My last post regarding NERC CIP V5 is about the automatic ‘Low’ classification of Blackstart generation resources that do not meet the bright line criteria. The committee cites compliance costs and a potential withdrawal of blackstart resources as the primary drivers for defaulting to Low. The committee states that the ‘Low’ ranking is the least detrimental option available because the withdrawal of blackstart would result in a decrease in reliability. This justification is likely based on the (usually accurate) rule that having fewer blackstart resources results in higher risks during grid restoration.
The other side of the argument is that when all else fails, there is only blackstart. During a wide area blackout, there are NERC Critical Assets that require blackstart in order to transform from hunks of steel, concrete, wiring, and fuel into beefy producers of bulk electric power. Requiring zero technical methods of preventing cyber security compromise of blackstart resources (i.e. the Low Impact rating) doesn’t help assure a reliable restart of the grid in the case of an emergency. Because of the critical, but limited, nature of blackstart, I’m proposing that the following set of controls, pulled from the NERC CIP V5 standards, be applied to blackstart resources in addition to the ‘Low’ requirements:
- Require a list of cyber assets associated with reliable operation. This has been cited in numerous cyber security publications as a minimum requirement, no matter your cyber security posture.
- Require an electronic security perimeter be established to surround those cyber assets, and limit access to only those functions and systems necessary for reliable operation. Isolation from other non-control networks has been identified even by control system engineers as a necessary practice, so enforcing and documenting the ‘current’ isolation should not be much more difficult. If isolation is being done, of course.
- Require logging of all traffic into and out of the electronic security perimeter, but no requirement for active monitoring. While most security professionals are likely screaming, this allows root-cause analysis in case the system is found to be compromised at a later date. If you can’t prevent it, log it and point the finger later.
- Require account management for all external interactive access to the electronic security perimeter. The intent is to ensure that remote connections into the control system are authorized, access controlled, and logged through some mechanism. A manual form of this is usually done at sites; I’m proposing that a technical enforcement component be required.
- Document all changes to software and hardware, ensure that those changes are authorized by management, and ensure that the employees understand the consequences of making changes outside of change management. This is a primitive way to separate good changes from bad changes in the event of a cyber incident.
- Require annual re-assessment of the controls stated above to ensure they continue to work as designed, and to identify any new vulnerabilities that were not captured in the design phase. I’m not talking about an expensive, full-blown assessment; I’m talking about a review of the controls in place.
The bare-bones, stripped-down requirements above take advantage of a difference between blackstart generation and normal generation. Normal generation actively produces power, and its cyber security controls emphasize continuous protection and response to prevent impact to the BES due to compromise. The minimal controls above are tailored for blackstart facilities: facilities that are defined by being available for production, but cannot immediately impact the BES if degraded or destroyed (so long as the grid isn’t blacked out, of course). Additionally, the controls should allow the blackstart pool to remain, as the heaviest NERC CIP costs are associated with CIP-004, CIP-006, and CIP-007.
If a compromised resource is needed during an emergency and cannot respond, these controls will allow investigators to identify whether there is a cyber security problem. Additionally, they provide some mitigation for historic methods of control system compromise: lax remote access and lack of perimeter protection. Ideally, the technical controls can be attained through a simple perimeter firewall/VPN.
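To show what that after-the-fact investigation looks like once the asset list, perimeter logging and account management controls above exist, here is an added example (mine, not the post’s or NERC’s) that reviews perimeter log lines against a documented asset inventory and an authorized remote-account list. The log format, asset addresses, peer addresses, ports and account names are all constructed assumptions.

```python
import re

# Documented cyber assets inside the blackstart ESP (constructed inventory).
ESP_ASSETS = {"10.20.1.10": "blackstart-hmi", "10.20.1.11": "governor-plc",
              "10.20.1.12": "historian"}
# Accounts authorized for external interactive access (constructed).
AUTHORIZED_REMOTE = {"vpn-ops1", "vpn-turbine-vendor"}
# External peers and ports needed for reliable operation (constructed).
ALLOWED_PEERS = {"203.0.113.7", "203.0.113.9"}  # control centre, EMS
ALLOWED_PORTS = {502, 443}  # SCADA polling, VPN termination

# Constructed perimeter log format: "<ts> <in|out> src= dst= dport= user="
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<dir>in|out) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) user=(?P<user>\S+)")

def review_esp_log(lines):
    """Return (timestamp, esp_asset, reasons) for each line breaking a control."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(("?", "?", ["unparseable: " + line.strip()]))
            continue
        direction, port, user = m["dir"], int(m["dport"]), m["user"]
        # The ESP-side address is the destination of inbound, source of outbound.
        inside, outside = (m["dst"], m["src"]) if direction == "in" else (m["src"], m["dst"])
        reasons = []
        if inside not in ESP_ASSETS:  # control: documented asset list
            reasons.append(f"undocumented asset {inside} inside ESP")
        if direction == "in" and port not in ALLOWED_PORTS:  # control: limited functions
            reasons.append(f"port {port} is not a required ESP function")
        if user != "-" and user not in AUTHORIZED_REMOTE:  # control: account management
            reasons.append(f"interactive access by unauthorized account {user}")
        if user == "-" and outside not in ALLOWED_PEERS:  # control: perimeter isolation
            reasons.append(f"{direction}bound traffic with unlisted peer {outside}")
        if reasons:
            findings.append((m["ts"], inside, reasons))
    return findings

SAMPLE_LOG = [  # constructed; addresses come from documentation ranges
    "2013-06-01T02:14:05Z in src=203.0.113.7 dst=10.20.1.10 dport=443 user=vpn-ops1",
    "2013-06-01T02:20:41Z in src=203.0.113.9 dst=10.20.1.11 dport=502 user=-",
    "2013-06-01T03:02:13Z in src=198.51.100.4 dst=10.20.1.10 dport=3389 user=contractor-x",
    "2013-06-01T03:05:00Z in src=198.51.100.4 dst=10.20.1.44 dport=502 user=-",
    "2013-06-01T03:40:22Z out src=10.20.1.12 dst=192.0.2.55 dport=8443 user=-",
]
if __name__ == "__main__":
    for ts, asset, reasons in review_esp_log(SAMPLE_LOG):
        print(ts, ESP_ASSETS.get(asset, asset), "; ".join(reasons))
```

The first two sample lines pass every control; the remaining three each produce a finding that points at a specific asset and a specific control, which is the “log it and point the finger later” outcome the minimal requirements are meant to enable.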
And just so it’s clear, I’m working the compromise, as I believe this Low impact classification will be put in the final standard, and will likely be pounded by Congress. Stay tuned, I’ve worked up a nice movie scene between Congress and NERC if the Low criteria stays in.
If you have any other suggestions for the controls above, make sure to post a comment quickly. Today is the deadline to get feedback to NERC for CIP V5.
title image by David Lendrum
MT: Removed a duplicate paragraph.