and its citizens.” He added that malicious cyber-activity is occurring on an unprecedented scale with extraordinary sophistication.

Many cyber attacks threaten to strike at the heart of most power plant operations: the instrumentation and control system. As part of the critical infrastructure, generation assets are vital for national power grid and economic security, public safety, and society’s overall well-being. That’s why it’s important to equip generation facilities with control systems that not only assure reliable and efficient management but also provide maximum cyber security without negative impact on the availability of the protected assets.

A quick glance at recent National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS) publications helps us realize that we are only at the beginning of the road to secure control systems. Version three of the CIP standards was approved by the Federal Energy Regulatory Commission (FERC) on March 31 and became effective October 1. Version four of the standards is under review now and is scheduled to be submitted to FERC for approval by the end of the year.

Standards Requirements

Protection of grid-related critical assets is mandated by NERC, which is tasked with ensuring the reliability of the bulk power system in North America. The NERC critical infrastructure protection (CIP) standards requirements range from establishing clear processes for sabotage (terrorist threat) reporting and classification of the criticality of assets to specific password policy requirements, personnel risk assessment, and disaster recovery procedures. (See Table 1.) Failure to comply with applicable standards can have far-reaching consequences, including negative publicity and considerable fines ranging up to $1 million per day per occurrence of noncompliance. These fines and other consequences depend on a matrix of violation severity levels and violation risk factors, both developed by NERC.
Compliance Standards

Compliance with the CIP standards is not an easy task. Even a relatively simple standard such as CIP-001 (which covers sabotage reporting) can be challenging, and several companies failed CIP-001 audits in 2009 and 2010. Compliance with CIP-002 through CIP-009 is much more complicated. These standards cover all aspects of critical infrastructure protection, from risk-based assessments to utilization of outdated assets. Certain standard requirements are related to cyber security and protection of plant control systems, while other requirements cover physical security, training programs, and incident reporting.

November/December 2010
Vendor and Personnel Challenges

The standard requirements also are challenging control system vendors. Not only do modern SCADA and distributed control systems need to comply with a number of technical requirements, but vendor companies must implement processes and procedures that protect information related to NERC CIP-compliant facilities, perform background checks on employees authorized to access that information, and devote resources to personnel training. For multinational companies that work around the globe, this can be difficult to accomplish.
Electric Perspectives
Industry Takes Lead on Cyber Security

The Edison Electric Institute’s board of directors approved the following Principles for Cyber Security and Critical Infrastructure Protection last September at the EEI CEO meetings.

As part of the industry’s overall reliability effort, electric companies work to maintain the reliability and the security of the computers, control systems, and other cyber assets that help electric companies operate the electric grid. In response to the cyber threat, electric companies employ various strategies to protect these systems, but cyber security threats still exist.

To complement its cyber security efforts and to address rapidly changing intelligence on evolving threats, the industry embraces a cooperative relationship with federal authorities to protect against situations that threaten national security or public welfare, and to prioritize the assets which need enhanced security. A well-practiced, public-private partnership utilizes all stakeholders’ expertise, including the government’s ability to provide clear direction and assess threats, while owners and operators of the critical infrastructure propose mitigation strategies that will avoid significant adverse consequences to utility operations or assets.

Six Principles

Prioritize assets to ensure effective protection. Recognizing that there are a variety of interdependencies, and potential consequences associated with the loss of different facilities, the utility industry supports a risk-based, prioritized approach that identifies assets truly critical to the reliable operation of the electric grid…

Threats require emergency action and vulnerabilities should be addressed more deliberately. In this context, a threat is imminent and requires a rapid response. In these instances, the industry is willing to accommodate certain operational consequences in the interest of addressing the threat. Vulnerabilities, on the other hand, have a longer time horizon and can benefit from a more measured response…

Clear regulatory structure and open lines of communication. The federal regulatory framework and roles for all stakeholders involved in securing the electric grid should be clear to avoid duplicative or conflicting actions in times of crisis. The electric utility industry is not in the law enforcement or intelligence-gathering business, and the government has limited experience operating the electric grid. Thus, each should be consulted, and the flow of information should be regularly exercised, before a threat becomes a crisis. It is critical that the federal government and industry communicate with each other seamlessly…

Proactively manage new risks. As the new smart grid develops, it is essential that cyber security protections are incorporated into both the grid architecture and the new smart grid technologies. The electric power industry must continue to work closely with vendors, manufacturers, and government agencies and be aligned with emerging and evolving cyber security standards…to ensure that the new technology running the grid is, most importantly, secure and reliable. We encourage the development of a security certification program that would independently test smart grid components and systems and certify that they pass security tests…

Committed to protecting bulk electric system and distribution assets. The utility industry understands that cyber attacks affecting distribution systems could have broader implications. Since jurisdiction is split between state regulators and the Federal Energy Regulatory Commission, the utility industry supports enhanced threat information coordination and communication between regulatory agencies and utilities to protect our systems…while also honoring the existing regulatory model.

Cost recovery and liability protection. Costs associated with emergency mitigation are, by definition, unexpected and thus not included in a utility’s rate base. To ensure emergency actions do not put undue financial strain on electric utilities, the industry supports mechanisms for recovering costs…
The vigilant IT manager needs to comply with NERC requirements, as well as relevant corporate policies. (Photo: iStockphoto)

Realizing the importance and possible impact of the new security regulations at the beginning of the standard review process is important. Companies should use computer emergency response teams (CERTs) or information security (IS) departments to support preparation for adopting the standards. A vendor’s CERT or IS group needs to conduct a comprehensive internal security review of its control system and SCADA offerings, assess the need to ramp up security testing for power industry-related products, create additional cyber security consulting teams, and provide high-quality help with any aspect of NERC CIP compliance implementation. CERT and IS groups also need to work closely with customers to make sure that, in addition to covering the requirements of the standards, additional requirements set by the customers’ respective corporate policies are also met.

Control system vendors not only should support the NERC CIP standards as they relate to purely technical product features and consulting services, as set out in CIP-005, CIP-007, and CIP-009, but also should implement internal procedures and processes that comply with the requirements of CIP-003 and CIP-004. Vendors should have processes to guarantee that protected information about NERC CIP-compliant generation facilities is available only to authorized individuals and that people having access to critical facilities have appropriate cyber security training. System operators should always know who has access to the data about the facility at any one time. In the case of multinational corporations, the configuration details for NERC CIP-compliant assets should be available only to authorized U.S. employees and not shared with overseas offices.

Personnel involved with control systems for critical assets should undergo a personnel risk assessment, including background checks, at the time intervals required by the standard. A specially created NERC CIP awareness training program is mandatory for all involved employees, as is annual cyber security training. Both company employees and vendors should have procedures to ensure continued monitoring of personnel access rights. Removing an employee’s access to protected information and systems should be done while meeting or exceeding the standard’s requirements. For example, in the case of termination with cause, access should be revoked immediately and the revocation reported within the 24-hour period allowed by the standard. Documentation of the personnel risk assessment and completed training should also be available.

Cyber security requirements are here to stay, and waiting them out is not an option. Companies may need to accelerate their compliance programs, as the push for greater security will only increase. Compliance with the CIP standards not only enhances the security of critical infrastructure facilities but also improves the reliability and stability of the bulk electric system. The threat from inside and outside the country is real and requires nothing less than constant vigilance and preparation. ◆

Table 1. NERC Critical Infrastructure Protection Standards

CIP-001  Sabotage Reporting
CIP-002  Critical Cyber Asset Identification
CIP-003  Security Management Controls
CIP-004  Personnel and Training
CIP-005  Electronic Security Perimeter(s)
CIP-006  Physical Security of Critical Cyber Assets
CIP-007  Systems Security Management
CIP-008  Incident Reporting and Response Planning
CIP-009  Recovery Plans for Critical Cyber Assets

Source: North American Electric Reliability Corporation
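The access-revocation and personnel-currency requirements discussed above (revocation within 24 hours for termination with cause, periodic personnel risk assessments, annual cyber security training, continued monitoring of who holds access) are the kind of thing an IS group should check mechanically rather than by hand. The following is an added example written for this page, not code from the article, from NERC, or from any vendor. It reconciles a constructed HR roster against a constructed access-control export and flags access that outlived a termination, revocations completed after the window, and lapsed assessments or training. The 24-hour window and the annual training requirement come from the article; the seven-calendar-day window for access that is simply no longer required (CIP-004 R4.2) and the seven-year personnel risk assessment refresh (CIP-004 R3) are assumptions drawn from version 3 of the standard and should be verified against the version you are audited to. All user names and asset identifiers are invented.

```python
"""Personnel access-rights reconciliation for NERC CIP assets.

Added example, not code from the article. It joins an HR roster to an
access-control export and flags the conditions the article describes:
access that outlives a termination, revocations completed after the
24-hour window for terminations with cause, and personnel whose risk
assessment or annual cyber security training has lapsed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Windows and intervals. The 24-hour figure and the annual training
# requirement are stated in the article. The other two are assumptions
# by the author of this example, taken from CIP-004 R4.2 (seven calendar
# days for access no longer required) and CIP-004 R3 (PRA refreshed at
# least every seven years); check them against the version you are audited to.
REVOKE_WINDOW_FOR_CAUSE = timedelta(hours=24)
REVOKE_WINDOW_OTHER = timedelta(days=7)          # assumption (CIP-004 R4.2)
PRA_INTERVAL = timedelta(days=7 * 365)           # assumption (CIP-004 R3)
TRAINING_INTERVAL = timedelta(days=365)


@dataclass
class Person:
    user: str
    pra_date: datetime                      # last personnel risk assessment
    training_date: datetime                 # last cyber security training
    terminated: Optional[datetime] = None   # None: still employed
    for_cause: bool = False


@dataclass
class Access:
    user: str
    asset: str                              # hypothetical asset identifier
    revoked: Optional[datetime] = None      # None: still active


# (user, asset or None, finding code, overdue/remaining time or None)
Finding = Tuple[str, Optional[str], str, Optional[timedelta]]


def audit(people: List[Person], accesses: List[Access], now: datetime) -> List[Finding]:
    """Access records are checked first, in input order; then PRA and
    training currency for everyone still employed."""
    findings: List[Finding] = []
    by_user = {p.user: p for p in people}

    for a in accesses:
        p = by_user.get(a.user)
        if p is None:
            # Access exists for someone HR does not know about.
            findings.append((a.user, a.asset, "NO_HR_RECORD", None))
            continue
        if p.terminated is None:
            continue
        window = REVOKE_WINDOW_FOR_CAUSE if p.for_cause else REVOKE_WINDOW_OTHER
        deadline = p.terminated + window
        if a.revoked is None:
            if now > deadline:
                findings.append((a.user, a.asset, "ACTIVE_AFTER_TERMINATION", now - deadline))
            else:
                findings.append((a.user, a.asset, "REVOCATION_PENDING", deadline - now))
        elif a.revoked > deadline:
            findings.append((a.user, a.asset, "LATE_REVOCATION", a.revoked - deadline))

    for p in people:
        if p.terminated is not None:
            continue
        pra_age = now - p.pra_date
        if pra_age > PRA_INTERVAL:
            findings.append((p.user, None, "PRA_STALE", pra_age - PRA_INTERVAL))
        training_age = now - p.training_date
        if training_age > TRAINING_INTERVAL:
            findings.append((p.user, None, "TRAINING_STALE", training_age - TRAINING_INTERVAL))
    return findings


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data (not real personnel or assets).
NOW = _dt("2010-11-15 09:00")
PEOPLE = [
    Person("alice", _dt("2005-01-10 00:00"), _dt("2010-03-01 00:00")),
    Person("bob",   _dt("2006-02-01 00:00"), _dt("2010-05-01 00:00"),
           terminated=_dt("2010-11-10 17:00"), for_cause=True),
    Person("carol", _dt("2007-09-15 00:00"), _dt("2010-01-20 00:00"),
           terminated=_dt("2010-11-01 12:00")),          # transfer, not for cause
    Person("dave",  _dt("2003-05-01 00:00"), _dt("2009-10-01 00:00")),
    Person("frank", _dt("2008-04-01 00:00"), _dt("2010-06-01 00:00"),
           terminated=_dt("2010-11-14 16:00")),
]
ACCESSES = [
    Access("alice", "DCS-HMI-01"),
    Access("bob",   "DCS-HMI-01", revoked=_dt("2010-11-12 09:00")),   # 16 h past the 24 h window
    Access("bob",   "EMS-CONSOLE", revoked=_dt("2010-11-10 18:30")),  # within the window
    Access("carol", "SCADA-HIST"),                                    # never revoked
    Access("erin",  "DCS-ENG-WS"),                                    # no HR record
    Access("frank", "EMS-CONSOLE"),                                   # window still open
]

if __name__ == "__main__":
    for user, asset, code, delta in audit(PEOPLE, ACCESSES, NOW):
        print(f"{code:24} {user:6} {asset or '-':12} {delta}")
```

Run against the sample data, the audit reports bob's late revocation (16 hours past the deadline), carol's access still active a week after her transfer, erin's orphaned account, frank's revocation as pending but not yet overdue, and dave's personnel risk assessment and training as lapsed; alice produces no findings. Feeding it a real HR export and an access-control dump is the same call; the findings list is what the documentation requirement in the text asks you to be able to produce on demand.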