Weaknesses of the NERC compliance-based approach – potential liabilities and grid vulnerabilities

Dec. 28, 2010

The following examples show why the NERC CIP compliance-based approach, including version 4 with its “bright lines”, is deficient. The bright-line approach is meant to set a minimum threshold that an asset must meet before it is considered critical and a cyber assessment is made.

A 500 MW coal-fired (or other fuel source) power plant is at least a billion-dollar asset. Strange as it may seem, the current version of the NERC CIPs would most likely not consider a 500 MW power plant a NERC Critical Asset as the bright line approach sets a 1500 MW threshold for considering a plant site to be critical. Since the 500 MW plant would not be considered critical, there would be no NERC CIP requirement to cyber secure the plant. However, there are significant cyber issues that can affect this billion-dollar investment that affect both the utility and the bulk electric grid.

When I was managing the EPRI Fossil Plant Instrumentation and Controls (I&C) Program, the utilities identified measurement of pulverized coal as the highest priority research project for our technical area. This is a very complex technical process. Similar to a car with an electronic fuel ignition system, the control system measures and then controls the amount of pulverized coal and air flow going to the individual burner pipes. This coal/air mixture affects the plant heat rate (the efficiency of burning the fuel which is akin to a car’s fuel mileage). Mal-distribution of the fuel/air mixture in each pipe (running too lean or too rich) has directly led to numerous coal plant explosions that have destroyed plants and killed people. This explains the high priority the utilities placed on developing accurate measurements.

Today, the control system controlling the fuel/air mixture can be cyber vulnerable. This means that unintentional or intentional cyber incidents could cause mal-distribution of the fuel/air mixture leading to “bad things happening”. An explosion at a single plant may not affect the bulk electric grid, but it certainly can affect the utility and potentially its customers. Explosions at several plants CAN affect the bulk electric grid. Moreover, extensive damage to power plant equipment will result in very long and expensive outages.

A second reason that the compliance-based approach with bright lines does not work is that small facilities (less than 50 MW) that are electronically connected to larger facilities and/or control centers also can bring down large sections of the bulk electric grid. However, the bright lines exclude small facilities. The small facility (smaller airport) affecting the large facility (larger airport) was effectively the exploit used by the 9-11 attackers.

I would expect a risk manager would have a difficult time trying to justify such a weak compliance-based approach to the CEO and Board of Directors when these weaknesses are so well-known throughout the industry.

Joe Weiss