Documentation key to power industry’s latest cyber security standards

If you thought your process control systems were excluded from the NERC’s definition of “critical cyber assets,” think again. Today at the Honeywell User Group gathering, Barry Ingold, from Tri-State Generation and Transmission Association, presented a detailed look at the implications of the new cyber security standards from the North American Reliability Council, a quasi-governmental body that oversees and makes standards for the power transmission and generation industries.

He noted that the original “Urgent Action Standard 1200” specifically excluded distributed control and and other control systems in the definition of what constituted a “critical cyber asset.” Effective a year ago, however, Ingold said, the NERC Critical Infrastructure Protection committee (NERC CIP) released an entirely new version of Urgent Action Standard 1200. “This time,” Ingold said, “the definitions no longer exclude control systems.”

“There are eight new standards,” Ingold continued, “covering requirements, measures that must be taken, compliance monitoring, and something new—sanctions.” This time, there are sanctions with real teeth, where the original UAC1200 had none. “These standards apply if your plant is on the grid, basically,” Ingold said.

The standard requires a phased implementation with “substantial compliance” in 2008, full compliance in 2009, and “auditable compliance” by the end of 2010, Ingold reported.

“You have to document a methodology to identify your company’s critical cyber assets; and you can use any legitimate methodology—from hazards analysis to flowcharts,” Ingold explained.

But, Ingold added, the paper trail is critical. “You have to write it down,” Ingold said.

Among the standards’ requirements are personnel security and training plans, including personal risk assessment. And because the standard calls for personnel ID verification and a 7 year criminal background check, “I see potential for the unions to pitch a fit here,” Ingold said.

Also required is a physical security plan, taking into account the distributed nature of control systems, as well as providing access controls, monitoring, plan maintenance and regular testing. This will be costly, Ingold noted, and should also produce union issues. “I recommend that you leverage existing site security assets for this activity if it is possible,” he said.

Active testing is also proscribed. “We in the power industry aren’t used to turning off the plant to test the security system,” Ingold said, adding, “I guess we’ll get through it somehow.”

Finally, the standards require a plan for patch management, malicious software prevention and account management. “Since we typically see ‘User 1 logged in’--which means the Unit 1 Operator is logged in, and never gets logged out--this is going to cause some serious changes in the way control room security gets done,” Ingold said. “You will have to have a plan for incident reporting, response planning, and you will need to produce recovery plans with annual testing procedures.

“Above all,” Ingold concluded, “document it, document it, document it.”