The Implications of NERC CIP

Barry Ingold, from Tri-State Generation and Transmission Association, presented a detailed look at the implications of  the new NERC CIP Cyber Security Standards, noting that the original "Urgent Action Standard 1200" specifically excluded DCSs and control systems in the definition of what constituted a "critical cyber asset." NERC stands for the North American Electricity Reliability Council, a quasi-governmental body that oversees and makes standards for the power transmission and generation industries.

Effective a year ago, however, Ingold noted, the Critical Infrastructure Protection Committee  (NERC CIP) released an entirely new version of Urgent Action Standard 1200. "This time," Ingold said, "the definitions no longer exclude control systems."

Ingold reviewed the new standards. "There are eight new standards," he said, "covering requirements, measures that must be taken, compliance monitoring, and something new, sanctions." This time, there are sanctions with real teeth, where the original UAC1200 had none. "These standards apply if your plant is on the grid, basically," Ingold said.

The standard requires a phased implementation with "substantial compliance" in 2008, full compliance in 2009, and "auditable compliance" by the end of 2010, Ingold reported.

"You have to document a methodology to identify your company's critical cyber assets. You can use any legitimate methodology, Ingold said, like an analytical approach to risk assessment. "Are you more likely to get attacked by a terrorist, or by a disgruntled employee?" Ingold cracked. You can also use a flowchart approach. Then you have to actually make the determinations and get senior management to buy in that these are in fact the critical assets.

Ingold noted that the paper trail is critical.

You must put together a cyber security policy with access control and change management. "Lots of people already do this, it just isn't written down. You have to write it down," Ingold said.

You will also need to put together personnel security and training plans. These plans will include generating awareness, training, and personal risk assessment. The standard calls for personnel ID verification and a 7 year criminal background check. "I see potential for the unions to pitch a fit here," Ingold said.

You are also required to produce a physical security plan, which takes into account the distributed nature of control systems, as well as providing access controls, monitoring, plan maintenance and regular testing. This will be costly, Ingold noted, and should also produce union issues. "I recommend that you leverage existing site security assets for this activity if it is possible," he said.

You are also required to actively test your system. "We in the power industry aren't used to turning off the plant to test the security system," Ingold said, adding, "I guess we'll get through it somehow."

The standard requires a plan for patch management, malicious software prevention, and account management. "Since we typically see "˜User 1 logged in' which means the Unit 1 Operator is logged in, and never gets logged out, this is going to cause some serious changes in the way control room security gets done," Ingold said.

You will also have to have a plan for incident reporting, response planning, and you will need to produce recovery plans with annual testing procedures.

 "Above all," Ingold said, "document it, document it, document it."