What precipitated this blog was a NERC employee trying to discourage a utility from participating in an Aurora hardware demonstration. Based on the facts below, I would posit that the NERC CIP approach has not improved the reliability of the electric grid from cyber threats and may have actually made it more vulnerable.
- The NERC CIPs are a roadmap for hacking the electric grid. They identify what assets are considered critical and need to meet the NERC cyber security requirements and when that needs to occur. By default, all other assets are not considered critical and therefore do not need to be cyber secured and generally are not secured. Two examples demonstrate this issue. The NERC brightline criteria for transmission assets is 500,000 volts (500KV) or greater. PG&E's main north-south transmission lines consist of 500KV and 230KV lines. Since the 230KV lines do not need to be secured, there is a pretty good chance they are not. Take out the 230KV lines and you will overstress the 500KV lines even if they are cyber-secured. The NERC brightline criteria for generation is 1500MW. This would exclude probably 70-80% of the generation in North America. Take out a substantial number of those "smaller" units and you will have grid chaos.
- The NERC CIPs exclude several of the recommendations from the 2003 North East Outage Final Report signed off by the US Secretary of Energy and his Canadian counterpart. They also exclude some specific recommendations from NERC's own advisories. The NERC CIP Drafting Team also excluded advice provided by the control system cyber security experts from ISA99.
- The NERC CIPs exclude items such as serial communications and electric distribution. There have been four major cyber-related outages in North America to date. Had the utilities fully implemented the latest version of the NERC CIPs (Version 4), they would not have prevented any of those outages.
- In the rush to exclude assets from being critical, the NERC CIP approach has actually impacted other NERC reliability criteria. An example is black start facilities, which are required for grid reliability in the event of a complete blackout. However, black start facilities have been removed from being critical in the NERC CIP world.
- "New" cyber vulnerabilities are not addressed by the NERC CIPs since they are so cumbersome to change. That means that emerging threats such as Stuxnet are not addressed by the NERC CIPs.
- For reasons I do not understand, the Aurora vulnerability seems to be especially problematic for NERC. The Aurora vulnerability is a physical gap in protection of the electric grid that was demonstrated at the Idaho National Lab in 2007 with the destruction of the diesel generator. Aurora affects ALL substations and enables them to be threat vectors to destroy the Alternating Current (AC) rotating equipment and motors of utility equipment AND THEIR CUSTOMERS' AC ROTATING EQUIPMENT AND MOTORS! NERC's Tim Roxey, then of Constellation Energy, presented a summary of Aurora to the nuclear sector in the 2008 time frame with a slide that identified the two PG&E substations that could impact the Chevron Richmond refinery. Even though NERC was part of the team that reviewed the Aurora test plan prior to the test, the NERC representative demeaned the test results, stating the test was not representative of actual conditions. Additionally, in the 2007-2008 time frame, NERC senior executives misled Congress twice on Aurora, the second time resulting in Congress threatening to charge the previous President of NERC with Contempt of Congress. There were only three industry representatives at the INL test and they did not publicly discuss the results. Consequently, the misconceptions and misinformation started by NERC are still prevalent to this day. As Aurora is a physical gap in protection of the electric grid, the only way to mitigate it is with specific Aurora hardware mitigation devices. Yet the NERC Aurora committee is not requiring hardware mitigation. There are only TWO utilities in the US and Canada that are acting as demonstration sites for the Aurora hardware mitigation devices. It is probably not happenstance that neither utility has any NERC critical cyber assets.
However, for reasons only NERC can understand, instead of embracing the actions of these two utilities and asking to participate, NERC has attempted to "pressure" the two utilities to not go further with the hardware demonstrations.
- NERC routinely issues "Lessons Learned" documents to the utilities. In February, there were 4 incidents. All were clearly cyber (e.g., broadcast storms), yet NERC did not identify any as cyber.
- In no other industry or IT application would the end-users be able to develop their own set of guidelines and exclusions and then not require that the audits be conducted by people knowledgeable about the domain they are auditing.
What should be done:
- Act like a regulator, not an industry cheerleader
- Treat cyber as a threat to reliability and act accordingly
- Don't punish utilities for doing more than regulations require
- Train engineers who understand the electric system to be the auditors so it isn't just a check-the-box approach
- Call a spade a spade: if it is a cyber incident, call it that
- Replace NERC Critical Assets with "Mission Critical Assets". If the assets are needed for the utility to meet its mission of reliable electric service, they are critical and the utility should act accordingly
If NERC changes its ways, it puts the onus where it belongs, which is with the hackers. With the current system and NERC response, NERC is the problem, not the solution.
Joe Weiss