GRID RELIABILITY
New CIP standards leave questions unanswered
This January, the Federal Energy Regulatory Commission (FERC) issued Order No. 706 approving a set of eight reliability standards for critical infrastructure protection (CIP) developed by the North American Electric Reliability Corp. (NERC). The CIP standards require responsible entities (REs) at certain users, owners, and operators of the U.S. bulk power system to comply with specific requirements to safeguard critical cyber assets. In many ways, they are the centerpiece of the larger set of NERC reliability standards that apply to modeling, protection systems, and facility ratings, among other areas.
Though NERC’s CIP standards are not as stringent as those of the National Institute of Standards and Technology (NIST)—indeed, some consider the latter superior—complying with them could be more costly than complying with other grid reliability standards now in effect. Although, in many cases, the other standards require a more granular and specific documentation procedure for activities, they are more operationally directed and already part of an RE’s routine business. The CIP standards, however, are new to almost everyone and require a retooling of business practices that could raise costs considerably.
Pay a little now, or a lot later. REs would be wise to pause and think a moment before decrying the potential additional compliance costs. One can argue that those costs to power generators, transmitters, and distributors pale in comparison with those caused by the 2003 Northeast blackout, a scenario that many fear could be repeated if a substantial breach in the security of interconnected grid controls were to occur. Even the estimated $8 billion to $12 billion total cost of the 2003 blackout is minuscule compared with the effect on national security that a widespread service outage would have (Figure 1).

1. Lesser of two evils. The costs to comply with new, mandatory FERC cyber security standards are insignificant compared with those of an outage as widespread as the August 2003 Northeast blackout. Courtesy: NREL
The new CIP standards are a subset of NERC/FERC reliability standards, and the keystone of the CIP group is CIP-002-1 for critical cyber asset identification. As a first step in establishing a list of their critical cyber assets, REs must assess the risk to the integrity of the interconnected grid that their systems’ vulnerabilities represent. The methodology to be used by such a risk-based assessment was to be completed by December 31, 2006. Any user of the bulk electric system that had not developed a methodology by that date was technically out of compliance, even though the CIP standards were not enforceable at that time.
We can reasonably expect CIP surveys from the REs in the near future. Perhaps FERC itself will gauge an entity’s reliability readiness using milestones laid out in its implementation plan for cyber security standards CIP-002-1 through CIP-009-1. Any response to the survey questions that implies an RE was not actively preparing to comply with the standards because it was waiting for the standards to become mandatory is likely not a good strategy.
Who decides what’s critical? Identification of critical cyber assets continues to be the most controversial aspect of the CIP standards. If an RE complies with CIP-002-1 by assessing its system vulnerabilities and the assessment determines that they are not critical to CIP, then CIP-003 through CIP-009 do not apply to the RE. All that remains is to re-run the criticality tests every year and meticulously document having done so.
What remains controversial is the assessment’s methodology. Questions and complaints about it were raised in comments to the notice of proposed rulemaking (NOPR) that preceded the January final rule. Some commenters said it would be difficult or impossible to meet the assessment requirement of CIP-002-1 when provided with little or no guidance on how to do so. Others stated that only an entity with a broad view of the interconnected system could make such a determination, and they asked FERC to have a third party, such as a regional transmission organization, make the call for them.
In paragraph 253 of Order No. 706, FERC responded to the requests for additional guidance on developing assessment methodologies as follows:
The Commission believes that the comments affirm that responsible entities need additional guidance on the development of a risk-based assessment methodology to identify critical assets. While we adopt our CIP NOPR proposal, we recognize that the ERO [NERC] has already initiated a process to develop such guidance. The CIP NOPR proposed to direct that NERC modify CIP-002-1 to incorporate the guidance. However, we are persuaded by commenters that stress the need for flexibility and the need to take account of the individual circumstances of a responsible entity. Thus, we modify our original proposal and in this Final Order leave to the ERO’s discretion whether to incorporate such guidance into the CIP Reliability Standard, develop it as a separate guidance document, or some combination of the two. A responsible entity, however, remains responsible to identify the critical assets on its system.
Two key points stand out in that passage. The first is that guidance is needed, and that FERC is leaving NERC to decide whether to provide it within CIP-002-1 itself or in what may end up as a reference document. The second point is that the responsibility for identifying critical assets remains with REs.
This second point is more important, for two reasons. First, considering the substantial cost of complying with the entire set of CIP standards, allowing one wholesale market participant to identify the critical assets of a competitor and thereby raise its costs would be an opportunity that would be hard to resist. Second, leaving the responsibility for identifying critical assets with owners and operators of systems or facilities ensures their engagement in the grid reliability maintenance process. Decisions related to CIP should not be farmed out to a regional entity or utility. Ultimately, REs will likely realize that FERC has done them a favor by preventing another entity from imposing a critical asset identification on them (Figure 2). Though smaller REs may need help with the wide-area views and base-case modeling that risk-based assessments require, such assistance can come from service providers they hire to crunch their numbers in spreadsheets.

2. Change in the air. Many responsible entities are unsure how to identify their critical cyber assets and are understandably loath to allow others to do so. Courtesy: NREL
Cascading asset outages. Embedded within any risk-based assessment will be some version of the definition of risk noted in Order 706. If one accepts that Risk = Frequency × Consequence, and if Consequence is essentially infinite in the case of a major disruption to the electric grid and associated services, then any Frequency greater than 0 equates to infinite Risk.
Some have argued that because the grid was designed to withstand an N-1 contingency (the loss of any one element), no single generator or transmission element can be operationally critical. In paragraph 256 of Order 706, FERC put this concept to rest with the following language:
While the N minus 1 criterion may be appropriate in transmission planning, use of an N minus 1 criterion for the risk-based assessment in CIP-002-1 would result in the nonsensical result that no substations or generating plants need to be protected from cyber events. A cyber attack can strike multiple assets simultaneously, and a cyber attack can cause damage to an asset for such a time period that other asset outages may occur before the damaged asset can be returned to service. Thus, the fact that the system was developed to withstand the loss of any single asset should not be the basis for not protecting that asset.
Vectors of vulnerability. Close reading of the CIP standards and Order 706 gives rise to an intriguing question that REs evidently must answer themselves. The final rule defines critical assets as follows: “Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.” In turn, critical cyber assets are defined as “cyber assets essential to the reliable operation of critical assets.”
The theory is that identification of critical assets will lead to identification of those cyber systems that support the critical asset and thus need the protection of the measures of CIP-003 through 009. A key phrase that appeared in the FERC staff's December 2006 preliminary assessment of NERC's then-proposed CIP standards, but that is missing in the final rule, is “vector of vulnerability.” Here's the context of that phrase, as stated in the staff assessment: “It is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.”
This raises the question, Can one have a critical cyber asset without having a critical asset? The simple answer is no, because the (operationally) critical asset must be identified first; then its associated cyber assets can be identified. This leads to the further question of whether an individual computer (which per se is not a critical asset because it is not used in the day-to-day operation of the interconnected grid) can be a critical cyber asset. However, the computer—even if it is a lowly laptop that is seldom turned on—could be used to access the local utility's SCADA controls via the Internet. Destruction of this particular computer would have no impact on the operations of either the RE or the interconnected system. But should the computer still be considered a critical cyber asset because it represents a vector of vulnerability into the grid's control systems?
This is perhaps an extreme example of the questions remaining to be asked and answered about the CIP standards. Yet REs still must clarify such ambiguities when making their required risk-based assessments.
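To make the two arguments above concrete, here is an added example, not from the article, NERC, or FERC, that models a constructed, hypothetical RE inventory in Python: physical assets flagged critical by the RE's own assessment, the cyber assets that control them, and the access paths between cyber assets. It follows the CIP-002-1 chain from critical asset to critical cyber asset, shows why a single cyber event defeats an N-1 planning assumption (one compromised SCADA master removes two elements at once, the point FERC makes in paragraph 256), and flags the "vector of vulnerability" case from the staff assessment: a laptop whose destruction costs nothing but whose compromise reaches the grid controls. All asset names, relationships, and the criticality flags are constructed; the code only flags the laptop, since whether to treat it as a critical cyber asset remains the RE's decision.

```python
"""Toy model of the CIP-002-1 identification chain: critical assets ->
critical cyber assets -> access paths into them.  Added example, not from
the article or from NERC/FERC; every asset name below is constructed."""

from collections import deque

# Constructed inventory (hypothetical names, not a real utility).
# Physical assets: 'critical' is the outcome of the RE's own operational
# risk-based assessment, which CIP-002-1 leaves to the RE.
PHYSICAL_ASSETS = {
    "substation_A": {"critical": True},
    "plant_B": {"critical": True},
    "plant_C": {"critical": False},   # small peaker; its loss is tolerable
}

# Cyber assets: 'controls' lists the physical assets whose reliable
# operation depends on this system; 'can_access' lists other cyber assets
# reachable over a network or dial-up path from this one.
CYBER_ASSETS = {
    "scada_master":   {"controls": ["substation_A", "plant_B"], "can_access": ["rtu_A"]},
    "rtu_A":          {"controls": ["substation_A"], "can_access": []},
    "plc_C":          {"controls": ["plant_C"], "can_access": []},
    "field_laptop":   {"controls": [], "can_access": ["scada_master"]},  # remote access path
    "hr_workstation": {"controls": [], "can_access": []},
}


def critical_assets(physical=PHYSICAL_ASSETS):
    """Step 1: critical assets as identified by the RE's own assessment."""
    return {name for name, a in physical.items() if a["critical"]}


def critical_cyber_assets(physical=PHYSICAL_ASSETS, cyber=CYBER_ASSETS):
    """Step 2: cyber assets essential to the reliable operation of a
    critical asset (the Order 706 definition, applied literally)."""
    crit = critical_assets(physical)
    return {name for name, c in cyber.items() if crit & set(c["controls"])}


def vectors_of_vulnerability(physical=PHYSICAL_ASSETS, cyber=CYBER_ASSETS):
    """Cyber assets that control nothing critical themselves but have an
    access path into a critical cyber asset.  The literal definition does
    not capture them; the RE must decide how to classify them."""
    targets = critical_cyber_assets(physical, cyber)
    vectors = set()
    for start in cyber:
        if start in targets:
            continue
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in cyber[node]["can_access"]:
                if nxt in targets:
                    vectors.add(start)
                    queue.clear()      # one path is enough; stop searching
                    break
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return vectors


def physical_loss_from_destruction(cyber_asset, cyber=CYBER_ASSETS):
    """Physical assets affected if this cyber asset is simply destroyed:
    only what it directly controls."""
    return set(cyber[cyber_asset]["controls"])


def physical_loss_from_compromise(cyber_asset, cyber=CYBER_ASSETS):
    """Physical assets rendered unavailable if this cyber asset is
    compromised and its access paths are followed.  Compare the size of
    the result with the N-1 planning criterion."""
    lost, seen, queue = set(), {cyber_asset}, deque([cyber_asset])
    while queue:
        node = queue.popleft()
        lost.update(cyber[node]["controls"])
        for nxt in cyber[node]["can_access"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return lost


def defeats_n_minus_1(cyber_asset, cyber=CYBER_ASSETS):
    """True when one cyber event removes more than one element at once,
    which is exactly the case N-1 planning does not cover."""
    return len(physical_loss_from_compromise(cyber_asset, cyber)) > 1


if __name__ == "__main__":
    print("critical cyber assets:", sorted(critical_cyber_assets()))
    print("vectors of vulnerability:", sorted(vectors_of_vulnerability()))
    for asset in CYBER_ASSETS:
        print(asset, "destroyed ->", sorted(physical_loss_from_destruction(asset)),
              "| compromised ->", sorted(physical_loss_from_compromise(asset)),
              "| defeats N-1:", defeats_n_minus_1(asset))
```

Run as a script, the output shows the contrast the article draws: destroying the field laptop affects no physical asset, while compromising it reaches both critical elements through the SCADA master, and compromising the SCADA master alone removes two elements in one event.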
Fresh air is healthy. Discussions on the development and modifications of all NERC reliability standards take place in an open, public forum designed to solicit comments and address concerns of the stakeholder community. Paragraph 253 of Order No. 706 directs NERC to modify CIP-002-1 to incorporate guidance on risk-based assessment methodology. Accordingly, stakeholders should be attentive to publicly posted changes in the standard. They also should either participate in the process by attending drafting team meetings or monitor and comment on developments using NERC's web site (www.nerc.org).
The CIP standards and their requirements may have the largest impact of all NERC standards on the integrity of the interconnected system and on the operations and budgets of the system's users as well. While adoption of the standards will bring huge changes to the industry, it's important to realize that those changes are not being instigated in a “smoke-filled room” at NERC's headquarters in Princeton, N.J. They are born in the full light of day, so REs need only look to see what changes are proposed and comment on whether they would be good for them, CIP, and grid reliability.
—Jim Stanton (jstanton@icfi.com), POWER contributing editor and director of NERC compliance for ICF International.