The 2008 NERC Annual Report – NERC’s view of CIP

May 6, 2009
NERC just issued their 2008 Annual Report. Enclosed is my objective look at NERC’s 2008 accomplishments for critical infrastructure protection (CIP).

The President’s Report: “The bulk power system is only as strong as its weakest link”
“When trying to explain who NERC is and what we do in interviews, social settings, and meetings with leaders outside the industry, I am often asked: ‘how can an industry regulate itself? Isn’t there a conflict of interest?’ I answer them by explaining that the electric industry is different than others in that we are critically interconnected: the bulk power system is only as strong as its weakest link. Every asset owner has an interest in ensuring its neighbors keep reliability a priority - what happens on one system affects the next, and so on. In short, I explain, we are in a unique position to make the self-regulatory model work.”

As Mike Assante’s April 7th letter indicates, self regulation has NOT worked. Additionally, the federal power agencies (e.g., TVA, BPA, etc.) are required by law to meet NIST SP800-53, which is more comprehensive than the NERC CIPs. Many of the utilities have been vehement they will not accept NIST SP800-53. That means interconnections from the non-federal utilities to the federal power utilities ARE weak links.

“Perhaps the best illustration of this change occurred in 2008 as we faced increasing scrutiny on our response to cyber security. It quickly became clear that NERC was to be held accountable for its actions to protect the grid - and, fairly or unfairly by extension, the industry’s actions as well. Policy makers expect NERC to oversee the industry, not the other way around. Put simply: if reliability problems persist, NERC will be asked why its standards and compliance actions weren’t tougher.”

Some reliability problems are BEING CAUSED by the NERC CIPs as utilities use the loopholes to avoid the NERC CIPs.

“NERC’s rules of procedure set the bar high on all fronts - from standards to compliance to assessments. Our rules specify that NERC standards are not to be a ‘lowest common denominator compromise,’ but rather are intended to seek, via a stakeholder driven process, the best approach for bulk power system reliability. Our rules specify the maintenance of an American National Standards Institute (ANSI) accredited process designed to ensure fairness, equal representation, and due process.”

The ANSI process has been used to keep the NERC CIPs from being anything but a lowest denominator compromise (in private, many NERC CIP participants call it a low bar). Yet even with that, Mike Assante’s letter shows that industry as a whole doesn’t even meet this low bar.

“In this capacity, NERC must act as a regulatory authority with fully independent oversight of the industry. Compliance is not an industry-driven process, yet to be successful it must encourage self-reporting and support the development of a strong compliance culture by users, owners, and operators.”

NERC Staff have told numerous audiences that compliance, not security, is what is required. Mike Assante’s letter, as well as discussion with industry, shows that NERC and their compliance organizations are taking the approach that compliance, not security, is what is important.

“NERC’s government partners also have an important role to play in the self-regulatory electric reliability organization model.”

Is there a question why there is now legislation to regulate grid cyber security and to give that responsibility to FERC?

“The successful development of violation severity levels for the original 83 FERC-approved NERC standards is another of NERC’s accomplishments in 2008. Violation severity levels address how non-compliant an entity is with a specific requirement.”

NERC has submitted a “Complete Violation Risk Factor Matrix Encompassing Each Commission Approved Reliability Standard” to FERC. “The Violation Risk Matrix would be used for the initial basis for determining enforcement action for future violations.” There are 171 NERC CIP-002 through CIP-009 specific items in the matrix – only 2 of which are considered HIGH: CIP-002-1 R2 Critical Asset Identification and CIP-002-1 R3 Critical Cyber Asset Identification. Ironically, Mike Assante’s letter was faulting the industry for not identifying appropriate assets as Critical.

“2008 Ten Most Violated Reliability Standards – CIP-004”

CIP-004 is training, which is not considered HIGH severity (it is LOW to MEDIUM). What’s more, the Training requirements do not even require it to be appropriate – that is, for Control System Cyber Security. Mike Assante’s letter shows how industry has gamed CIP-002, which effectively games the entire NERC CIP process. Since CIP-002 has the only HIGH severity levels (see above), there is no chance there will be the infamous $1 Million/day fines.

“In 2008, NERC streamlined its situation awareness and critical infrastructure protection programs, bringing renowned security expert Michael Assante on board as its chief security officer. Under Assante, the two programs expanded NERC’s role in ensuring the security of critical assets, issuing six security-related alerts in the fourth quarter and working closely with industry to begin revisions of the critical infrastructure protection standards.”

IF CIP is so important to NERC, why isn’t Mike being given adequate budget and authority to FIX things?

“While the smart grid promises to bring greater efficiency and functionality to grid operators, it also poses a significant cyber challenge. NERC is actively considering these issues to ensure a secure and reliable energy. By enabling greater communication between the utility and remote equipment, the ‘smart grid’ may provide more access points to critical infrastructure, potentially increasing the risk for cyber attack. Ongoing standards development efforts - both at NERC and other standards setting bodies - will need to be coordinated to ensure security is appropriately addressed as development continues.”

Currently, the NERC CIPs explicitly exclude distribution. How can NERC say they are addressing Smart Grid cyber security when distribution is the heart of the Smart Grid?

Joe Weiss