As mentioned many times, the NERC CIP process has many exceptions that make the NERC CIP process less rigorous and comprehensive than many people have been led to believe. These exceptions include the exclusion of electric distribution, the exclusion of serial (non-routable) communications, the “brightline” criteria excluding “smaller” assets, and in terms of remediation, the NERC CIPs have no requirements to remove malware, etc. These exclusions have led many utilities to consciously exclude cyber security considerations for non-CIP critical assets. Even more, NERC has provided the utilities justification for “playing games” to exclude assets that should be included in the brightline criteria such as generation sites bigger than 1500MW. The NERC CIPs do not even include some of the recommendations from the final report of the 2003 Northeast Outage. I will say it again - NERC CIP compliance is not a comprehensive cyber security program.
There have been several documented instances where meeting the “letter of the NERC CIPs” not the “spirit” of what the NERC CIPs were supposed to be (i.e., cyber securing the electric grid) have caused significant impacts to the electric grid they were meant to secure. As an example, during a regularly scheduled firewall patch installation, a utility industry organization experienced multiple inter-control center communications protocol (ICCP) communication failures with other utility industry organizations. This resulted in an outage of ICCP communications for greater than 30 minutes. According to an internal investigation, the assets being updated were identified as CIP “qualifying” assets and were not considered CIP “critical cyber assets” (CCA) per the CIP Standards. The utility industry organization’s change control process for a qualifying asset did not require advance formal notifications and reviews from all possible stakeholders that would be required for an identified “CCA” asset. The security team adhered to its change control process and communicated the work being performed just prior to the transferring of systems. The late communication is believed to have contributed to the severity of the event and its duration. Not only is this a serious security breach, it is egregiously poor engineering under the guise of meeting NERC CIP requirements.
Why is this important? All of the cyber issues associated with the Ukrainian cyber attack would be out-of-scope for all existing versions of the NERC CIPs. Consequently, July 21, 2016, FERC issued a notice of inquiry (NOI) seeking comments on whether the CIP standards related to control centers used to monitor and operate the bulk electric system in real-time need to be modified in the wake of the Ukrainian cyber attack. Specifically, FERC said it is considering requiring that control center cyber systems be isolated from the Internet and that computer administration practices be implemented to ensure that only approved, or "whitelisted," programs are run. NERC noted in its comments on the NOI that the existing CIPs already include a number of requirements designed to mitigate risks associated with Internet connectivity. However, requiring such isolation, however, could have unintended operational impacts on functions such as data exchange, remote access, patch management and transmission scheduling that may outweigh any associated security benefits, NERC warned. The Edison Electric Association, Electric Power Supply Association and National Rural Electric Cooperative Association jointly also maintained that the existing CIP reliability standards are adequate and the lessons learned from the Ukraine attack "have helped validate" their effectiveness. However, DHS has already publicly stated: “Some asset owners may have missed the memo about disconnecting control system from the Internet. Our recent experience in responding to organizations compromised during the BlackEnergy malware campaign continues to bring to light this major cybersecurity issue—Internet connected industrial control systems get compromised. All infected victims of the BlackEnergy campaign had their control system directly facing the Internet without properly implemented security measures.” Moreover, in January 2016 (after the Ukrainian cyber attack), a NERC Advisory even recommended not using cyber security monitoring if it could impact grid visibility. As should be obvious from these examples, the NERC CIP approach ignores non-NERC CIP CCAs despite the potential for affecting the reliability of the electric grid as well as the DHS guidance about not connecting to the Internet.
As a result of NERC and the industry organizations statements about the irrelevance of the Ukrainian hack to the US grid, the Idaho National Laboratory will be making a presentation at the October ICS Cyber Security Conference on the relevance of the Ukrainian cyber attack to US electric utilities. Additionally, my abstract was accepted by the International Atomic Energy Agency on “The Implications of the Ukrainian Cyber Attack to Nuclear Plants”.
Why are NERC and the utility industry organizations so intent on keeping the grid cyber vulnerable? Why are the engineers continuing to be marginalized in the NERC CIP process?