March 15, 2007

Focus on O&M (March 2007)

SYSTEM RELIABILITY
The critical subset

Some of the most interesting reliability standards are also the ones getting the most attention as we approach the transition to mandatory compliance and enforcement this summer. They are the Critical Infrastructure Protection (CIP) standards. On December 11, 2006, the Federal Energy Regulatory Commission (FERC) issued an assessment (Docket No. RM06-22-000) of the proposed CIP standards it received from the North American Electric Reliability Corp. (NERC), America's first electric reliability organization. In the assessment, the commission said it will address approval of the CIP standards in a separate rule-making.

CIP Standards 002 through 009 are concerned with protection of the bulk electric system's critical assets—facilities that, if damaged or disabled, would compromise the integrity of the grid or cause long, widespread outages. The cause of the damage or disabling could be physical or a cyber attack on grid control or data acquisition systems. The CIP standards are intended to give users of the bulk electric system a detailed plan for securing their portion of it through identification and deterrence of electronic attacks.

The keystone of the CIP standards is CIP-002. It requires every responsible entity (RE)—a transmission owner/operator, generator owner/operator, load-serving entity, or power marketer—to perform a risk-based assessment of its assets to determine whether any meets the definition of "critical." Any facilities that do would be subject to the requirements of CIP-003 through CIP-009. So far, NERC has outlined the broad points of such an assessment but has not detailed what it would entail. FERC's December assessment is no help in that regard; it only states that "The methodology and process developed by a RE must be stringent and rigorous." Ideally, the absolute requirement by CIP-002 to do a risk-based assessment, and NERC's broad outline of it, will be sufficient to generate an array of industry responses and methodologies from which a set of best practices can be culled.

Interpretive dance

One phrase that appeared in the December docket has users scratching their heads. The assessment explains that even if an RE has no operationally critical assets, any of its cyber assets that connect to control systems of others on the interconnected grid may have to be secured to block unauthorized access to the electric system. FERC calls such exposures "vectors of vulnerability," but that's not the ambiguous term.

What is being discussed widely is language in the FERC assessment that calls on REs to use "reasonable business judgment" when interpreting the CIP standards and their requirements. To some, this is a legal term with specific precedents that may or may not serve the interests of cyber security. To others, it implies that if an RE determines that it is in its own best interest to interpret a standard one way—for example, narrowly or broadly—it could make decisions that compromise the integrity of the system as a whole.

FERC staff has reached out to various industry stakeholders and trade associations since issuing the assessment of the proposed CIP standards. One of the first questions they have asked stakeholders is their opinion of the "reasonable business judgment" phrase. Expect NERC to express its opinion when it comments on the assessment and in subsequent submittals to the commission.

No time to lose

As part of its rule-making process, FERC also will be looking closely at the schedule for implementing the CIP standards. As the standards are currently proposed, many REs must be prepared to certify that they had begun work on a CIP compliance plan by December 31, 2006.

Although FERC has neither approved the proposed standards nor issued a rule-making to implement them, the commission has stated that all REs are expected to comply with all NERC standards, regardless of their status. Many entities have already initiated the compliance efforts that the CIP standards call for. These steps include working with a regional reliability organization to develop a risk-based assessment plan, defining their own plan, and outsourcing assessments to third parties.

With the time to enforcement now down to a few months, it is time for REs to put their compliance plans in place and into effect. Implementing a compliance plan will require not only deploying the electronic tools to manage procedures, submittals, and relevant data. It also will necessitate another plan: for closely monitoring constant changes in the applicability of new standards being developed and of existing standards being modified.

—By Jim Stanton, POWER contributing editor and project manager at ICF International. He can be reached at 713-445-2000 or jstanton@icfi.com.

© 2012 Tradefair Group, an Access Intelligence LLC company.