NERC Cyber Security Rules: Evolution or Brownian Motion?

Follow the bouncing ball. The electricity industry is now figuring out the meaning of the fourth generation of the North American Electric Reliability Corp. (NERC) cyber security rules in four years, while a fifth version is in the works. NERC claims it is evolution. To many industry critics, it looks like regulatory Brownian motion, a random movement driven more by the vagaries of two colliding bodies—NERC and the Federal Energy Regulatory Commission (FERC)—than the result of a rational process.

Electric Power Research Institute (EPRI) executive Paul Mydra scratches his head over what he describes as “a never-ending battle of getting the standards to stay in place.” He adds, “Every time they [NERC] get them done, they seem to go and start the process again.” As a result, says Myrda, the industry holds back on needed capital investment, waiting for the regulatory landscape to become clear and predictable.

NERC’s cyber rules are known collectively as CIPS, the acronym standing for “critical infrastructure protection standards.” The full description and history can be found in the fundamental NERC bible, “Reliability Standards for the Bulk Electric Systems of North America,” updated July 18, 2012.

Congress amended the basic federal law, the Federal Power Act, in 2005 following the massive Northeast blackout of August 2003. The changes made voluntary industry reliability standards mandatory, enforced by NERC, now constituted as the nation’s “Electric Reliability Organization” or ERO. NERC became a quasi-governmental institution overseen by FERC. Among the issues NERC must address is cyber security, but it must also coordinate the regulations with emerging trends in cyber security coming from the National Institute of Standards and Technology, a federal government research agency that is part of the Department of Commerce, while tangoing with the Department of Homeland Security.

Moving Target

CIPS is a suite of standards, nine in total, of which eight are significant (CIP-002 through CIP-009), defining just what the electric industry must do under Section 215 of the Federal Power Act to protect the electric system against massive disruptions, either by acts of nature or the intent of man. The NERC cyber standards address activities such as how to define critical assets (CIP-002) and how to recover from a cyber attack (CIP-009). CIP-002 has proven to be the lightning rod for the entire complement of regulations, as defining terms has turned into a Sisyphean task.

In January 2008, FERC approved NERC’s first attempt at the cyber security rules, under development since 2006. In Order No. 706 (Docket No. RM06-22-000), the commission tentatively blessed NERC’s planned array of cyber rules, now known as CIPS-1. The FERC order stated, “The Commission may revisit this issue in future proceedings as part of an evaluation of existing Reliability Standards or the need for new CIP Reliability Standards, or as part of an assessment of NERC’s performance of its responsibilities as the ERO.”

Since then, three new versions, two of which have been major, have appeared. CIPS-3 emerged from NERC’s regulatory sausage machine in December 2009, with the process that would result in CIPS-4 already underway. CIPS-4 won formal FERC approval in April 2012 and goes into full effect April 2014, while CIPS-5 is currently in the belly of the beast, with an estimated 2013 date for its emergence into the real world. In congressional testimony in July, FERC reliability chief Joseph McClelland said that when the commission approved CIPS-4, “it recognized that Version 4 is an interim step and stated its concern that Version 4 does not provide enough protection to satisfy Order No. 706. Thus, the Commission established a deadline of end of first quarter of 2013 for NERC to file standards in compliance with the outstanding directives in Order No. 706.”

As explained at a recent webinar put on by the consulting firm PwC and cyber security software vendor SailPoint Technologies, CIPS-4 represents a fundamental change from the prior iteration. According to PwC’s Brad Bauch, version 3 of CIP-002 told electric companies to employ a risk-based approach to identifying critical assets, so the analysis might differ from system to system, based on judgments by the owners and operators. No more—FERC later determined that this approach did not meet the requirements of the law. Version 4, as a result, prescribes critical or “bright line” facilities.

Expanding Scope

What has this change meant? According to Bauch, any generating station larger than 1,500 MW (excluding nuclear units, which have their own separate security rules) is, by definition, a critical asset. Black start units are on the list, which also includes expanded elements of control centers and any plant that provides more than 300 MW of load-shedding capacity. The bottom line, says Bauch, is a 20% to 30% increase in covered assets, with concomitant cost increases.

PwC’s Bauch presented the case of a real, but unnamed, independent power producer to demonstrate the impact of the latest CIPS version. Under v3, he said, the company had no critical assets facing either a conventional or cyber threat. Under v4, 11 sites and 85 employees fall under the critical asset definition.

Version 5, in drafts circulated to date, will add further complexity (and, likely, costs), according to Bauch. Instead of a binary approach (on the list or not), NERC’s new version will include categories of coverage: high, medium, low, and “non-impactful.” This will mean, he said, “fewer assets will be critical, but coverage will be greater.” Control centers, for example, will be among the highest of critical assets, requiring greater oversight and security management. Anyone with access to a control center will have to have a thorough identity profile, including a background check and significant cyber security training. Tracking access and activities of employees and contractors will have to be rigorous. There will be a “need for deeper and broader understanding of access rights for visibility and transparency,” Bauch said.

How far will CIPS-5 move the U.S. electric system toward real security against a cyber attack, which many analysts now regard as the highest order of threat to the grid? Not far enough, according to FERC’s Joe McClelland. In his July testimony at the Senate Energy and Natural Resources Committee, McClelland outlined gaps in the law that he argues limit the ability of the federal government to provide full grid protection. First, McClelland said, the law applies only to the nation’s “bulk power system.” That means it doesn’t apply to facilities—including large government facilities—in Alaska and Hawaii. Perhaps more significantly, the definition means that the protections do not apply to the local distribution grid. Veterans of the electric business understand that making a distinction between the distribution grid, subject to state control, and the transmission that falls under FERC authority can be an exercise in arbitrariness and sophistry.

Not There Yet

What’s more, McClelland said, the cumbersome regulatory system isn’t fast or flexible enough to respond in an emergency. The NERC standards development process, involving multiple iterations reviewed by multiple stakeholders, “can be fine for routine reliability matters,” he said. But “it is too slow, too open and too unpredictable to ensure its responsiveness in the cases where national security is endangered. This process is inadequate when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information.”

Joe Weiss with the consulting firm of San Francisco-based Applied Control Solutions and a former EPRI technical manager is a veteran of grid security. In a blog commentary last year, he observed acidly: “The NERC CIPs have a number of characteristics that make them a roadmap for attacking the electric grid. They were developed by the NERC consensus process. The process is long, arduous, and inherently a ‘low bar’. As such, the process results in trying to make it easier on the ‘attackee’ than trying to make it more difficult on the attacker.”

—Kennedy Maize (@kennedymaize) is MANAGING POWER’s executive editor