I have yet to meet anyone, who is not on the NERC payroll, who believes that the CIP standards are resulting in anything close to effective and efficient improvement in the bulk electric system’s security posture. (Even ex-NERC and regional entity employees who were CIP advocates are quite negative after they leave) This is where agreement ends, and interestingly the proposed fixes to CIP are often diametrically opposed.
Joe Weiss blogged on Friday with his oft stated view that can be summarized as follows: Anything connected to the bulk electric system, including distribution, smart grid components and serially connected controllers, should be required to meet the CIP-003 – 009 security requirements. He even goes further believing that the more detailed set of security controls from NIST SP800-53 should replace the current CIP.
The other camp, which I’m in, believes we need to move away from specific required controls and move towards a classic risk-based security approach. Literally every transmission and generation system we see is being forced to perform security busy work that is resulting in little risk reduction. Conversely, many of the major risks remain unaddressed for foreseeable future under the “required for operation” clause in so many of the requirements. These could be gaping holes in the security perimeter or easily compromised services on open ports. The CIP-5 and CIP-7 vulnerability assessment requirements are embarrassing to all involved.
I have no issue with Joe’s approach that everything connected should be considered. However I would bet that most risk management, consequence x threat x vulnerability, approaches would have these currently out of scope assets / communications very low risk compared to the other assets / communications. The bright-line attempt to help or force owner/operators to come to a more reasonable consensus on assets that would have a major consequence if compromised is a step in the right direction, but it does not allow or foster this same risk management approach related to the threat or vulnerability elements of the risk equation.
A risk-based approach has major implementation challenges including:
- a significant percentage of owner/operators still are trying to avoid cyber security and would do very little if given more discretion. After all, inaction was one of the reasons regulation was necessary.
- a risk based approach could lead to a very uneven level of security even with well intentioned utilities if the proper cyber security skill set with knowledge of the BES is not available in much greater numbers.
The effort that Mike Assante is leading at NBISE for workforce development and certification is one possible solution to these problems. As a CISSP, CISA, …, I realize the limitations of certifications and have in fact ignored opportunities to be grandfathered in to newer certifications. That said, other professions have managed to develop a process, most notably accounting/CPA, that certifies professionals and has a process that addresses principles rather than specific requirements.
The key to achieving the risk management approach is to develop a set of these skills and a methodology that is accepted. More to come on this …
Image by Sigfrid Lundberg