A recent report issued by ICS-CERT indicated that attacks against energy-related assets have increased by as much as 380% since 2010, putting a great deal of pressure on the energy sector to bolster NERC CIP compliance where cybersecurity is concerned.
NERC is the acronym for the North American Electric Reliability Corporation, a non-profit organization which operates under the auspice of the Federal Energy Regulatory Commission (FERC). It was conceived for the purpose of creating and enforcing security standards to ensure the reliability of the Bulk Electric System in North America, including Canada and parts of Mexico.
The Critical Infrastructure Protection (CIP) standards NERC has developed comprise 8 primary standards, which include 41 requirements and 164 sub-requirements, and compliance is mandatory for all of the major electric companies that make up the North American power grid.
The first NERC CIP version went into effect in 2008, and so began the Sisyphean task of achieving and maintaining compliance. Since then, several new versions have been drafted which have added additional requirements and broadened the number of critical assets in-scope.
Companies are currently being audited based on CIP version 3 and are mandated to become fully compliant with version 4 by April of 2014, which has many entities struggling under the pressure because of limited resources.
To further complicate matters, CIP version 5 has already been drafted and is awaiting final approval. What’s at stake? Fines for compliance violations can be up to $1 million/day, and in the past four years, actual fines assessed have totaled more than $150 million.
With so much at stake and time literally running out, the question remains as to whether or not utilities have a clear understanding of NERC CIP version 4 requirements. Fortunately, the only thing that changed substantially in version 4 was CIP-002 which deals with the identification of Critical Assets and Critical Cyber Assets. Version 4 has theoretically made it easier for utilities to determine what is critical and what isn’t, so that should make the task more attainable for those who had a firm grasp on version 3.
“I think they have passed the 80% understanding of v4, and even some detailed understanding of various components of it,” said Brent Huston, CEO of MicroSolved, who maintains a special focus on areas of critical infrastructure, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks.
“Specifically, I would say they are getting pretty good at understanding the reporting requirements. In terms of adoption, though, that is different than understanding. Adoption of even v4 standards are well behind where we would have expected and liked to have seen, but they are making slow and steady progress in most cases,” Huston continued.
With this basic understanding, the next question is whether or not they have the right tools for automation and the correct processes in place to comply with version 4. It appears that those who are further along in their general security and compliance maturity should fare well, such as Balancing Authorities and most Transmission Operators who were “Table 1” for version 1, but other utilities that are not that far along may struggle.
“In most cases they have the tools and much of the automation or can easily gather what they need,” Huston said. “In some cases, funding is not even the primary issue – the issue is processes and resources. Many organizations simply don’t have any resources to undertake digesting the regulations, performing a gap analysis against current operations and coming up with a plan for compliance. In my opinion, most folks have the tools BUT lack either the human cycles or political/management will to make compliance happen at this point in time.”
In any case, the utilities that would most likely struggle with version 4 are those that did not previously have Critical Cyber Assets as defined by version 3, but would under the new criteria.
Those utilities probably don’t have a clue as to what the standards require yet, and they may find themselves out of compliance when version 4 takes effect.
Some, though, may be counting on the fact that Version 4 might never actually take effect, and this notion is based on the recently issued FERC Notice of Proposed Rulemaking (NOPR) on the newly drafted version 5 which proposes skipping version 4 altogether.
So that begs the next question, which is whether or not affected utilities have a clear understanding of the proposed NERC CIP version 5 requirements.
Version 5 is a significant rewrite that almost no one has been able to grasp completely as of yet. At a glance, some mandates are similar to those in previous versions, while other things have been significantly modified, are completely new, or have been removed altogether.
“I think they are still working on the understanding of the differences. I would say there is slow awareness building, but I wouldn’t say that we have seen many folks deeply digging into v5 and building heavy analysis of their current programs,” Huston ventured.
“In some cases we have seen folks building action plans for moving programs that were loosely based on v4 toward v5 compliance. But in many cases, especially with lower resourced utilities and many co-ops, we continue to see folks still struggling to even understand the basics of NERC CIP requirements, even on an ad-hoc basis.”
There are definite drawbacks to banking on version 4 being shelved and investing in preparations for version 5, the first of which is obviously that the version 5 standards have not yet been approved. Also, FERC may direct changes or add significant guidance on how the standards should subsequently be audited, enforced, interpreted, and ultimately applied. Furthermore, auditors have not yet had a chance to work on their audit approaches, and utilities have not established common practices, which can influence audit approaches.
Version 5 still has a long way to go before it would be ready to implement, and given that it is still in draft form, it seems unlikely that it could be fully amended in time to meet the version 4 implementation deadline.
There may be some necessary improvements in version 5, but the overall reaction in the industry has been that the approach is far too prescriptive, has not properly addressed the need to take an assessment-based approach to audits, and still requires too much paperwork, which effectively just eats up limited resources.
“In my mind it is too prescriptive for sure. I would just love to see it evolve and a body of knowledge and interpretation be built up around it to make it more leveragable for those struggling with slim resources,” Huston said. “I am not sure it is general enough to cover areas of risk that may be relevant to smaller installations, and the specificity might not allow them to be flexible enough to take advantage of newer solutions or think outside the box about new ways to solve traditional problems. That said, it is better than nothing.”
While the CIP standards have largely forced many utilities to improve security, like many regulatory efforts they have created an artificial ceiling on the overall effectiveness of security programs for others, have diverted resources and focus away from more relevant security-related activities, and may have stifled innovation in the marketplace.
“Regulation is hard. It’s hard to work through government processes and oversight in a manner that is capable of syncing with technology changes and innovation in the real world. This is especially true in ICS where the innovation engines are running full steam now that many tech companies have set their eyes on the marketplace,” Huston continued.
“I think this part gets worse before it gets better.”
Editor’s note: Special thanks to Steve Parker of EnergySec for consultation on this article.
Upcoming Webcast: Passing NERC CIP Audits via Automation
Webcast highlights include:
- CIP requirements most likely to cause audit findings
- Examples of successful – and unsuccessful – approaches to achieving compliance
- Using Tripwire products, services and NERC-specific extensions to meet CIP standards
- Live demonstration of using Tripwire to address specific NERC CIP requirements
- Date: June 11, 2013
- Time: 10:00 AM Pacific/1:00 Eastern
- Duration: One Hour