Thursday, August 28, 2008

Dear NERC, CIP needs a protein shake...

We've been posting a lot of information about compliance regulation lately, so I'll just add another scoop to this steamy pile...

The North American Electric Reliability Corporation (NERC) is a self-regulatory (non-governmental) organization subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC). As of June 18, 2007, FERC granted NERC the legal authority to enforce reliability standards with all U.S. users, owners, and operators of the bulk power system, and made compliance with those standards mandatory and enforceable.


The preceding paragraph came pretty much verbatim from the NERC website. Now that we have a little insight on NERC, let's stop FERC'in around and talk about Critical Infrastructure Protection (CIP).

CIP was designed to protect the United States critical infrastructure and features a heavy emphasis on safeguarding critical cyber assets (CCA) that help run the systems that generate electricity and control the transmission of electricity. The CIP standard is broken down into 8 individual requirements (CIP-002 through CIP-009) for various areas of protection or security. Audits for NERC CIP begin July 1, 2009. You might recall a certain blackout of 2003 that affected a large number of northeastern states? Hmmmmmm?? This prompted the NERC CIP standard, much like Enron prompted SOX.

As assessors or auditors, our team works with many different standards and regulations, and we've done a lot of NERC CIP related work with our energy clients over the past year. We've heard multiple complaints from clients about the CIP standard being vague or hazy, and I tend to agree. The clarity on protection levels that are expected are muddy.

As far as standards go, CIP needs a protein shake. We're talking about a standard that's designed to protect some of the country's most critical systems. It NEEDS to be stronger.

And what's with the non-standard terms in the standard? "Cyber"? "Electronic Security Perimeter"?

Really? Who uses those?

Why don't they just throw in "microcomputer" or "World Wide Web"?

While other standards and compliance reg's require penetration testing, CIP only requires vulnerability scanning. Scanning for modems is referenced quite a bit in CIP, but there's practically nothing related to wireless. Sure, there are tons of modems out there, especially in those sectors, but NERC needs to let go of 1996. Check out some of the latest breaches across the country - I can't remember the last time I read a story about a compromise being traced back to a dusty modem. (Calm down, calm down...I know it still happens, just not as frequently.) And what about the exception for nuke plants? Why can't you apply NERC CIP to nuke plants as well? Businesses have to deal with multiple compliance efforts ALL THE TIME. Why wouldn't you use CIP as a "second set of eyes" for those sites?

And one more before I move on to the positives of NERC CIP. The standard isn't a shadow of what other regulations like PCI are requiring. You mean to tell me that the standards for the companies that allow me to turn on my lights are less than those of the companies that want to swipe my plastic?

NEWS FLASH: If the power is off, no one cares about PCI, HIPAA, or SOX.

Why?

Because the 'puters, calculators, and credit card processors don't work so well without power.

On a positive note - NERC CIP outlines a great schedule for compliance, with different progression paths. It's very detailed and could be something that other regulations take note of. The standard also breaks down what can be used as measures to demonstrate compliance, as well as specific levels of non-compliance which act as a nice grading system.

All in all, the standard has some positives but plenty of negatives. In my opinion, it has a long way to go before I stop stocking up on candles.

2 comments:

Anonymous said...

You're right on target with the outdated and vague nature of the CIPs. However, working for an asset owner and having insight into dozens of peer companies, the implementation timeline is one of the biggest pains with the standards.

Fully integrated utilities (transmission, distribution, generation) have had significant angst over determining where they live in the four tables - e.g. if you have a BA function and also a GO function, do your GO assets belong on Table 3 or Table 1 Column 2 under "Other Facilities"? We now know much of this answer, but it took the industry over a year to come to a consensus on that one item alone.

Nothing about the CIPs is a panacea - especially the implementation timeline. That being said, if there were one table for all functional models, the implementation timeline would be very good.

Anonymous said...

modems are old? tell that to the hundreds of millions of companies using them today for everything from DSL to cable.

talk about antiquated words, what about electricity? or power? so old. can't they call it something else already?

yeah, cyber is soooo old.