I have written a number of blogs about the deficiencies of the NERC CIPs and that most utilities are playing games with compliance. I continue to insist, as do many others, that compliance does not automatically equal increased security, while proven increased security should equal compliance (or there is something wrong with the compliance process). There are very few utilities, possibly only a handful, who are actually trying to secure their systems, not just play a compliance game. Consequently, this blog is not a blanket indictment of an entire industry – but pretty close. The bottom line is the infamous “million dollars per day” fine is meant to punish those facilities that can impact the reliability of the bulk electric grid. Those utilities playing games with NERC CIP-002 (which unfortunately are most of the utilities in this country) in order not to secure their facilities should be fined the million dollars per day per facility as they can affect the reliability of the bulk electric grid. The problem is real as industry has experienced numerous power plant cyber incidents as well as several large cyber-related outages. This is serious business, and we shouldn’t be playing games. What about Wall Street? What about the insurance companies? Shouldn’t investors and actuaries be concerned about these utilities’ attitude to risk management? Ostrich behavior isn’t risk management.
Let’s talk specifics:
- The NERC CIP Drafting Team, and many utilities are still fighting removal of CIP-002 and its unconscionable exclusions.
- Some utilities are removing IP connections in order to be excluded from the NERC CIPs. Many utilities have received rate increases to improve grid reliability by installing those connections. Are the utilities refunding the money? State PUCs take note. Many states are cash strapped and could use the money if the utilities aren’t going to do what they said they would with the rate increase proceeds. Ironically, those same utilities are using IP connections for Smart Grid because the NERC CIPs exclude electric distribution. Something is wrong here.
- Some power plants are no longer providing Black Start capabilities in order not to be considered a NERC Critical Asset. This obviously impacts the reliability of the bulk electric grid and those plants should be fined a million dollars per day.
- Some utilities are reclassifying their control centers as control rooms in order not to be considered a NERC Critical Asset. This obviously impacts the reliability of the bulk electric grid and those utilities should be fined a million dollars per day.
- Some utilities have refused to classify their very large power plants as NERC Critical Assets. In at least one case that I specifically am aware, this plant is so big it exceeds the minimum reserves for an entire interconnect. This places large swaths of the US at risk for outages. As an aside, if they don’t consider their largest power plant a NERC Critical Asset, do you think they consider any of their other power plants NERC Critical Assets? This utility should face a million dollar a day fine for each unit as well as other possible penalties. I am sure that is not the only utility playing this game with their power plants. For example, I know of another plant from another utility whose single unit is significantly bigger than any single nuclear unit and it is not a NERC Critical Asset. NERC’s Michael Assante identified this inappropriate industry behavior with respect to NERC Critical Asset identification in his April 7th 2009 letter to industry, and, frankly, not much has changed.
I have also been concerned about the technical appropriateness of the NERC CIPs with respect to control systems, specifically CIP-005 and CIP-007. The concern has been that applying these IT-type standards to control systems actually could impact their reliability. There have been numerous cases where penetration testing has impacted legacy field devices. I have found my first documented case affecting non-legacy field devices. This case is from the January-June 2009 NERC Disturbance Reports: “A disturbance resulted in the loss of the utilities Energy Management System functions, including SCADA, AGC, Network Applications and ICCP. The utilities Power System Operators notified the RC and affected entities upon loss of the EMS and when EMS functionality was restored. The disturbance was caused by the implementation of a device locking security tool. The tool caused select hard drives to become unavailable resulting in the loss of the above functionality. The tool was being implemented in response to the Critical Infrastructure Protection (CIP) standards. The disturbance remediation consisted of uninstalling the device locking tool and restarting the impacted systems. To prevent the recurrence of this incident in the future, comprehensive testing will be performed to insure that tool operating characteristics are in accordance with expectations.” There are many questions that arise:
- If testing wasn’t done before the tool was installed, isn’t that a violation?
- How many other utilities are using this tool? How many haven’t tested it before installing it?
- What caused the hard drives to become unavailable?
- What other commercial tools could cause this same problem?
- Can this tool cause a similar problem in Smart Grid applications?
- Can this tool cause a similar problem in nuclear plant applications?
This is the reason I do not allow vendors to present at the ACS Conference unless I know the technology they will be touting has been successfully tested in a control system environment.