New security standards have utilities, vendors scrambling for compliance

Earlier this year, the North American Electric Reliability Corporation (NERC), formed by the Federal Energy Regulatory Commission (FERC), established a set of critical infrastructure protection (CIP) security standards that are mandated requirements for U.S. electricity distributors. The standards were developed over the course of three years with input from the utility industry. FERC, acting on the responsibility to oversee the reliability of the bulk power system given to it in the Energy Protection Act (EPAct) 2005, approved the eight standards in January of this year. Further, the Department of Homeland Security, after members of a cyber security-focused subcommittee criticized NERC for a perceived lack of urgency on security policymaking, has mandated that utility and energy companies comply with CIP guidelines by 2010. Meanwhile, FERC has suggested to Congress that it needs increased authority to enhance its regulatory mission of defending against cyber security threats alongside the Department of Homeland Security. If passed, such legislation would also likely provide FERC with more oversight and leverage over AMI/Smart Grid projects.

In general, the standards require critical cyber assets to be protected with an electronic security perimeter (ESP) and a six-walled physical security perimeter. Further, the NERC standards state that non-critical cyber assets within an ESP must also receive the same protection. Critical cyber assets range from a complex control system built from distributed control system or programmable logic controller-based components down to a single device, such as a microprocessor-based protective relay connected for remote access via a routable protocol (e.g., Internet protocol).

The immediate impact is that many utilities are scrambling to become compliant and are suddenly finding themselves grossly unprepared to comply with the standards in essentially a year and a half, not to mention facing the expense of compliance and the specter of heavy fines for non-compliance. One utility projected its own costs to become compliant would be in the range of $30 to $40 million over the next three years. And the non-compliance penalties are quite startling as well, reportedly in the range of a million dollars a day.  

In addition, an ever-growing market of vendors continues to develop and promote product solutions offering such utilities a “quick fix” for becoming NERC compliant, when the transformation called for by federal regulators is in fact a vastly more complex endeavor.

This article will take a broad look at the cyber security challenges facing the AMI/Smart Grid sector, which exist in part because cyber security is a fundamentally different enterprise from other reliability concerns. This article will also examine the CIP standards themselves (along with why a number of industry participants have argued that the NERC directives should not even be classified as “standards”), and take a look at some new technology developments and utility responses that have emerged as a result of the NERC/FERC initiatives.

The CIP standards

Earlier this year, FERC approved the CIP standards, developed in conjunction with NERC. The CIP standards detail the action that power generation companies must take to protect their critical assets such as computers, software, supervisory control and data acquisition (SCADA) and process control systems, and the networks that support those systems. Each of the eight NERC CIP standards tackles a different aspect of IT security, such as personnel and training, incident reporting and response planning, and recovery plans.  

The eight CIP standards contain over 160 requirements and sub-requirements. Generally, the CIP standards will require the following actions when fully implemented at the end of 2010: 

  • CIP-002-1--Cyber Security--Critical Cyber Asset Identification: Requires a responsible entity to identify its critical assets and critical cyber assets using a risk-based assessment methodology.

  • CIP-003-1--Cyber Security--Security Management Controls: Requires a responsible entity to develop and implement security management controls to protect critical cyber assets identified pursuant to CIP-002-1.

  • CIP-004-1--Cyber Security--Personnel & Training: Requires personnel with access to critical cyber assets to have identity verification and a criminal check. It also requires employee training.

  • CIP-005-1--Cyber Security--Electronic Security Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology required by CIP-002-1.

  • CIP-006-1--Cyber Security--Physical Security of Critical Cyber Assets: Requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter.

  • CIP-007-1--Cyber Security--Systems Security Management: Requires a responsible entity to define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the non-critical cyber assets within an electronic security perimeter.

  • CIP-008-1--Cyber Security--Incident Reporting and Response Planning: Requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets.

  • CIP-009-1--Cyber Security--Recovery Plans for Critical Cyber Assets: Requires the establishment of recovery plans for critical cyber assets using established business continuity and disaster recovery techniques and practices.

The initial CIP phase is largely procedural, with a focus on background checks, password protection, and auditability. However, the long-term reach of the CIP standards is quite significant and will impact many aspects of power generation and utility T&D operations. Some of the more significant CIP standards include: 

  • CIP-005 requires power generating companies to establish and document an ESP around critical cyber assets and identify communication penetrations through the perimeter. Such companies must control, monitor, and log external access to the cyber assets within the ESP around the clock for routable-protocol (such as IP) and dial-up communications. Two-factor or stronger authentication (2FA) is required for external access to cyber assets within the ESP.

  • CIP-007-1 focuses on distributed control systems (DCSs). The CIP-007 standard requires protection of the critical cyber assets (including certain other cyber assets) within the ESP, such as control system subsystems or major components, including PLCs, HMIs, and data processing units. The protection requirements of CIP-007 limit IP ports and services to only those necessary for operations, and require malicious software detection and prevention, account management controls, security status monitoring, and security patch management.

The CIP Standards were not immune to criticism, however. In its approval of the CIP Standards, FERC did state that it was concerned about the ability of power generators and utilities to interpret the standards on their own. In fairness, the standards themselves have been criticized for being too vague, thus by default requiring a fair amount of interpretation. Further, in some instances the standards only require steps “where technically feasible,” offering what some have called a dangerous loophole that enables some companies to skirt full compliance. Another criticism is that the language included in the standards allows a utility or power company to perform its own risk assessment and potentially conclude that it does not have any critical assets that are vulnerable. This lack of an independent audit could also enable some companies to evade full compliance and thus put the integrated system at continued risk. Further still, because nuclear plants are regulated by the Nuclear Regulatory Commission and not NERC, they are not subject to the CIP Standards.

The security challenges

One of the inherent challenges of securing the nation’s electric grid against cyber security threats is that the industry is in the midst of dramatic technology changes that impact not only security but virtually every aspect of power generation. For instance, until recently, and still the case at many utilities, proprietary software and protocols were relied on to protect a utility DCS from outside attack. Most of the time, control systems weren't attached to the corporate network or the outside world, and thus they had no pressing need for security.

Many plants today are linked, through wired or wireless connections, to centralized performance-monitoring facilities with any number of employees responsible for multiple sites, vendors providing outsourced services, and even government agencies that may be integrated in some way. In addition, as new construction replaces older or retired plants, power generators are also installing equipment automation technologies. Going forward, these technologies will typically rely on Ethernet, TCP/IP, and Web technologies built around open standards. While non-proprietary, open-standards based technologies certainly foster a “plug and play” environment that offers its own set of advantages to power generators, a downside is that the new technologies are more vulnerable to cyber attacks and other problems such as viruses and worms. Put another way, almost everything that makes today’s distributed control systems (DCSs) and software so powerful, convenient, and cost-effective also makes them vulnerable to cyber attacks.

Apart from the mandates now coming from NERC, any utility or power generator should recognize the long-term benefits of cyber security, as the consequences of an unplanned unit shutdown can include significant lost revenue along with a host of other problems. Concern about the security of the nation’s power plants was heightened last year when the Department of Homeland Security leaked a video that demonstrated how a hacker could damage a power generator using only code (subsequently referred to as the “Aurora” vulnerability).  

Another factor certainly coming into play is that the aging grid infrastructure presently in operation was obviously not built with cyber security in mind. New hardware that better incorporates SCADA networks would improve cyber security, and together with the improved reliability achieved through broader construction of Smart Grid systems throughout the country, would go a long way toward securing distribution and transmission systems. However, electric utilities across the country are clearly at very different stages of AMI/Smart Grid deployment, and the achievement of an interconnected, comprehensive Smart Grid structure transcending NERC regions is a long-term project.

The problem is that while the threat of cyber attack or malfunction is increasing every week, the pace at which utilities and power generators are able to respond is alarmingly disproportionate. In fact, in conjunction with the issuance of its CIP standards, NERC conducted an audit of U.S. utilities that concluded that “little meaningful progress” had been made toward safeguarding the nation’s electric grid from malicious attacks. Further, NERC concluded that few companies are ready to implement the first wave of NERC CIP Standards. The dynamic has often been characterized as an “arms race” between utilities/vendors and hackers, racing to protect or penetrate, respectively, complex utility systems. Hackers of course can have multiple motives in attempting to break into a utility system, ranging from the desire to obtain customer credit card data from a database to actually trying to overload a system to the point of failure.

Some of the questions that NERC and FERC continue to address include the following:

  • What will it take to reasonably ensure the reliability of the bulk power system from a cyber security threat?

  • What should NERC do to ensure its efforts are complementary to the efforts of the government and industry?

  • What should NERC do to ensure there are no gaps or confusion with respect to responsibilities for and execution of cyber security protection initiatives?

Vendor response

Larger security companies that have, in the past, worked with energy firms to develop highly customized regulatory compliance procedures are looking to incorporate new methods, systems, and software from a variety of sectors to meet compliance needs. The new applications often increase the ability of firms to communicate with reliability regulators in real time. The approach, say these sources, will mean more seamless communication with regulators when providing sensitive information and thus improved compliance with cyber security and other standards.

Security vendors, looking to sell their products to utilities and others to meet CIP compliance demands, have stated that the number-one challenge is the legacy systems in place at many utilities. Such older systems present unique difficulties in linking vulnerable systems to one console for simultaneous monitoring, according to vendors. Once monitoring is centralized, the second hurdle is securing the connection used to relay information and documents to regulators, i.e., to NERC.

There are a number of examples of vendors that are presently working with utilities to address the mandates leveled by NERC. For instance, Intralinks offers communication software that can be applied across all stakeholders to better communicate with reliability and federal regulators. The established compliance solution provider Aegix has recently adapted the Intralinks system to provide a more "streamlined way to maintain compliance and manage risk for NERC/FERC's new regulations," according to these sources. Another example of a vendor that is presently marketing product solutions to companies impacted by the NERC CIP standards is Aegis Technologies. Its Odyssey product series protects control systems by intercepting, authenticating, and encrypting all access attempts. The Odyssey product also includes a standard set of security tools that protect operating systems from malicious software. Another example is Symantec’s Control Compliance Suite, which automates key IT compliance processes and maps policies to multiple frameworks.

In summary, the range of cyber security risks to the bulk power system is not presently known, and new risks will continue to arise. The steps taken by NERC and FERC are clearly only one step in the process of securing the electric infrastructure, but they are an important step in a multi-year process. 


About Automation Insight
Automation Insight is a complimentary monthly publication designed specifically for the utility industry and those serving the utility industry. For comments or suggestions on future article topics, please e-mail automation.insight@kema.com.