and Doug Howard, Counterpane Internet Security
Most computer networks facilitate the flow of information. But in the electric industry, special computer networks control the process of generating, transmitting and distributing power. Distributed Control Systems (DCS) allow a small number of operators to control a power plant. Supervisory Control and Data Acquisition (SCADA) systems control and monitor the transmission and distribution of power across a wide area from a control center. These systems control a process that has serious human safety implications and are essential to the critical infrastructure.
Control systems have many unique aspects that aren’t found in a corporate network, from protocols and equipment used to control the physical process, commonly via measurement and actuation, to special performance and availability requirements to prevent downtime or delay. But these same control systems also have much in common with corporate computer systems that are constantly under attack. Control systems are increasingly connected to the enterprise network, which is connected to the Internet. Key components of control systems run on Windows and Unix operating systems.
Forward-thinking industry experts were worried about a cyber attack on control systems prior to the year 2000, but this was not widely embraced as a real concern.
All this changed after Sept. 11, 2001.
The industry was faced with the reality that a sophisticated and dedicated adversary wanted to damage the US and other countries. The ease with which a cyber terrorist could knock out large portions of the electric grid became a real concern.
The Northeast blackout in August 2003 was a second wakeup call because computers and applications failed to work properly. The investigation found no evidence of a cyber attack causing the blackout, but the incident highlighted the potential for a future attack.
These serious threats, along with the ubiquitous worms, viruses and general hacking faced by any computer user, underlined the need to ensure appropriate cyber security measures are in place to protect the DCS and SCADA systems essential to the generation, transmission and distribution of electricity.
NERC Steps In
The North American Electric Reliability Council (NERC), with its stated mission of ensuring the reliability and security of the bulk electric system, was the logical choice for regulating cyber security for the electric sector.
The need was so critical that NERC did not follow its typical process for developing a standard. Instead, Urgent Action Standard 1200 – Cyber Security was issued in August 2003 and renewed in August 2004.
During this two-year period, NERC worked on a longer-term solution, now split into eight critical infrastructure protection (CIP) standards:
- CIP-002 Critical Cyber Assets
- CIP-003 Security Management Controls
- CIP-004 Personnel and Training
- CIP-005 Electronic Security
- CIP-006 Physical Security
- CIP-007 Systems Security Management
- CIP-008 Incident Reporting and Response Planning
- CIP-009 Recovery Plans
While implementation is likely to vary a great deal by sector, the underlying requirements could be used in any industry with little modification. The NERC CIP requirements are similar to banking, e-commerce, health care or government best practices. They require:
- A cyber security policy;
- Employee security training and awareness;
- Disabling unused network ports/services to limit what can be attacked;
- Strong passwords (a mix of character types of sufficient length that would be hard for a person or program to guess) for user authentication; and
- Monitoring the security perimeter and critical assets for attacks.
Measurement and accountability are key features of the CIP standards. Each standard includes the audit requirements to achieve compliance and requires a “senior management officer’s approval,” which will certainly help achieve management buy-in to cyber security.
NERC chose to be very general in the requirements, rather than state how to meet each requirement. It’s certainly easier to achieve consensus on general requirements and meeting them is bound to improve cyber security to some degree. But a lack of specifics also means a company could be compliant from an audit standpoint without necessarily achieving the intended goal: security.
The standards and related audit requirements apply only to “bulk electric systems,” and most organizations already know if they are subject to NERC standards. But electric systems that don’t fall under NERC’s “bulk electric system” definition could still establish a cyber security program by voluntarily complying with these standards.
To take this a step further, other critical infrastructure fields, such as chemicals, oil and gas and water, could use these standards until a more applicable one is developed for their industry.
Complying with NERC CIP
All organizations fall into one of five stages in the evolution toward compliance with the NERC CIP or other compliance mandates such as Sarbanes-Oxley, ACC’s Responsible Care or HIPAA.
Stage I: No clear understanding of the organization’s risks and liabilities in relation to cyber security.
Stage II: General understanding of risks and liabilities, but cyber security as a program is ad hoc and purely reactive.
Stage III: Cyber security is defined as a program with a clear understanding of risks and liabilities somewhere within the organization, but is highly dependent on individuals.