place now at most
electric utilities. But other than these quibbles, I think it’s a wonderful
idea.
II. NIST Framework Approach
FERC’s second approach (found
beginning on page 28 of the NOPR) is described by FERC this way: “public
utility may receive incentive rate treatment for implementing certain security
controls included in the NIST Framework”. Specifically, FERC suggests that five
types of controls found in the NIST Framework would be eligible for incentives:
“(1) automated and continuous monitoring; (2) access control; (3) data
protection; (4) incident response; and (5) physical security of cyber systems”.
However, the NOPR then says that initially, FERC will only consider the first
type of controls for incentives: automated and continuous monitoring.
I don’t have any problem with FERC
limiting the types of controls to five, and perhaps even limiting them to one
(which makes one wonder why they listed the other four in the first place). There’s
no doubt that one of the big deficiencies in the CIP standards is they don’t
require utilities to implement some sort of monitoring, even though many are
already doing it on their own (and that really is “voluntary”!). If more utilities
start doing this because of FERC’s proposed incentives – or more likely expand
on the monitoring they’re already doing – that in itself would lead to a higher
level of grid security.
My main question about this
approach is: What does this have to do with the NIST Framework? There are all
sorts of cybersecurity frameworks and standards that mandate some or all of the
five types of controls FERC suggests, and most of them predate the Framework. In
other words, I think FERC wasted a lot of their time writing many pages about
the Framework, and I think readers of the NOPR will waste a lot of their time
reading about it, when this Approach could have been much better categorized as
“It’s important to monitor your network, your external connections, and the
systems on your network. Do it and you’ll get rate relief.”
But there is one thing that FERC
might have added to these two sentences: “Utilities may want to look for a
different vendor for their monitoring software than the (until recently,
anyway) leading vendor: SolarWinds”. However, that’s a different issue.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.