Debate surrounds critical infrastructure compliance in power industry
By Rick Kaun
Last month, The Wall Street Journal reported cyber-spies had penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system. National Security officials reported the spies came from China, Russia and other countries, possibly on a mission to navigate the U.S. electrical system and its controls. The intruders had not sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis of war. Officials stated water, sewage and other infrastructure systems were also at risk.
Reliability standards have created a frenzy over the last few years for corporations in pipelines, food and beverage, pharmaceuticals, and oil and gas, but never so predominantly as in the power industry, especially with the mandatory critical infrastructure protection (CIP) standards the North American Reliability Commission (NERC) has issued. Once finalized, the standard will be fully enforceable in the U.S. on behalf of the Federal Energy Regulatory Council (FERC) and by provincial authorities in Canada and will bring with it a myriad of exorbitant costs for power companies. (See accompanying article on NERC CIP compliance.)
The establishment of a compliance system itself can bring enormous costs, ranging from hundreds of thousands of dollars to over $1 million in order to create and implement the program. Once complete, there is the potential cost for noncompliance or compliance infractions, which can easily cost up to $1 million.
However, the most costly issue is the maintenance of these systems. Companies are just starting to give this cost serious thought, with industry estimates ranging toward $2 million a year for larger, more complex utilities. With all this money being spent on adopting systems that will allow power companies to be CIP-compliant, users should now start thinking about what is involved in maintaining these systems, and how to do this with less financial and human capital investment, while ensuring the system remains near-foolproof.
In total, 107 standards have gone for FERC approval, 24 have received approval, and 83 are pending. NERC will perform periodic, formal audits within this compliance process. There will also be active self-certification, periodic reporting, and self-reporting of any noncompliance.
The current CIP standards NERC is releasing to the power industry include eight topics and are applicable to any entity that owns, operates, or uses a portion of the bulk power supply in the U.S. These standards outline procedures you must adhere to regarding:
- Critical assets: Identifying and documenting critical assets and critical cyber assets
- Security Management Controls: Establishing governance of a compliance program and a cyber security program
- Personnel and training: Security awareness and training, documenting risk assessment, and access to critical cyber assets
- Electronic security perimeter: Define, document, monitor, and control access to the electronic perimeter that encloses the critical cyber assets
- Physical security of critical cyber assets: Define, document, monitor, and control access to the physical perimeter that encloses the critical cyber assets
- Systems Security Management: Define, document, monitor, and control access to critical cyber assets
- Incident reporting and response planning: Develop, test, and execute incident response plans and reporting incidents to the appropriate agencies
- Recovery planning: Develop, test, and exercise plans for backup and disaster recovery
While companies have already begun to think about how to establish a documentation system to gain compliance, they should next think about how to maintain an implemented system to keep the organization CIP compliant. The compliance program involves financial, physical, and human resources to ensure consistent adherence to standards. In terms of human assets, market research shows some power companies already implementing a maintenance system are anticipating the need for an additional five to 15 full-time employees to ensure they are maintaining proper documentation, compiling proper reports, and submitting timely and accurate information to NERC.
Due to the criticality of establishing a compliance system and ensuring it is enforceable within the timelines NERC dictates, power companies have begun to find ways of using existing document management systems to complete the tasks necessary within the CIP standards. The concerns with using an existing physical documentation system that relies on human factors to orchestrate the workflow involved with maintaining any compliance are three-fold.
First, a paper-based or manual documentation system creates too large a time gap. In order to report on what is happening in a network effectively, an entity needs an automated system to pull data in as close to real-time as possible. This not only ensures reports are as current as possible, but if any threats to security occur, or any potential risks need mitigation, they can address them as soon as possible, minimizing the effects of a potential security threat or critical activity.
We can also find value in reducing the gap between problems occurring and our reaction to them, because it can significantly reduce downtime. This downtime can affect one piece of equipment, or the entire organization, depending on where the problem originates. This all allows companies to move from a reactive mode of operation to a more proactive approach.
The second major problem with relying on human factors to complete the compliance requirements is the risk of human error that cannot be mitigated. With a physical documentation system, the best-case solution is to use an electronic system to create reminders at appropriate landmarks in the audit process, but the system cannot ensure the tasks are carried out on time and in full. Without using technology to automate this process, there is no way to lessen the risks associated with human error, especially when people are working beyond what their physical bandwidth allows.
Third, most existing document management systems are built to comply with regulations enforced on a corporate level. These systems work with Sarbanes-Oxley and other such audit regulations, and are unable to work within the scope of a plant floor, simply due to the systems within which they are associated. These corporate systems are used to manage data fed to an enterprise resource planning system or other enterprise-wide system and are unable to communicate effectively with resources on the plant-level. We need to build a custom system to these resources in order to use them at the most efficient level.
The only way to create a solution to this problem is to look at a system that automates the data collection and entry component involved in the compliance program. There are many benefits to creating an automated compliance management system for any compliance program. First, the accuracy of the data in the compliance system is better, which reduces the risk of incurring any noncompliance fines associated with submission errors. Second, once the system is in place, you can halve the amount of human capital dedicated to this task, so the main responsibility of the compliance team is now analysis, management, and reporting, rather than data collection, data entry, clarification, correlation, and submission.
In terms of efficiency, the ability to orchestrate workflow and automate systems into real-time deliverables allows companies to manage their compliance program on an ongoing basis, as opposed to ad hoc or deadline-driven as audit cycles approach.
On-going programs are more secure as well. If you are not using a real-time system with automatic updates, the only source of information (and frequency) would be for local staff to look at the data, sort through all the documentation, realize there is a security problem, and address it. By this time, there is already a risk to your network, your critical assets, and your compliance program.
By moving to a real-time automated system, you can receive alerts when there is a change to your protected systems and supporting systems that is misaligned with your normal expectations and then generate work processes to update and re-align your compliance program.
The benefits of an automated system are obvious, but it is imperative an organization understands the importance of these compliance standards and all associated long-term costs and risks, not just those incurred in the short term when establishing a regulatory compliance program such as for CIP compliance. And since this particular standard is mandatory, the only difference each organization will see is how each manages change over time against this standard. The emergence of this standard signifies a change that will impact the organization on every level, and it is important to understand how to manage an emerging compliance program most effectively with the least amount of financial outlay.
ABOUT THE AUTHOR
Rick Kaun is director of industrial security and compliance at Matrikon Inc., whose compliance services help organizations identify, assess, and manage security risks, out of Edmonton, Alberta, Canada. E-mail him at firstname.lastname@example.org.
Voices ignite on power security standards
Opinions on the viability of the critical infrastructure protection (CIP) standards the North American Reliability Commission (NERC) has issued (see main story, "Critical compliance") are not the only ones being bandied about in the industry. Proponents and opponents of the National Institute of Standards and Technology (NIST) legislation continue to spark debate as well as differing opinions on the readiness of an ISA standard to join the mix.
"A number of us involved in ISA99 are familiar with the NERC CIP Standards; we submitted formal comments on them, both to NERC and (Federal Energy Regulatory Council) FERC," said Bob Webb, a security consultant with ICS Secure in Poulsbo, Wash., and managing director of ISA99, Control System Security standards. "The NERC CIP Standards establish rigorous requirements to implement automation security programs, evaluate risk, take steps to reduce risk, and carefully document these activities. This requires a significant amount of work on the part of utilities. However, a number of experts believe the scope of the standards and the technical requirements, which are applied to automation systems, do not adequately protect the nation's critical infrastructure. FERC has ordered NERC to consider specific issues as NERC develops revisions to the standards."
Joe Weiss, managing partner at Applied Control Solutions in Cupertino, Calif., presented testimony in March to the U.S. Senate regarding the need for legislation of control system security standards.
The NERC CIPS were developed effectively with "no expertise coming from the process controls or power plant side of the world," Weiss said. The original intent was to secure the electric infrastructure. "By the time it actually got put to paper, what you had was the industry coming up with a self-regulating set of standards," he said.
Industry consciously wanted to put together a standard that was "loose and ambiguous enough that they could come up with whatever rationale anyone wanted as to what they would have to do," Weiss said. "There was a big cross section, but nobody wanted to do much because they didn't believe cyber security risks were real. They weren't about to force themselves to do a lot of things for something they thought was hypothetical. So what they did was develop a set of standards that were designed for a modern IT-based control room SCADA system. It was never meant for power plants or substations with all the legacy stuff we have. Then what they did was said, 'We'll limit the scope.' So a priori they put in a set of exclusions."
Weiss's 19 March testimony said the industry desperately needs legislation that makes NIST standards mandatory. Why NIST and not ISA? "ISA is not yet approved and ready for prime time," he said. "And as soon as it is, we should be using ISA. But in the meantime, we need legislation to mandate we have to use the NIST standards until ISA is ready for prime time. For instance, Part 4 is still undergoing changes and has not yet been approved. But we still need to get that standard piece together," he said.
"The NIST standard is the only one that has both IT and control systems in the same document because it was an IT document to start with and extended to control systems. The ISA document is purely for control systems. A lot of what's in the ISA document came from NIST. As soon as Part 4 is ready and has appropriate information from NIST, we can extend that and use that for the non-nuclear and non-electric. Because now nuclear and electrical have requirements for security and need something to reference today. This would initially be a stop-gap measure, and ideally we could get all this information into ISA99, get it approved, make it into an IEC document, and run from there."
No new legislation
"The ISA99 committee has produced and approved a total of two technical reports and two standards that are generally available and ready for immediate application. They address the need for a set of consistent concepts, models, and terminology, as well as providing an approach for how to develop an effective cyber security program," said Eric Cosman, an engineering solutions consultant at Dow Chemical Company in Midland, Mich., and co-chair of ISA99. "The development of detailed technical requirements is currently underway and will produce several standards in this area. Our goal is to deliver them as quickly as possible, beginning later in 2009."
While Weiss strongly believes in a need for legislation, Bryan Singer said, "Most of industry including other leaders would say that this is not necessarily the case."
"A big disappointment in recent testimony was the regurgitation of the same types of messages with the same 'this is really bad' messaging and scare tactics," said Singer, principal consulting engineer at Kenexis Consulting Corp. in Pelham, Ala., and co-chair of ISA99. "It does a great discredit to excellent work done by many. Are we perfect? No. But look at the messages of 2001-2002, and compare them to today's messages," he said.
The messages of 2001-2002 implied "lots of problems, and technology was not appropriate to solve them," Singer said. "We need to solve these problems. These messages were largely driven by a smattering of solutions that have since been either greatly improved or have been invalidated," he said.
"Today, look at how we talk about security and topics like smart grid, and network defense, Singer said. "Look at the great efforts of ISA99, government, and countless firms; there is more work to be done, but a positive message for us is to show progress, and if there is any problem, it is that legislation and many regulatory efforts should be encouraged and directed to enhance and support such work, to grow and change the messages along with the common level of understanding. If anything needs to be done by government, it is more collaboration with industry and to create bodies like OSHA to help provide vehicles for assessing and regulating whether or not companies are indeed exercising due care and due diligence," he said.
"Engineering problems should be solved by engineers, and not enforced through specific prescriptive legislation, 'thou shall' considering that as soon as done, we have stuck a stake in the ground of time and not encourage additional improvement." Yet the main point, "isn't an issue of whether we use ISA99 or NIST or even for that matter the NERC CIP standards," Webb said. "They both have information and requirements people should be using. The issue is how do we as a society get more users to apply that information to the critical infrastructure and get owners to go out there and improve security?"
More testimony to come
Mark Fabro, chief security scientist at Lofty Perch, Inc., a consultant for SCADA and control system cyber security, in Toronto, Ontario, Canada, and co-chair of a new ISA99 working group, Governance and Metrics for Industrial Automation and Control Systems Security (WG10), is also scheduled to testify to the U.S. Department of Homeland Security (DHS) subcommittee for Smart Grid Cyber Security. "The power industry is, of all the sectors, in a very good position to lead the way for cyber security standards," Fabro said. "NERC CIP has been a terrific starter, and although in need of some refinement to provide some granularity, it can serve most asset owners well. Standards do need to be defined better to ensure we hold the assets owners accountable; and we should not provide standards so flexible they can wiggle out of compliance based on guidance verbiage. Over time, NERC CIP will evolve and should be a solid set of standards. Other standards such as NIST can also work very well, but it cannot be considered the sole solution."
The key issue, Fabro said, is "what do we do for future state architectures? It is important that we look at existing successful efforts and leverage those, especially as we advance with things like Smart Grid. The recent public disclosure of some very good security research in the advance metering infrastructure (AMI) space seemed to make headlines. Only limited reference to the good work being done to mitigate the security issues discovered were announced with it. Work by ISA, AMI-SEC, UTC, and some major utilities have shown tremendous progress that can and should be leveraged. Work by DHS, NERC, and U.S. Department of Energy can be used as well, especially the public/private efforts driven by those entities. We need to learn from that work. We know there are valuable and useable results that can be used to populate standards frameworks for things like AMI—things that are working and are in place today. Do we need more new legislation? No. That could be a waste of time and resources, and may do the community of interest a huge disservice."
One benefit could come about through "tuning current legislative initiatives that support existing private/public efforts in place now," Fabro said. "Nurture the initiatives that have been shown to work well, and provide incentives for the research, vendor, and asset-owner communities to work together. Considering the tempo at which technology is maturing, especially for the energy sector, we don't really have the time to start new things. We need to unite proven efforts, leverage real progress, and move forward—away from messaging that is almost a decade old."