By Jay Abshier
A sea change is sweeping through the North American bulk electricity system in the wake of the U.S. Energy Policy Act of 2005 (EPAct). Previously voluntary reliability programs under the aegis of the North American Electric Reliability Council (NERC) are transitioning to mandatory standards under the Federal Energy Regulatory Commission (FERC), with substantial financial penalties for noncompliance.
The enforcement timeline for the CIP Standards commenced on January 1, 2007, with auditable compliance being required in 2010. The exact dates depend on the functional entity(ies) for which the utility is registered (transmission operator, generation operator, etc.).
Penalties for noncompliance use the standard Federal Energy Regulatory Commission (FERC) and North American Reliability Council (NERC) penalty matrix, with fines ranging from $1,000 to $1,000,000.
In July 2007, the FERC staff recommended to its Board that the CIP standards and implementation schedule be approved. FERC has also recommended that NERC revisit the CIP standard and has recommended specific areas that need modification. Observers think if the CIP standard is modified, new implementation schedules will also be adopted for conformance to any approved changes.
Reliability Standards Emerge
Reliability standards had their genesis following the major North American power outage in November 1965, with the implementation of voluntary operating policies and planning standards. These were designed to ensure the reliability of the bulk power system in the U.S. and Canada. Subsequent outage events, such as the summer 1996 Western grid blackouts and the August 2003 Northeast blackout, led to further emphasis on these standards.
As a result of EPAct, FERC certified NERC in 2006 as the Electric Reliability Organization (ERO) with full oversight for enforcing reliability standards compliance. An additional result of EPAct is that FERC now has full authority to approve all reliability standards. To date, NERC has submitted 107 standards to FERC for approval; 83 have been approved, while 24 are awaiting approval pending further refinement. Many of the approved standards received conditional approval and will require updatinga process that may require up to two, and in some cases, three years to complete. Furthermore, FERC has identified issues with CIP (Critical Infrastructure Protection) 002-009 and has solicited comments. This article will focus on CIP 002-009, the standards for cyber security.
Scope of CIP 002-009
Any entity that owns, operates or uses any portion of the bulk power system must comply with these new mandatory reliability standards. The compliance process itself involves periodic, formal NERC audits by the Regional Reliability Councils. The process also involves active self-certification, periodic reporting of compliance data and statistics and self-reporting of any noncompliance with NERC policies, procedures or standards.
Briefly, NERC CIP 002-009 covers the following topics:
- CIP 002 Critical Assets. Requirements for defining methodologies for identifying critical assets and critical cyber assets and using those methodologies to document these assets.
- CIP 003 Security Management Controls. Requirements for establishing the governance of an entitys CIP compliance program and for key elements of an effective cyber security program: policies and procedures, information protection, change control and configuration management.
- CIP 004 Personnel and Training. Requirements for security awareness and training, personnel risk assessments and documenting access to critical cyber access.
- CIP 005 Electronic Security Perimeter. Requirements for defining, documenting, monitoring and controlling access to the electronic security perimeter, within which are located the critical cyber assets.
- CIP 006 Physical Security of Critical Cyber Assets Requirements for defining, documenting, monitoring and controlling access to the physical security perimeter, within which are located the critical cyber assets.
- CIP 007 Systems Security Management. Requirements for securing, monitoring, documenting and controlling access to critical cyber assets.
- CIP 008 Incident Reporting and Response Planning. Requirements for developing, testing and executing incident response plans, and for reporting incidents to the appropriate agencies.
- CIP 009 Recovery Planning. Requirement for developing, testing and exercising plans for backup and recovery and disaster recovery.
- FAQs. These are answers to frequently asked questions, and were treated by NERC CIP Training as having equal importance to the requirements in CIP 002-009.
A Typical CIP Compliance Project
NERC CIP compliance should be undertaken in a four- phase approach. CIP 002, with the leadership portion of CIP 003, should be undertaken and completed first to determine the number and type of critical assets and critical cyber assets. Once this is finalized, Phase 2 establishes the electronic and physical security perimeter(s) and conducts a gap analysis between the clients current state and that required for compliance. Phase 3 implements the policies, procedures, documentation and, if required, infrastructure upgrades that allow the client to achieve compliance. Compliance mechanismsbasically identifying the documents required for compliance and implementing mechanisms for capturing these documentsalso must be put in place. Phase 4 is the collection of one calendar years worth of documentation identified by the compliance mechanisms to achieve auditably compliant status.
Crucial to the success of the project will be the availability of key client stakeholders and support staff to assist with this effort, and establishing an effective governance structure for both cyber security in general and CIP compliance.
Following is a high-level view of these phases and some typical tasks in each:
Phase 1: Critical asset and cyber asset identification
- Task 1: Establish governance.
- Task 2: Develop methodologies.
- Task 3: Identify critical assets.
- Task 4: Develop cyber asset inventories.
- Task 5: Identify critical cyber assets.
Phase 2: Gap Analysis
- Task 1: Develop and validate electronic security perimeters with access points.
- Task 2: Develop and validate physical security perimeters with access points.
- Task 3: Gap analysis between current state and CIP requirements.
- Task 4: Develop recommendations for policies and procedures.
- Task 5: Develop recommendations for technical and infrastructure changes, including software required for document, change, log file and configuration management, etc.
- Task 6: Establish approval and budget for gap closure; select and procure any required tools or equipment.
Phase 3: Implement recommendations to close gaps
- Task 1: Implement changes or additions to policies.
- Task 2: Implement changes or addition to procedures.
- Task 3: Implement technical and infrastructure changes.
Phase 4: Auditable compliance
- Task 1: Collect required forms, logs and other documentation for one calendar year.
Establishing a Compliance Process
The resources required for a CIP compliance project and ongoing compliance will be determined by the size of a company. In general, the equivalent of three to ten full-time employees are required to complete a compliance project and one to four to ensure ongoing compliance.
From a documentation point of view, for a single entity, the requirements for policies, procedures and forms typically include about 140 policy statements in fourteen policy documents, 20 to 30 procedures and 50 to 60 forms.
From a software tool point of view, compliance typically requires software for document management, change control, configuration discovery and management, log file consolidation and analysis, anti-virus, intrusion detection, network access control and end-point (workstation) device control.
Also, to be auditably compliant, an entity must collect one calendar years worth of documentation. This means that if compliance with CIP is required by June of 2010, then the collection of documentation (essentially being compliant without the collected documents) must start on Jan 1, 2009.
Any new regulatory requirement poses risks, and the implementation of NERC reliability standards compliance is no exception. Entities that act early and proactively to become compliant will benefit in several ways. They will establish a positive relationship with NERC auditors and rule-setting committees that will enhance their influence in setting further reliability compliance standards. Shareholders and investors are likely to view compliant entities with more confidence. Finally, compliance minimizes the possibility of financial penalties as well as other financial, legal and personal risks that can damage an entitys reputation.
Jay Abshier, CISSP, is a senior principal consultant with KEMA Inc.
Penalties for non-compliance use the standard FERC and NERC penalty matrix, with fines ranging from $1,000 to $1,000,000.