Mark Weatherford, Under Secretary for Cybersecurity at the Department of Homeland Security, offered comments as the morning keynote speaker on the second day of the Industrial Control System Joint Working Group (ICSJWG). Weatherford is the former Chief Security Officer at the North American Electric Reliability Corporation (NERC) and therefore has some knowledge of control systems and their security vulnerabilities. Mr. Weatherford stressed a theme of partnerships and information sharing between industry and government, noting that nearly 85% of the critical infrastructures in the US are owned by the private sector. He stated that we need to raise the nation’s cybersecurity IQ, not only with the general public but also with regulators and Congress. He also acknowledged that cybercrime nets more money for criminals than the cocaine, heroin and marijuana industries combined, worldwide. Mr. Weatherford also pointed to the inter-dependencies among the critical infrastructures in the US: security in the electric sector cannot be accomplished without considering the communications that link electric system devices.
Regarding legislation currently before Congress on this issue, Mr. Weatherford stated that there is a place for government enforcing cybersecurity standards, but the government should not presume that it can write these standards for control systems. Government must still rely on industry for standards and best practices. When asked if vendors should be held accountable for insecure products, Mr. Weatherford responded that industry is making great strides in delivering secure systems, but users are still accountable for deploying and correctly configuring these systems. If security settings are turned off because they are inconvenient, then the user is to blame, not the vendor.
The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have released a comprehensive report that pins the 2011 Southern California blackout on inadequate planning and grid coordination. Last September, millions of people in Southern California, Arizona and Mexico's Baja California were left in darkness after an employee's work on a transmission line at an Arizona substation triggered a massive blackout. The report dives into the causes of this incident, the areas affected, and the timeline of the system collapse and restoration.
The report’s overall recommendation calls for an improvement of bulk power system operators’ situational awareness through improved communication, data sharing and the use of real-time tools. It lists 27 specific recommendations to that end, each addressing specific findings from the investigating team. The full report can be accessed at http://1.usa.gov/KoSCTy
The Federal Energy Regulatory Commission (FERC) has approved Version 4 of the Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC). The currently-effective Version 3 CIP Reliability Standards. NERC had sent the CIP 4 standards over to FERC for approval back in February 2011, and FERC’s rulemaking on the same was initiated in September.
NERC CIP 4 presents significant changes in the way utilities identify critical assets and the means used to protect them. The main difference between Version 3 and Version 4 is a change in definition for “Critical Assets” (found in CIP-002-4). Specifically, Version 4 includes uniform “bright line” criteria for the identification of “Critical Assets,” which replace the “risk-based assessment methodology” developed and applied by individual responsible entities under Version 3.
NERC now has until March 31, 2013 to submit the next version of the CIP Reliability Standards, and Version 5 is still awaiting approval by NERC. Discussions on NERC CIP 5 suggest that it is intended to finally address all of Order 706.
A proposal put forward by the North American Electric Reliability Corporation (NERC) to use a three-tier informational filing format to report possible violations of Reliability Standards has been approved by the Federal Energy Regulatory Commission (FERC). In an Order released yesterday, FERC set conditions related to NERC's "Fix, Find, Track and Report" (FFT) proposal intended to ensure that the minor violations dealt with under the program are handled properly. Minor violations are defined as those posing minimal to moderate risk, and include administrative, documentation, and certain maintenance or testing program implementation failures. FERC will also survey a random sample of FFTs each year to determine how the program is working and whether improvements to the program are needed. The full text of the Order can be viewed here.
Version 5 of the NERC Critical Infrastructure Protection (CIP) standards was released for comment and vote in December. The results of the voting have been released, and the standard updates failed to receive the necessary votes to pass. The voting results can be viewed and downloaded here.
Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote.
Version 3 of the NERC CIP standards is in place now, with Version 4 approved and awaiting implementation. Some industry professionals hoped that Version 5 would be approved quickly so that implementing procedures to comply with Version 4 would not be necessary. The failed vote brings this possibility into question.
Integration of smart grid devices and other new and emerging technologies that rely on communications to control device operations poses a threat to the reliability of the electric grid, according to a new report released by the North American Electric Reliability Corporation (NERC). Providing a 10-year outlook on the North American electric industry, NERC's new '2011 Long Term Reliability Assessment' evaluates key reliability indicators and examines the impact of regulations and other issues on bulk power system reliability. The key issues discussed in the report were: the decrease in projected generation resources; the growing dependence on natural gas as the primary fuel source for on-peak capacity; the increased demand for integrating and delivering new resources and the resulting growth of transmission; and the cumulative effect of environmental regulations, which may reduce reserve margins in ways that could affect bulk power system reliability, depending on the scope and timing of final regulation implementation.
In a recent announcement, the North American Electric Reliability Corporation (NERC) published ten CIP standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1), a set of new and revised NERC Glossary definitions, and a proposed implementation plan. The documents have been posted on the NERC website for a formal 60-day comment period through Friday, January 6, 2012; comments will be accepted via an electronic form. The implementation plan, also called the mapping document, identifies each requirement in the already-approved Version 4 CIP standards and describes how that requirement has been treated in the Version 5 CIP standards.
Source: FERC Press Release dated September 15, 2011
"In a long awaited regulatory action, the Federal Energy Regulatory Commission (FERC) took steps to support continued transmission system reliability by proposing revisions to eight critical infrastructure protection (CIP) reliability standards that include a new method of identifying cyber assets that are critical to the nation’s bulk power grid.
The North American Electric Reliability Corp. (NERC) voted to approve the newest version of the CIP standards some time ago, and the industry has been waiting for FERC's decision on whether the standards should be enacted.
If enacted, NERC CIP 4 would present significant changes in the way utilities identify critical assets and the means used to protect them. Utility security professionals should review the draft standards and begin considering changes needed to their procedures to comply with the new methodologies.
The notice of proposed rulemaking (NOPR) stressed that NERC has not addressed all the modifications directed by the Commission’s Order No. 706, which approved the original CIP standards in January 2008. The NOPR would require NERC to make a filing to fully comply with Order No. 706 by the end of the third quarter of 2012. Comments on the proposed rule (RM11-11) are due 60 days after publication in the Federal Register.
The proposed “Version 4” CIP standards are an interim step, FERC said in directing the electric industry and the North American Electric Reliability Corp. (NERC) to continue developing a comprehensive approach to assure the grid can withstand a cyber security incident. NERC is the Commission-certified electric reliability organization responsible for developing and enforcing mandatory reliability standards."
The Department of Energy, in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation, has released a draft of the Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline for public comment. The RMP Guideline was drafted by a joint public-private sector team that also included representatives from the Federal Energy Regulatory Commission, the Department of Homeland Security, and utilities. The initiative to develop the RMP Guideline is led by the Department’s Office of Electricity Delivery and Energy Reliability. Comments are due by October 28, 2011 and can be made at: https://public.commentworks.com/CW_DOE_AWF/
Earlier today, the Senate Energy and Natural Resources Committee unanimously approved the "Grid Cyber Security Act", a somewhat amended version of the bill it approved last session, which was never brought to the Senate floor for a vote. The bill now goes to Senate Majority Leader Harry Reid, who may opt to fold it into a more comprehensive cybersecurity bill he hopes to bring to the floor later this summer.
Meanwhile, the House Subcommittee on Energy and Power of the Energy and Commerce Committee plans a hearing next Tuesday, May 31, on its own version of the bill whose language is based on the GRID Act passed unanimously last year by the House.
Under the provisions of the Senate bill, FERC jurisdiction would be expanded to include distribution in addition to generation and transmission systems and assets deemed "critical electric infrastructure [CEI]," defined as "so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety."
Within 120 days of enactment, FERC is directed to review current standards to determine their adequacy to mitigate cyber vulnerabilities. Due in part to criticism that the NERC CIP standards-setting process is too slow, the bill would impose a 180-day deadline for NERC to propose revisions to those standards that FERC finds wanting, or to develop a new standard to address new vulnerabilities identified by FERC. Reasonable time extensions will be granted, but the bill is silent on penalties if the deadline is not met.