Security Standards for Power Companies

Electrical utilities have developed converged standards for protecting and managing risks. Is your industry next?

It took four years, twice as long as Larry Bugh thought it would, but the nation now has a proposed set of standards designed to help protect the North American power grid from cyberattack. These standards, dubbed critical infrastructure protection Permanent Cyber Security Standards and released by the North American Electric Reliability Council (NERC) in May, represent what appears to be the first set of security standards to address every aspect of cyber­security, including operation, management and even the physical safety of cyberassets.

The Federal Energy Regulatory Commission (FERC) is poised to adopt these standards, which have the potential to be seen as a model by players in other industries that make up the nation’s critical infrastructure.

Bugh is a leading player in the standards effort. He is CSO at ReliabilityFirst, one of the eight U.S. reliability councils that monitor and enforce good reliability practices in the power industry. He chaired the 25-member NERC standards draft team, which was formed in early 2003. The federal government asked the team to discuss how electric providers should respond to industry trends that showed a growing number of electrical utilities connecting their control systems to their computer networks.

Those powerful network links led to some real disconnects between professionals with different areas of expertise. Bugh says that executives at many utilities were unfamiliar with the idea of having to protect control systems from cyberattack since, in the past, control systems have typically been kept separate from other systems. But as technology has evolved and the power industry has looked for operational efficiencies, control systems have become more connected to computer systems and the Internet, and therefore are emerging computer security threats. (See “Out of Control,” www.csoonline.com/read/080104.)

Meanwhile, computer security experts had trouble adapting to the idea that any cybersecurity protections needed to be implemented in ways that did not so much as slow down the control systems.

So NERC, whose 7,500 members comprise most of the electric sector entities (including cooperatives, government and investor-owned) in the United States and Canada, as well as those in Baja, Mexico, set up the draft team to devise the original standards in August 2001.

“We knew we were breaking new ground, and we knew it would be controversial,” Bugh says of the effort and its intended product. Even still, he figured it would take only a couple of years to work things out. But a first draft that generated 900 pages of comments from NERC members was a sign of how much work was ahead.

Standards with Muscle

The new critical infrastructure protection (CIP) standards stand out both for their breadth and their teeth—once FERC approves the CIP standards, both the industry group and the government will have the power to fine member utilities that don’t comply with them.

The standards are broad, affecting everything from the hiring process for people who will be responsible for cybersecurity (including background checks), to guidelines for perimeter security responsibility and controls. They cover, among other things, training standards, management systems, electronic security, physical security, and incident reporting and response.

NERC officials are careful to note that the new infrastructure standards cover only cybersecurity—the physical aspects of the standard relate specifically to physically securing cyberassets, not, say, power transmission lines or turbine generators. Still, the effort will mean that any piece of information technology whose vulnerability could affect a control system’s operation—whether it be a computer system, backup system, network equipment or software—needs to be protected.

That risk coverage is a noteworthy step, says Dale Peterson, director of the consulting practice at Digital Bond, a company that consults on supervisory control and data acquisition, or SCADA, systems for a variety of industries, including electric power generators. Peterson has blogged extensively (at www.digitalbond.com) about the NERC standards as they have been developed. “There are no other standards in the cybersecurity space that say ‘you must do this,’ and have a measurement component and have an audit plan,” he says.

Peterson says this represents a significant shift from the guideline documents common to this industry, which have loose recommendations. “These say ‘must’ or ‘shall.’ These standards can be audited, and you can say if it’s compliant or noncompliant,” he says.

Covering Digital and Physical Ground

The new critical infrastructure protection Permanent Cyber Security Standards replaced an earlier version developed in the wake of the September 11 attacks. That version, called the Urgent Action Cyber Security Standard (also known as CIP 1200), was approved the day before the August 2003 blackout and was considered a temporary measure.

The NERC group working on the new critical infrastructure protection standards used CIP 1200 as a jumping-off point, but the new standards are far broader, with eight categories covering the gamut of physical, operational and cybersecurity challenges. Among other things, the standards would require: background checks of potential employees, access authorization on both the physical and systems side of a utility, and establishment of a full-scale disaster response and restoration plan for both cyber and physical incidents. (See “Mission Critical,” opposite page.)

Peterson says that electricity providers will be able to read the standards and understand how to build a complete security program. NERC also has organized seminars where people like Bugh talk through the standards with power industry managers.

The standards themselves still face some politicking. The NERC board approved them and considers them in effect for its members as of June 1, 2006. But NERC only submitted the standards to FERC in August, and the federal agency has no deadline for adopting these standards as government policy. NERC also is negotiating with other parties in the North American grid, including the provinces and other regulatory bodies in Canada and the Mexican state of Baja. Thus far, the province of Ontario has signed a memorandum of understanding to adopt the NERC cybersecurity standards.

FERC will release a Notice of Proposed Rule Making and allow for public comments on the standards. It may not give them a rubber stamp, though: NERC submitted 102 standards to FERC for approval in its initial application to become the nation’s first Electric Reliability organization, an entity created by the Energy Policy Act of 2005. FERC has reviewed that list but remanded 20 of the proposed standards to NERC with specific comments about what needs to be done for it to approve them. While FERC could send back some or all of the new CIP standards, Stan Johnson, a manager of situation awareness and infrastructure security at NERC, says he expects the standards to be approved by June.

Members of NERC’s drafting team says they tried to make up for the lack of hands-on examples contained in the standards by creating a three-point framework. “We had to consider three things: the [potential cybersecurity] threat, the consequence of an event and the vulnerability,” says George Miserendino, president of Triton Security Solutions. Miserendino was on the CIP cyber­security drafting team, representing Edison Electrical Institute.

The huge blackout of Aug. 14, 2003, in which a software glitch at a single electrical provider in Ohio cascaded into an event in which 50 million people in North America lost power, underscored the importance of the reliability standards discussion. But Miserendino says that the group’s biggest motivator was the threat that FERC might come in and do the regulating for it. In part, he says, that’s because the 2005 Energy Act made FERC responsible for electrical transmission reliability and gave the federal agency the ability to fine utilities for noncompliance.

Even with the threat of government regulation, Miserendino says, gaining consensus within NERC on self-regulation took almost three years. “The difficult thing was convincing people this was the first step in an evolution and not an end unto itself,” he says.

The standards have room to evolve. While more than 88 percent of NERC’s members voted to approve them—approval required two-thirds—there were still some “no” votes cast. NERC noted objections when it announced the critical infrastructure protection standards: implementation costs, combined with the potential for little or no return on that spending; requirements that went beyond critical cyberassets at bulk power system control centers; and some ambiguous asset definitions. FERC may ask for clarification on any of these issues. FERC might also balk at the industry being its own auditor. But no one expects wholesale rejection by FERC.

What remains unclear is whether the standards will have any impact on other elements of U.S. critical infrastructure, such as the chemical, water, or oil and gas industries. “I’ve told my friends in chemical and oil and gas that they could take those NERC standards, change the definition of what a cybersecurity asset is and use them as they are,” says Peterson. He suspects that won’t happen, in part because of industry politics and in part for regulatory reasons—FERC has both a measuring stick to gauge compliance and a rod to punish failures. Other industries have fewer cyber­security rules.

Johnson from NERC says that his organization has had only generic talks about cybersecurity with the chemical industry. But its CIP standards have caught the attention of the nuclear power industry and the water sector, both of which are interested in how the standards came about. It may be that Bugh and his drafting team have created a landmark in cybersecurity that will ripple beyond the electric power industry. n

Michael Fitzgerald is a freelance writer based near Boston.