Chris Jager is a freelance security consultant who is always looking for interesting projects related to NERC CIP or ICS cybersecurity. In this four-part guest post series, he goes over changes to the NERC CIP standards and challenges facing the industry as they wrestle with compliance in a changing threat landscape. (Read Part 1, Part 2 and Part 3)
In the first three parts of this series, I gave a brief overview of how we arrived at Version 5 of the NERC CIP standards, how they align to current threats, and a few areas within where problems reside. This final post outlines a few approaches that can be taken to move industry forward.
Do Nothing
That’s right. Do nothing.
There are a surprisingly large number of people in this camp. While there is much public debate over how “bad” the security regulations are for the Bulk Electric System (BES), very few want to see the current approach scaled out to the grid at large.
The thought process is that the standards are being audited to the letter as opposed to the intent. This is what gave rise to the expense of feeding the regulatory “paper tiger” and the inching of toes to the requirement line without stepping beyond. Until this approach is changed, there is little to no security value gained through increasing the scope of the regulatory reach or the breadth of the control catalog.
Scrap Them
Another camp wants to scrap the NERC CIP standards altogether. The argument here is that there are already enough standards on the books for control systems. These standards come from recognized standards bodies such as ISA, IEC, ISO, IEEE, NIST, and more. Why have yet another?
The promoters of this approach, however, don’t often take into consideration that the NERC CIP standards are not really designed to be a control systems security standard. They are intended to prescribe a set of minimum criteria by which a North American electric utility needs to conduct overall operations in a “secure enough” fashion so as not to have a cascading BES failure be initiated by a security incident.
Continue Refining
A third camp wants to continue moving down the current road. That is, take the work that has been done with NERC CIP Versions 1 through 5 and improve the standards outside of responding to FERC orders.
Arguments for this approach primarily center on the concept of showing that industry takes the problem seriously and isn’t waiting for the government to grab its ear, twist, and lead it around. The problem here, however, is that it may be too late.
As discussed in previous parts of this series, should NERC CIP Version 5 pass on schedule and its successor (whatever that may be) follow along a similar schedule, when initial ramp up and planning is taking into account, NERC will have promulgated effectively the same slate of controls to industry for more than a decade. The potential saving grace is that this was all in response to the buildup and issuance of one order – FERC Order 706.
Federalization
As evidenced in transportation, the federal government has proven a desire and ability – effectiveness notwithstanding – to take over security efforts for other critical infrastructure sectors. Federalizing security of the power grid versus airports, for example, is like comparing apples to oranges. In order to really federalize security of key operational choke-points, the choke-points themselves would need to be federalized.
This administration, in particular, has shown no hesitation to take over ownership and operation of banks, automobile manufacturers, and companies in other industries. Ostensibly, this was done to halt a large scale cascading failure of the financial system due to negative impacts at one or a handful of critically placed companies. If you take that same logic and apply it to the energy sector as it pertains to cascading failure of the power grid stemming from a security impact at one or a handful of companies, it’s not outside of the realm of possibility that the same could occur here.
I point to GAO and DOE IG reports of the security operations at Federal Power Agencies for expectations of how well that might go. Could the energy sector benefit from the skills embedded in some of the more capable areas of the federal government that deal with Computer Network Defense? Absolutely. This should, however, be more of a workforce development effort that provides capable, experienced operators into industry once they are done with government service.
Holy Grail?
For me, the right approach to moving things forward will include the following key elements:
- Audit to the intent of the standard: Does the utility actually provide the intended security of the requirement through their implementation of a given requirement? If so, they get a pass – even if they miss on a technicality. This requires qualified auditors who are experienced in both utility operations and security more so than auditors that come from financial or other disciplines.
- Reduce and limit the control catalog: Rather than create new controls and go through the process of obtaining buy-in and consensus on the specific language, create a menu of existing controls. Utilities would be required/allowed to choose from a suite of standards, such as those from ISA, IEC, ISO, NIST, etc., and document their justification on a per asset/function basis. The NERC CIP standards should identify acceptable standards and/or controls within specific standards that a utility can choose from. Uniquely developed controls should be limited to situations that are truly unique for the sector or are not served by at least two other approved catalog sources.
- Begin down a proactive path: Industry developed the meat of the NERC CIP standards in 2006, then FERC adopted them in 2008 with the issuance of Order 706. Version 5, submitted to FERC earlier this year for proposed adoption in 2015, was still developed in response to FERC Order 706. If audits can move away from ticky-tack penalties and focus on capabilities and improvements, the NERC CIP standards should start to branch out from what is prescribed though FERC orders.
This approach takes key elements from most of the camps outlined earlier in this post. It also establishes a framework that allows specific details to be hashed out by various subject matter expert groups (see standards bodies) without needing to cobble together a group of willing volunteers to drive consensus. Let those industry volunteers focus on the industry-specific issues inherent in selecting and adopting a controls framework.
Additionally, this keeps the NERC standards development process for the CIP standards. This is a process that has been developed by NERC, adopted by industry, and approved by FERC. The CIP standards should not be a catalyst for change to that, should one even need to occur. Future revisions to the standards can be focused on industry-specific concerns and a review of the control catalog menu for applicability, capability, and currency. Gone, in theory, would be the rigmarole over language selection within the majority of the controls catalog itself.
More importantly, it resets the relationship between the regulatory strata and industry. The approach that has been undertaken to date has not worked and no amount of tweaking that approach will re-establish trust on either side. This is the opportunity to reboot while taking the lessons learned from the past number of years to heart.
Wrapping Up
Waiting around for another decade while security regulations catch up to today’s threat landscape should not define due care by FERC, NERC, or industry. If you ask 50 experts, you’ll get 200 reasons as to why each group is at fault – often excepting their own.
Somewhere, a promoter of public/private partnership is weeping, huddled up in a corner of the Capitol Building…
I need to preface the following by saying that, by and large, I have the utmost respect for those that have been placed in the impossible position of trying to improve the sector’s security posture through drafting and updating the NERC CIP standards. However, promoting additional regulatory scoping and citing what we’ve all done with existing security regulations in the electric sector should automatically warrant the stink eye.
Once we “fix” regulation as it pertains to security of the BES, only then should we consider whether or not it makes sense to scale security regulation to other elements of the grid. Until we do, no evidence exists that suggests we (government, regulators, industry) can get it right.
Image by Picture_taking_fool