Author Archives: Rick Kaun

NERC CIP Field Report – Will CIP Version 4 Ever Be Enforced?

Hello all.

Well I am sure you were starting to wonder if our man in the field Tom Alrich was ever going to pop up on here again.  Well he has.  There has been a lot going on in the land of CIP lately and true to form, Tom has captured a great many aspects of it in his latest offering.  It is a bit long for the main page so I offer the introduction here and a link to the full document in the body below.  As always, have a read, let us know what you think.  For now, sit back, relax and enjoy.

Tom Alrich tom.alrich@honeywell.com

blog post to insecurity.honeywellprocess.com

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

I attended the MRO compliance meetings recently in St. Paul, and was struck by two things: 1) the degree to which concerns about CIP now predominate over concerns about almost all of the other NERC standards put together, and 2) the high level of interest in CIP Versions 4 and 5 – both in their content and in the possible scenarios for their implementation.

Crowning all of the Versions 4 and 5 concerns is this one: Will the industry have to comply with CIP Version 4 – now approved by FERC and scheduled to come into effect April 1, 2014 – or will Version 4 be bypassed in favor of Version 5, which now has NERC Board of Trustees approval and will soon be submitted to FERC?

This is literally the (multi-) million dollar question for many NERC entities.  Many are desperate to avoid having to comply with V4 and then two or three years later with V5.  A V4 compliance program will be much different from a V5 program – documents, processes and procedures will mostly have to be redone.  And there are some controls required by V4 that aren’t required by V5, such as the infamous six-wall boundary of CIP-006.

Because the two versions are applicable to differing sets of assets, an entity could literally spend millions putting in place Version 4 controls and programs for a facility that will no longer be needed under V5 because it isn’t in scope (as a Medium or High impact facility).  Conversely, entities could expose themselves to huge penalties if they don’t put in place controls and programs for a facility that is in scope for Version 4, if Version 4 is in fact enforced on 4/1/2014.

I will be honest at the outset: I don’t know the answer to the question whether V4 will be enforced.  The only ones who possibly could know are the five FERC commissioners, and I suspect they have not made up their minds.  What I will try to do in this post is at least parameterize the different areas of uncertainty, and suggest developments that might occur next year which will indicate whether this event is more or less likely.  You are hereby warned: this will be a long post.  Like all things NERC CIP, this is a very complicated issue.

To start out, I would like to try to identify the groups that will and won’t be affected by this issue.  It is certainly true that this isn’t a problem for many NERC entities, while for others it is a huge problem.

But first I want to clarify one point: When I say an entity “has to comply” with CIP Versions 3 or 4, I mean they will have at least one Critical Asset with at least one Critical Cyber Asset.

And when I say an entity “has to comply” with CIP Version 5, I mean that they will have BES Cyber Systems associated with facilities that are listed as Medium or High impact in CIP-002-5 Attachment 1.  There are of course many more entities that will have BES Cyber Systems at facilities that are Low impact in Attachment 1.  Since the requirements for the Lows are so much less than those for the Mediums or Highs (Lows only need to develop and implement four policies, and cyber assets don’t have to be inventoried), I don’t consider the question whether or not an entity has to comply with Version 5 as a Low to be one that carries a high dollar impact.[1]

Let me first list some types of entities for which the question whether CIP Version 4 will be implemented isn’t really an issue.  They include:

Click here to see full posting


[1] I’m sure some will disagree with me in this regard, and say there could be a substantial effort required by entities to comply with V5 for Low impact facilities.  I agree a number of technologies like firewalls and locks on the doors have to be put in place (and I know that even now there are facilities without those), but the biggest burden of CIP is all the compliance procedures and paperwork, and those are almost entirely absent for Lows in V5.

 


Honeywell User Group EMEA

Hello all.

I recently had the pleasure of attending the Honeywell Users’ Group EMEA which this year was held in Istanbul.  It was a fantastic event and resulted in record numbers for attendees!  Front and center on many people’s minds was the subject of cyber security and we had a number of presentations, a well attended demo room booth and my personal favorite, a general session panel discussion!

We had the pleasure to have a number of our clients join myself and our host to discuss general trends, challenges and solutions for cyber security in a production environment.

As you can expect there was no shortage of debate, discussion and otherwise healthy exchange of ideas and opinions.  It would be safe to say that given the recent activities in the ME region with respect to Shamoon we had a captive and attentive audience.  I am encouraged by this level of dialogue but a small part of me wishes we didn’t have to have an ‘event’ to get people to start to pay attention to this most important subject.  Which brings me to one of my two subjects for the day.

I still see and hear so many people treating security as an afterthought.  I know the analogy of comparing security to safety is overused but the parallel is there.  When you go to a trade school or start a job at a facility the first subject you ever learn is safety.  Safety is the foundation upon which the entire facility is run.  Safety is an integral part of every project, every department and each and every employee’s responsibility.  It is the only way a safety program can be effective.

That same level of constant scrutiny and attention in any and all actions, projects and decisions is required for security to be of any use.  To build a secure infrastructure on a capital project and then not weave security language (system hardening baselines, ISA Secure certificates (or similar)) into your procurement language means your hard won efforts and technologies will likely be undone on the next ‘minimum compliant bid’.

Second point for the day is the concern I have for ‘knee jerk’ reactions.  I have seen a number of instances lately where corporations are ‘pulling the plugs’ from internet access, USB key use, general access and otherwise electronic freedoms.  Now I am first and foremost a security advocate so don’t get me wrong, controls are required.  However when you go to the extreme I have been seeing you effectively block the ability of your staff to do their jobs.  In fact in many cases where internet access has been blocked I see employees using personal email accounts (web based) or getting application and OS update/patches from personal computers at home!  They are not trying to be difficult or irresponsible (security wise) but they do have a responsibility to keep the plant running safely and effectively.  To that end they are simply doing their jobs.

My point is this:  it is better to allow those connections you can monitor/control than to simply shut off access.  The data/files will still get in as there is no such thing as an ‘isolated’ network (at least functionally).

That is it for me for now.  Thanks for reading and as always, let us know what you think!


Smart Grid Regulation – Coming to a State near You?

Hello all!  It has been a while since Mr. Tom Alrich our NERC CIP ‘man in the field’ has weighed in but for those of you waiting, today is your lucky day!  Here is Tom’s most recent collection of ideas/opinions/observations.  As always, these are Tom’s personal opinions.  So have a read and, as always, let us know what you think!

 

Much ink (including mine) has been spilled regarding cyber security regulations for the Bulk Electric System (BES).  Whatever your opinion of them, the NERC CIP standards are in place. But the distribution system is another story.  CIP doesn’t apply to Distribution, because it’s not part of the BES.  This wouldn’t have been a problem even five years ago, since the distribution system was fairly ‘dumb’.  There weren’t a lot of intelligent devices to attack – certainly not the meters, and very little of the distribution equipment in the substations.  It was very hard to imagine how someone could cause a large-scale distribution failure, and almost impossible to imagine how such an attack could cause problems beyond the immediate areas affected.

But as we all know, Distribution is rapidly changing.  There are millions of smart meters already deployed, and almost every utility has a substation automation project either in process or about to start; yet this is all just a down payment on what’s to come.  Not only are there many more intelligent devices waiting to be attacked in the distribution system, but the consequences of those attacks could potentially be widespread – not just in one neighborhood or town.

This isn’t to say that there is a huge cyber security problem in the Smart Grid – in fact, I doubt there is.  However, what I or you think is irrelevant.  The fact is that wide deployment of the Smart Grid depends on the public’s acceptance of the fact that it will improve their lives (and remember, they have to be willing to pay for it).  Were the idea to become rooted that the Smart Grid is insecure, that could very well mark the beginning of the end (Many organizations, such as Pacific Gas and Electric, have already run into cyber security concerns regarding their smart meter rollout).

Which then raises the question: How can we prevent this from happening?  Waiting until a substantial portion of the public has become convinced that the Smart Grid is insecure, then unleashing a fusillade of assurances from cyber security experts, is clearly not the answer.  We all know who will win that one.  I think the only thing that will assure the vast majority of utility customers is regulation.  If regulations are in place that require a certain level of cyber security practices on the part of the utilities and the vendors, this will allow Smart Grid deployments to go forward despite the cyber security scares that will regularly show up, justified or not.[1]

So who should do the regulating, the Feds or the states?  I think the answer is fairly clear: On the Federal level, FERC and NERC don’t currently have authority to regulate the Smart Grid (or power distribution in general), and they have no desire to do so.  The only other likely Federal regulator would be the Department of Energy, but they don’t have that authority and have made no attempt to obtain it.  NIST developed – with much industry assistance – the comprehensive set of cyber security guidelines contained in NISTIR 7628.  While this is a very useful document, it does not at all pretend to be regulations or even guidelines.

On the state level, the story is quite different.  The state Public Utility Commissions already have extensive authority to regulate electricity distribution.  And they are stepping up to the table to meet the challenge of assuring the public that the Smart Grid is “cyber safe”.

There are two documents that are particularly relevant to this.  The first was published this June by Miles Keogh and Christina Cody of the National Association of Regulatory Utility Commissioners, entitled “Cybersecurity for State Regulators”.  It is a very well written document that describes the cyber security and regulatory landscape as it relates to electric power, and lays out several steps that state regulators can take to help address the issue of Distribution-level (and especially Smart Grid) cyber security.  The most important of these steps is to ask questions of their utilities regarding their cyber security policies and procedures.  These questions are listed in Appendix A, and I recommend them as a great cyber security “pop quiz” for any electric utility (in fact, they would be very relevant to a lot of other organizations, such as gas and water utilities).

However, you won’t see a recommendation for actual cyber security regulations in this document.  The authors don’t rule that out – and they discuss the relative advantages of “risk-based” and “compliance-based” approaches to cyber security – but they don’t make any recommendation for or against regulations.

The second document was published on September 19 by Elizaveta Malashenko, Chris Villareal, and J. David Erickson of the California Public Utilities Commission (CPUC).  It is entitled “Cybersecurity and the Evolving Role of State Regulation”.  Like the NARUC document, it is very well written, and includes a good overview of cyber security as it relates to electric (and gas) utilities, as well as an excellent review of government initiatives to address this – on both the Federal and state levels.

Unlike the NARUC document, this document (written by CPUC staff members) does call on the CPUC commissioners (page 22) to consider various options for regulation of cyber security for California electric power distribution in general and Smart Grid deployment in particular.  But the document clearly doesn’t favor a prescriptive approach as in NERC CIP.  Rather, the authors believe that a risk-based approach, in which each utility (with active guidance from the CPUC) analyzes its risks and decides how to address them, is best.

You may say, “OK, so California may regulate Smart Grid cyber security.  I’m not in California – why should I care about that?”  The point is that California has been the leader in many areas of regulation (I think about California every time I make a right turn on red, since they were the first to allow that).  This is true in information security, where California SB 1386 (which came into effect in 2003) was the first law requiring organizations to notify individuals when their personal information was compromised in a security breach; there are now similar laws in effect in 46 states.

Indeed, the authors state (page 21), “If the CPUC takes action, it can not only potentially protect Californians from safety and reliability threats, but also provide an example for other State regulatory agencies.”  So if the California commissioners take up their staff’s recommendation, Smart Grid cyber security regulation may truly be “coming to a state near you”!


 

[1] An analogous example from another era is what’s now called the Food and Drug Administration, which was put in place in the face of revelations of awful conditions in meat packing plants.  Had that not happened, the US now might well be a vegetarian nation!


Good News on TFEs!!!

Howdy all!  Here is a quick one from Tom Alrich.  Have a good one and thanks for reading!

It seems rare that there is unadulterated good news regarding NERC CIP, and especially regarding Technical Feasibility Exceptions (TFEs), but there is some now: Due to the diligent efforts of the NERC regional auditors and NESCO and other industry groups, a comprehensive rewriting of the sections of the NERC Rules of Procedure that govern TFEs will be proposed to the Board of Trustees in December. And this rewriting appears to substantially decrease the burden of submitting and maintaining TFEs.  What’s not to love about that?

 

You can see these proposed changes at http://www.nerc.com/page.php?cid=1|8|169.  There will also be a webinar explaining these on Halloween (coincidence, you say?  I think not!); you can sign up at https://cc.readytalk.com/cc/s/showReg?udc=r83te3kp4n7k.  And you can submit comments on the changes to ROPcomments@nerc.net by November 19.

Briefly, the main changes (from my point of view) are:

  • There is now a single filing required, not two (i.e. no more Parts A and B) – and only one approval/disapproval.
  • The processing time is supposed to fall from approximately 13 months to 4 months.
  • The quarterly and annual reports are out!  Instead, you have to file a Material Change Report whenever something important has changed.
  • Audits are no longer required after TFE approval, although they are still an option.
  • The amount of information that needs to be submitted has been substantially reduced, although you still need to be able to produce this information if requested by the Regional Entity.
  • NERC finally recognizes that most TFEs will be open-ended, and makes those easier to put in place (so you don’t need to keep informing NERC that Cisco hasn’t suddenly allowed all its customers to load antivirus on their switches).

 I don’t expect to hear any complaints about these changes!  

 


NERC CIP V5 Draft 3 Voting Starts Today!

Hello all.  I am sure you have been wondering where Tom has been?  Well he has been busy but not so much so that he didn’t want to take a few minutes and share with us a few observations on the latest effort by the SDT to get V5 into FERC’s hands!  So here we are today, fresh on the heels of the FERC announcement to form its own “Office to Focus on Cyber Security” and also on the first official day of balloting for the latest version (V5, Draft 3) of the CIP standards, and Tom offers this up for you.  Now I don’t want to encourage wanton speculation or unsanctioned wagering but given the pressure from the White House for cyber security improvements, FERC’s announcement and the specific technical/procedural/philosophical items Tom outlines below I am willing to bet some changes are coming to the world of CIP 002-009.

Anyways, as always these observations are entirely those of Tom Alrich, not of Honeywell in any official way.  So grab a coffee and get set.  This one is interesting (if you ask me!).  Enjoy and let us know what you think!

 Third Ballot for Version 5 begins Oct. 1

Tom Alrich, tom.alrich@honeywell.com

 All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

On September 11 the CSO706 (CIP) SDT posted Draft 3 of NERC CIP Version 5; you can find the files here.  This marks the beginning of a month-long comment period.  The third ballot for Version 5 will be open from Oct. 1st to October 10th.

Every NERC Registered Entity potentially affected by CIP should, of course, both post comments and vote.  I’m not going to say how you should vote (or comment), but there is one very important fact you should keep in mind: in my opinion, the CIP Version 5 you vote on now will – even if it passes with flying colors and isn’t further amended before being sent to FERC – very likely not be the Version 5 you get when it is finally approved by FERC approximately two years from now.

The reasons I say this have all been stated in previous blog posts, so I’ll be short about them now and refer you to the other posts for more detail.  

  1. It is unlikely that FERC will leave the Attachment 1 criteria for generating stations unchanged.  My best guess is that they will substantially reduce the MW threshold in Criterion 2.1 to 750 or even 500MW.  For more on this topic, see this post:
  2. In Order 761, FERC identified four or five items they wanted to see included in Version 5 (FERC took pains to note that these were all originally requested in Order 706 and were not actually new items).  While these weren’t specifically mandated (since FERC can’t do that for a standard that’s still being developed), it seems clear to me that FERC definitely wants to see these in Version 5.  Two of those items – requiring that all BES Cyber Systems be within an ESP and that NERC and the Regional Entities have the ability to designate ‘Critical Assets’ – are quite controversial.  While the SDT did make a small gesture (not likely to satisfy FERC [editor’s note: this is Tom’s personal interpretation]) to address the first item, they have not addressed the second at all; so FERC will have to insert both items itself (or more accurately, mandate that NERC include them).  We discussed this question in a recent post:
  3. The Version 5 implementation plan should be taken with a number of grains of salt.  It says that CIP Version 4 won’t come into effect if Version 5 is approved by FERC before the effective date of V4, namely April 1, 2014.  There are three problems with this:
    1. It now looks very iffy that FERC will follow this timeframe.  The SDT intends to have V5 on FERC’s desk by March 31, 2013 (the deadline FERC set in Order 761); it could even be there a little earlier.  However, it took FERC 14 months to approve V4, and that was nowhere near as much of a change in CIP as V5 is; if they take that long or longer to approve V5, they will miss the 4/1/2014 date. 
    2. In Order 761, FERC said Version 3 is retired on 4/1/2014.  Even if they did approve V5 by that date, they would also need to issue a new order “un-retiring” Version 3, since the V5 implementation plan says it will continue in effect until V5 kicks in.  I’m not saying they wouldn’t do this, but it’s not a good idea to assume they will.[1]
    3. As I have just said above, I believe they will make changes to V5.  I have used a little shorthand in saying that, because the process of “making changes” requires sending V5 back to NERC and giving them 90 days to make the changes (see the NERC Rules of Procedure, especially paragraphs 309 and 321).  If this happens, that will of course delay approval even longer.

Does this mean you should vote against V5?  Not at all.  If these changes are going to happen anyway, then it’s better if NERC just passes the standards as they currently read.  Other than these considerations, I think this new draft is wonderful.  Complying with it will be a huge improvement over complying with Versions 1-4.  But every entity should make its own decision on this.

PS: After I wrote this, I realized that the new Version 5 draft implementation plan completely removes the wording about whether V5 is approved by the effective date of V4.  It simply says that Version 4 won’t come into effect period – assuming Version 5 is approved.  So if V5 is approved after April 1, 2014, not only will FERC have to reinstate Version 3, they will have to “de-instate” Version 4!  I find it highly unlikely that FERC will do this – just another reason why FERC will require changes to V5, thus further delaying final approval of V5.



[1] Please keep in mind that the timeline that the SDT has included in the V5 Implementation Plan is in no way binding on FERC.  They can say all they want about how Version 3 will be extended and Version 4 will never come into effect, but FERC has to agree with that.  And this would mean countermanding their order 761; I’m not saying they would never do that, but I’m saying you shouldn’t think it’s a sure thing.

 
