How Secure are the Electric Utilities if They Implement the NERC CIP Standards?
The NERC CIP standards were developed in a consensus fashion with representation from the smallest to the largest utility organizations. In order to obtain consensus, the NERC CIP standards are ambiguous and at best provide a "minimum bar". CIP-002 is the funnel for establishing what systems need to be addressed. If the CIP-002 risk assessment identifies the device or system as a critical cyber asset, it then needs to be further addressed in CIP 003-009. However, if the risk assessment defines the device or system as "non-critical", no further action is required.
What does this mean?
Utilizing CIP-002, many utilities are able to determine they have a minimal number of critical cyber assets. In fact, some utilities have determined they have NO critical cyber assets (power plants, substations, control centers, etc) even though some of these assets are tied directly to the Internet.
How can they do that?
CIP-002 provides several exclusions such as telecom, distribution, market functions, and non-routable protocols that immediately exclude many systems. Additionally, utilities generally use a reliability approach for determining if they can afford to lose an asset. If so, they don't consider it to be critical. In fact, one of the key questions is what is the minimum Megawatt or Voltage level that would require CIP-002 evaluation? This approach does not even ask the question that NERC CIPs were developed to address: "are you connected?"
What are the implications?
I have an informal database of over 80 cases of control system cyber events. I am currently working with NIST to provide a business justification for utilizing NIST Special Publication (SP)800-53 for control systems. As part of that effort, we are looking at actual control system cyber events and asking 3 questions:
- What more can we learn from actual events based on current knowledge?
- What were the NIST SP 00-53 controls that were violated that allowed the event to occur?
- Would application of NIST SP800-53 have prevented the event from occurring?
The first case we are analyzing is the Bellingham, WA pipe rupture and will be presented at the August Control System Cyber Security Workshop in Knoxville. By evaluating this and several other cases, a very important and stimulating conclusion is reached- applying and following NIST 800-53 could have prevented these events; applying and following the NERC CIP would NOT have prevented these events. This is consistent with the line-by-line comparison we did between NIST SP800-53 and the NERC CIPs. The conclusion was if you met NIST SP800-53, you met the NERC CIPs; however, if you met the NERC CIPs, you did not meet NIST SP800-53. Additionally, CIP-002 evaluation criteria enable utilities to define important pieces of rotating equipment as non-critical and therefore not even have to address known cyber vulnerabilities. The culmination is the CIPs would not even have addressed several actual cyber cases the NERC ES-ISAC has identified (with extensive and expensive impacts) because of exclusions such as telecom or distribution.
How secure do you feel when the NERC CIPs cannot address events that have ALREADY occurred?