NERC CIPS and Keeping Lights On – are they the same?

On August 19th I spent a day with the NERC Critical Infrastructure Protection (CIP) Version 5 Drafting Team working on one of the NERC CIP standards. The focus was on boundary protection, not on the control system devices themselves or on serial communications, which were explicitly excluded. The vulnerabilities that could lead to major equipment damage and extended outages were not addressed: design features in the control system devices (the kind Stuxnet exploited), system vulnerabilities such as Aurora, or measurement vulnerabilities such as serial HART communications. Instead, the focus was on traditional network issues: firewalls, routers, etc. Given the recent spate of IT hacks that have made it through existing boundary protection, isn't this thinking a bit antiquated? About the only discussion of actual control systems or facility operation came from the FERC representative, not from the utility attendees. The utilities' and NERC's concern was how to minimize the number of assets and the activities needed to address the "Lows" (smaller facilities). There does not seem to be an appreciation of what a determined, knowledgeable attacker would actually attack, nor of how common the same equipment, with the same cyber vulnerabilities, is across multiple facilities. That is, there does not seem to be an appreciation of how many "Lows" could be compromised at once, and that compromising them could impact large portions of the bulk electric grid for a substantial period of time.

(Warning: major sarcasm) For the NERC CIP approach to succeed, NERC needs to hold a training session for the hackers on the NERC ground rules for their attacks: what is in scope, and when. The hacker training should assure them that the utilities' and NERC's paper approach to Aurora is adequate, so they should not attempt to use that scenario. It should also convince them not to use the publicly available Metasploit modules for ICS, because those are out of scope for NERC CIP mitigation.

Is there a question as to whether the lights will stay on?

Joe Weiss

  • In fairness to NERC, and what looks to be an overall thought to increase FUD over actual reporting, it seems that you must have stumbled into the "NERC CIPS" [sic] SDT meeting on CIP-005-5, as that standard is actually focused solely on boundary control systems. If you are interested in NERC CIP standards, you may want to start by reading the proposed standards that the SDT has put out for draft on the updated version 5.1, available on NERC's website. You'll first notice that there are a LOT more standards than simply CIP-005-5, including some you may want to also look into, like CIP-007-5, CIP-010-5, etc. Those deal with the systems themselves, including configuration, hardening and other activities. Posting that the utility industry is not taking security seriously when only looking at a single standard really stinks of poor research and reporting. For full disclosure, I do work for a utility and we have many staff members associated with CIP activities, both at the compliance and drafting level. To say utilities do not value security is like saying McDonald's doesn't value its french fries; it is where money is made and people are served. If the power isn't on, there is no money to be made (and fines of up to $1,000,000/day to be paid). Companies are very serious about security, and have been putting major upward pressure on the few manufacturers of equipment out there to modernize; until then, we can minimize attack footprints, take things completely offline, air gap, and take other standard risk mitigation measures that compose any good company's layered security approach.

