Beyond CIP compliance
Although space constraints preclude a deep discussion of the details, the new CIP standards cover the following areas: critical cyber-security asset identification, security management controls, personnel and training, electronic security perimeters, physical security of critical cyber assets, systems security management, incident reporting and response planning, and recovery plans for critical cyber assets. The full texts of the standards are available at www.nerc.com.
Most governmental and quasi-governmental standards become the equivalent of the minimum daily requirement for nutrition. That is, they set the floor, not the ceiling, for compliance. However, for the purposes of actually protecting your revenue-producing assets, you need to think beyond these standards. Security experts note that many of the vulnerability scenarios are not well understood.
For example, suppose someone secretly installed viruses or worms on DCS systems at multiple plants and synchronized their activation so controls or equipment would be disabled at a specific time in the future. Think of these lines of code as errant Y2K-like tickers lurking in multiple systems. Suddenly, an asset that wouldn’t be considered “critical” becomes critical because it is linked with other assets that would be crippled at the same time. This is the kind of scenario that keeps cyber security experts up at night. Last fall, a video marked “Official Use Only” was obtained by the Associated Press. Thought to have been produced by the Department of Homeland Security and Idaho National Laboratory, it shows an industrial turbine spinning out of control and being destroyed after having been commandeered by hackers in a mock attack.
Another way for plants to approach the new cyber security regime is to “think like a nuke.” Conceptually, managing threats and vulnerabilities, whether physical or cyber, involves the same methodologies. Nuclear plants have decades of experience in this area that could be tapped to improve the security of the U.S. fossil-fueled fleet.
Eventually, the NERC standards may get everyone on the same page. In the meantime, plants need to find some middle path between conducting business as usual and trying to meet the letter of a treaty that hasn’t yet been ratified. Some suggested actions for plant managers to take while the industry waits for more specific instructions from regulatory agencies—or the courts—follow.
Appoint someone to manage or be responsible for cyber security. CIP is no longer something that can be outsourced, treated as a DCS vendor service, or tossed over to corporate. The “responsible entity” (FERC’s jargon) must be given the resources and the budget to get the job done.
Think of cyber security as another function. Treat it as you would environmental health and safety (EHS). Almost every plant has an EHS department or an EHS coordinator. The same should be true for cyber security. At the very least, someone needs to follow what happens to the NERC standards as they wind their way through the legal challenges.
Conduct a security assessment of all of your digital systems and equipment. Also make sure you have the latest cyber security expertise on your team. That could be accomplished in conjunction with a configuration management (CM) program to identify and bridge gaps between the DCS or plant computer and the myriad software and performance applications and communications gateways.
The problem is, many DCS systems either lack a CM tool, or what they provide is incompatible with other constraints facing the plant. CM is the control system equivalent of having updated engineering drawings of physical equipment, as opposed to “as-built” drawings of the original plant design. For most plants, cyber security represents a new functional requirement that wasn’t there when the plant was designed. Note that CM is absolutely essential at nuclear plants, which have used it for years.
Begin to develop a set of written (or documented) policies and procedures to address cyber security issues. It is no longer enough to do things ad hoc or to rely on word of mouth.
—Timothy E. Hurst, PE (timh@hursttech.com) is president of Hurst Technologies (www.hcinc.com), a consulting engineering firm specializing in instrumentation and control systems for nuclear and fossil-fueled power stations. He also is a POWER contributing editor.