Electric Perspectives, November/December 2010

and its citizens.” He added that malicious cyber-activity is occurring on an unprecedented scale with extraordinary sophistication.

Many cyber attacks threaten to strike at the heart of most power plant operations: the instrumentation and control system. As part of the critical infrastructure, generation assets are vital for national power grid and economic security, public safety, and society’s overall well-being. That’s why it’s important to equip generation facilities with control systems that not only assure reliable and efficient management but also provide maximum cyber security without negative impact on the availability of the protected assets.

A quick glance at recent National Institute of Standards and Technology and Department of Homeland Security (DHS) publications helps us realize that we are only at the beginning of the road to secure control systems.

Standards Requirements

Protection of grid-related critical assets is mandated by NERC, which is tasked with ensuring the reliability of the bulk power system in North America. The NERC critical infrastructure protection (CIP) standards requirements range from establishing clear processes for terrorist threat reporting and classification of criticality of assets to specific password policy requirements, personnel risk assessment, and disaster recovery procedures. (See Table 1.) Failure to comply with applicable standards can have far-reaching consequences, including negative publicity and considerable fines ranging up to $1 million per day per occurrence of noncompliance. These fines and other consequences depend on a matrix compiled of violation severity levels and violation risk factors, both developed by NERC.

Version three of the CIP standards was approved by the Federal Energy Regulatory Commission (FERC) on March 31 and became effective October 1. Version four of the standards is being reviewed now and is scheduled to be submitted to FERC for approval by the end of the year.

Compliance Standards

Compliance with the CIP standards is not an easy task. A relatively simple standard such as CIP-001 (which defines terrorist threat reporting) can be challenging, and there are several companies that failed CIP-001 audits in 2009 and 2010. Compliance with CIP-002 through 009 is much more complicated. These standards cover all aspects of critical infrastructure protection, from risk-based assessments to utilization of outdated assets. Certain standard requirements are related to cyber security and protection of plant control systems, while other requirements cover physical security, training programs, and incident reporting.

Vendor and Personnel Challenges

The standard requirements also are challenging control system vendors. Not only do the modern SCADA and distributed control systems need to comply with a number of technical requirements, but vendor companies must implement processes and procedures that protect information related to NERC CIP-compliant facilities, perform background checks on employees authorized to access information, and devote resources to personnel training. For multinational companies that work around the globe, this can be difficult to accomplish.
Realizing the importance and possible impact of the new security regulations at the beginning of the standard review process is important. Companies should use computer emergency response teams (CERTs) or information security (IS) departments to support the preparation of the standards adoption. A CERT or IS group needs to conduct a comprehensive internal security review of its control system and SCADA offerings, assess the need to ramp up security testing for power industry-related products, create additional cyber security consulting teams, and provide high-quality help with any aspects of NERC CIP compliance implementation. CERT and IS groups also need to work closely with customers to make sure that in addition to covering the requirements of the standards, additional requirements set by respective corporate policies also are met.

Control system vendors not only should support the NERC CIP standards as they relate to purely technical product features and consulting services as set out in CIP 005, 007, and 009, but also should implement internal procedures and processes that comply with the requirements of standards 003 and 004. The vendors should have processes to guarantee that protected information about NERC CIP-compliant generation facilities is available only to authorized individuals and that people having access to critical facilities have appropriate cyber security training. System operators should always know who has access to the data about the facility at any one time. In the case of multinational corporations, the configuration details for NERC CIP-compliant assets should be available only to authorized U.S. employees and not shared with overseas offices.

Personnel involved with control systems for critical assets should undergo a personnel risk assessment, including background checks at time intervals required by the standard. A specially created NERC CIP awareness training program is mandatory for all involved employees, as well as annual cyber security training. Both company employees and vendors should have procedures to ensure continued monitoring of personnel access rights. Stopping an employee’s access to protected information and systems should be done while meeting or exceeding standard requirements. For example, in the case of termination with cause, the access should be revoked immediately and reported within the 24-hour period allowed by the standard. Documentation of the personnel risk assessment and completed training should also be available.

Cyber security requirements are here to stay, and waiting them out is not an option. Companies may need to accelerate their compliance programs as the push for greater security only will increase. Compliance with CIP protection standards not only enhances the security of the critical infrastructure facilities, but also improves the reliability and stability of the bulk electric system. The threat from inside and outside the country is real and requires nothing less than constant vigilance and preparation. ◆

Photo caption: The vigilant IT manager needs to comply with NERC requirements, as well as relevant corporate policies.

TABLE 1. NERC CRITICAL INFRASTRUCTURE PROTECTION STANDARDS

CIP-001 Sabotage Reporting
CIP-002 Critical Cyber Asset Identification
CIP-003 Security Management Controls
CIP-004 Personnel and Training
CIP-005 Electronic Security Perimeter(s)
CIP-006 Physical Security of Critical Cyber Assets
CIP-007 Systems Security Management
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets

Source: North American Electric Reliability Corporation

Industry Takes Lead on Cyber Security

The Edison Electric Institute’s board of directors approved the following Principles for Cyber Security and Critical Infrastructure Protection last September at the EEI CEO meetings.

As part of the industry’s overall reliability effort, electric companies work to maintain the reliability and the security of the computers, control systems, and other cyber assets that help electric companies operate the electric grid. In response to the cyber threat, electric companies employ various strategies to protect these systems, but cyber security threats still exist. To complement its cyber security efforts and to address rapidly changing intelligence on evolving threats, the industry embraces a cooperative relationship with federal authorities to protect against situations that threaten national security or public welfare, and to prioritize the assets which need enhanced security. A well-practiced, public-private partnership utilizes all stakeholders’ expertise, including the government’s ability to provide clear direction and assess threats, while owners and operators of the critical infrastructure propose mitigation strategies that will avoid significant adverse consequences to utility operations or assets.

Six Principles

Prioritize assets to ensure effective protection. Recognizing that there are a variety of interdependencies, and potential consequences associated with the loss of different facilities, the utility industry supports a risk-based, prioritized approach that identifies assets truly critical to the reliable operation of the electric grid…

Threats require emergency action and vulnerabilities should be addressed more deliberately. In this context, a threat is imminent and requires a rapid response. In these instances, the industry is willing to accommodate certain operational consequences in the interest of addressing the threat. Vulnerabilities, on the other hand, have a longer time horizon and can benefit from a more measured response…

Clear regulatory structure and open lines of communication. The federal regulatory framework and roles for all stakeholders involved in securing the electric grid should be clear to avoid duplicative or conflicting actions in times of crisis. The electric utility industry is not in the law enforcement or intelligence-gathering business, and the government has limited experience operating the electric grid. Thus, each should be consulted, and the flow of information should be regularly exercised, before a threat becomes a crisis. It is critical that the federal government and industry communicate with each other seamlessly…

Proactively manage new risks. As the new smart grid develops, it is essential that cyber security protections are incorporated into both the grid architecture and the new smart grid technologies. The electric power industry must continue to work closely with vendors, manufacturers, and government agencies and be aligned with emerging and evolving cyber security standards…to ensure that the new technology running the grid is, most importantly, secure and reliable. We encourage the development of a security certification program that would independently test smart grid components and systems and certify that they pass security tests…

Committed to protecting bulk electric system and distribution assets. The utility industry understands that cyber attacks affecting distribution systems could have broader implications. Since jurisdiction is split between state regulators and the Federal Energy Regulatory Commission, the utility industry supports enhanced threat information coordination and communication between regulatory agencies and utilities to protect our systems…while also honoring the existing regulatory model.

Cost recovery and liability protection. Costs associated with emergency mitigation are, by definition, unexpected and thus not included in a utility’s rate base. To ensure emergency actions do not put undue financial strain on electric utilities, the industry supports mechanisms for recovering costs…