Inside the NERC CIP Standards

From the Editors of CIOSC
While we don't see frequent reports on hackers causing serious damage to the systems that feed the U.S. electric power grid, their efforts are heightening concerns that electric companies haven't adequately fortified defenses against a potential catastrophic strike. As The Washington Post reported earlier this year:

"Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber security. Wood also has raised the issue at several public appearances. Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department's Idaho National Laboratory showed him how a skilled hacker could cause serious problems. . . . Describing his reaction to the demonstration, Wood said: 'I wished I'd had a diaper on.'"

The article also quoted the chief risk officer for Constellation Energy Group Inc., which operates Baltimore Gas and Electric. Hundreds of times a day, said John R. Collins, hackers try to slip past cyber security into Constellation's computer network.

"We have no discernable way of knowing who is trying to hit our system," Collins told The Washington Post. "We just know it's being hit."

Facing up to the challenges

Such accounts lend extra urgency to the efforts of the North American Electric Reliability Council. NERC is currently drafting wide-ranging cyber security guidelines to replace the narrower, temporary precautions adopted in 2003 as the NERC Cyber Security Standard 1200 (renamed the NERC Cyber Security Standard 1300 in 2004). NERC CIP is the first set of comprehensive requirements to protect electric utility assets from cyber security attacks. It is currently in Draft 3, with Draft 4 slated to come out soon and be finalized in spring 2006.

Most electric power utilities have already achieved compliance with NERC Standard 1200 and are currently making serious efforts to plan compliance with these security standards. Below, we outline the additional requirements introduced by NERC CIP and what they mean for electric power companies.

NERC CIP establishes standards in eight key areas that are designed to protect not only power plants but all other aspects of electric utility operations and assets as well. These standards cover the same areas covered by the NERC 1200 Standard, but with some important differences. For example, instead of requiring organizations to identify their critical cyber assets directly, they must now identify their critical assets and then determine their critical cyber assets. (A critical cyber asset must be dial-up accessible or use a routable protocol for communication.) That's at the heart of CIP-002 (Critical Cyber Assets).

Likewise, the new standards require responsible entities to implement a cyber security policy that "at a minimum, addresses NERC CIP-002 through CIP-009 Standards." That requirement could compel responsible entities to revise their current policy in order to be compliant.

Let's look at some of the other key differences between NERC 1200 and the new CIP requirements.

CIP-003 (Security Management Controls)

CIP-003 Requirements 4 and 5 extend NERC 1200 by requiring a formal program for categorizing critical information and a formal set of roles and responsibilities for the access, use, and handling of critical information. This isn't required by NERC 1200, and it could take significant effort to implement properly, especially for responsible entities that handle large amounts of critical information.

NERC CIP-003 Requirement 5 also states that responsible entities must "document and implement a program for managing access to information associated with Critical Cyber Assets." The focus now is on the information rather than the cyber assets themselves. In addition, Requirement 5 goes beyond NERC 1200 in that responsible entities must document who is allowed to grant access to critical cyber assets. As a result, responsible entities will have to improve their access control programs to meet these new documentation requirements.

The need for change control procedures covering critical cyber assets has also evolved. NERC 1213 required that newly installed or modified critical cyber assets comply with the NERC 1200 standard, and that all testing and acceptance be done in an isolated environment. CIP-003 Requirement 6 goes further, requiring a formal testing and change control program.

CIP-004 (Personnel and Training)

CIP-004 combines two sections from NERC 1200 -- 1207 (Personnel) and 1211 (Training) -- and adds the requirement of a quarterly awareness program that goes beyond annual training. NERC has also changed the language of 1207 ("background screening") to "Personnel Risk Assessment" in CIP-004 Requirement 3. Responsible entities must document how they screen prospective and current employees, maintaining records on which employees and contractors have been screened, and which have participated in training and awareness programs. Developing an appropriate Personnel Risk Assessment could require significant time and effort.

CIP-005 (Electronic Security)

In general, CIP-005 is the same as NERC 1203, but with some additional sub-requirements. These include the following:

  • Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).
  • For dial-up accessible Critical Cyber Assets that use non-routable protocols, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.
  • Communication links connecting discrete electronic perimeters shall not be considered part of the security perimeter. However, end points of these communication links within the security perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).
  • Non-critical Cyber Assets within the defined Electronic Security Perimeter(s) shall be subject to the requirements of this standard.
  • Cyber Assets used in the access control and monitoring of the Electronic Security Perimeter(s) shall be afforded the same protections as Critical Cyber Assets.

CIP-005 also requires responsible entities to "maintain a documented procedure for securing dialup access to the Electronic Security Perimeter(s). The documentation shall describe controls implemented to secure these connections." This exceeds the NERC 1212 requirement to "secure dial-up modem connections."

In addition, CIP-005 calls for "strong procedural or technical controls to ensure authenticity of the accessing party." This requirement is more specific than NERC 1200 and could represent a significant challenge.

Another new requirement addresses an appropriate use banner: "Where technically feasible, electronic access control devices shall display an appropriate use banner upon interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner." "Where technically feasible" provides responsible entities with some flexibility.

Also new:

  • For dial-up accessible Critical Cyber Assets that use non-routable protocols, the Responsible Entity shall implement monitoring controls at the single access point at the dial-up device, where technically feasible.
  • Where monitoring controls have not been implemented or have only been implemented partially, the Responsible Entity shall implement procedures to verify authorized access to the protected Critical Cyber Asset on a periodic basis, as determined and documented by the Responsible Entity's risk-based assessment.

These requirements could also mean significant effort on the part of responsible entities.
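As an added illustration (not code from the article or from NERC), the following Python applies the CIP-002 test and the draft CIP-005 perimeter rules described above to a constructed asset inventory: a device supporting a Critical Asset counts as a Critical Cyber Asset only if it is dial-up accessible or uses a routable protocol; a non-routable dial-up CCA gets its own single-access-point perimeter; every device inside a defined ESP comes into scope; dial-up and external link end points become access points; and devices that control or monitor the ESP receive CCA-level protection. All asset names, flags and perimeter names are constructed.

```python
from dataclasses import dataclass


@dataclass
class CyberAsset:
    name: str
    supports: str                 # Critical Asset the device supports ("" if none)
    routable: bool                # communicates over a routable protocol (e.g. TCP/IP)
    dial_up: bool                 # reachable through a dial-up modem
    esp: str                      # Electronic Security Perimeter the device sits in
    external_link: bool = False   # terminates an externally connected communication link
    controls_esp: bool = False    # performs access control or monitoring for the ESP


def is_critical_cyber_asset(asset, critical_assets):
    """CIP-002: supports a Critical Asset AND is dial-up accessible or uses a routable protocol."""
    return asset.supports in critical_assets and (asset.routable or asset.dial_up)


def scope_inventory(inventory, critical_assets):
    """Return (set of CCA names, {esp_name: scoping dict}) under the draft CIP-005 rules."""
    ccas = {a.name for a in inventory if is_critical_cyber_asset(a, critical_assets)}
    by_esp = {}
    for a in inventory:
        if a.name in ccas and a.dial_up and not a.routable:
            # Non-routable dial-up CCA: its own ESP with a single access point at the modem
            key = f"{a.esp}/dialup:{a.name}"
        else:
            key = a.esp
        by_esp.setdefault(key, []).append(a)
    scoped = {}
    for key, members in by_esp.items():
        if not any(m.name in ccas for m in members):
            continue  # a perimeter holding no CCA is not an ESP; nothing is pulled into scope
        scoped[key] = {
            # every Cyber Asset inside the ESP is subject to the standard, critical or not
            "in_scope": {m.name for m in members},
            # dial-up modems and external link end points terminating inside the ESP
            "access_points": {m.name for m in members if m.dial_up or m.external_link},
            # CCAs plus the devices that control or monitor the ESP get CCA-level protection
            "protect_as_cca": {m.name for m in members if m.name in ccas or m.controls_esp},
        }
    return ccas, scoped


def example_scope():
    """Constructed inventory (hypothetical, not from the article): a control center and one substation."""
    inventory = [
        CyberAsset("ems-server", "control-center", True, False, "cc-lan"),
        CyberAsset("historian", "", True, False, "cc-lan"),
        CyberAsset("cc-firewall", "control-center", True, False, "cc-lan", external_link=True, controls_esp=True),
        CyberAsset("ids-sensor", "", True, False, "cc-lan", controls_esp=True),
        CyberAsset("rtu-7", "substation-7", False, True, "sub7"),
        CyberAsset("meter-gw", "substation-7", False, False, "sub7"),
        CyberAsset("office-pc", "", True, False, "corp"),
    ]
    return scope_inventory(inventory, {"control-center", "substation-7"})
```

Note that the substation perimeter "sub7" itself drops out of scope once its only CCA is carved into a dial-up perimeter, while the non-critical historian and IDS sensor stay in scope because they sit inside the control center ESP.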

CIP-006 (Physical Security)

CIP-006 offers a slight variation on NERC 1200. NERC 1200 required individual documents on the perimeter, access controls, and monitoring. CIP-006 now requires a document that includes all of these aspects of physical security. In addition, CIP-006 calls for a physical security plan for the use of access cards (including card loss, visitor passes, and inappropriate uses, such as piggybacking and card sharing), and requires responsible entities to "implement a maintenance and testing program to ensure that all physical security systems operate properly."

CIP-007 (Systems Security Management)

CIP-007 introduces a major change, requiring responsible entities to treat all of the systems within the electronic security perimeter as critical cyber assets.

CIP-007's requirements regarding account management methods for enforcing access authentication and accountability of user activity are also significantly more detailed than those of NERC 1200. Likewise, CIP-007 is much more specific about system log monitoring than NERC 1200, requiring responsible entities to maintain, retain, and review logs of system events related to cyber security. This new requirement could demand significant effort. Also new are requirements for disposing of and redeploying critical cyber assets.

CIP-008 (Incident Reporting and Response Planning)

CIP-008 contains the new requirement that responsible entities must "define procedures to characterize and classify events as Cyber Security Incidents in accordance with cyber event criteria defined in NERC's Indications, Analysis & Warning Program (IAW) Standard Operating Procedure (SOP)." They must now create much more documentation for full compliance, including incident handling procedures, escalation procedures, and communications plans.

Also new is the requirement that responsible entities must test their cyber security incident response plan annually.

CIP-009 (Recovery Plans for Critical Cyber Assets)

CIP-009 expands upon, and is more specific than, NERC 1200. The new standard mandates the creation and annual testing of a recovery plan, as did NERC 1200, but it also addresses change communication and the backup and storage of information required to restore critical cyber assets. The new requirement also calls for entities to update their recovery plans after each yearly exercise.

In addition, CIP-009 requires entities to have "processes and procedures for the backup and secure storage of information required to successfully restore critical cyber assets." Also new is the requirement to test backup media annually to ensure that the information is recoverable.

Raising awareness, improving security

Improving security should be part of an enterprise-wide risk management program for all electric power companies. But the challenges are daunting. Moreover, the two groups that must jointly solve this problem -- corporate IT personnel and plant operators -- traditionally do not work closely together. At the same time, a general lack of awareness that the problem is serious slows progress.

Here is one four-step cyber security process -- assessment, policy, measure deployment, and monitoring/management -- that power companies can adopt to improve security:

  • The security assessment step includes gathering knowledge about the environment, both inside and outside of the organization. This includes awareness of electronic threats before they reach the organization, identifying possible regulatory compliance issues, assessing the effectiveness of security and administration tools, and manually validating these security concerns using penetration testing methods.
  • Security policy creation and enforcement establishes who is authorized to gain access to what information, establishes who is authorized to perform what functions, measures compliance with these policies and procedures, and recommends ways to improve compliance.
  • Security measure deployment includes deploying security measures and responding successfully to vulnerabilities, securing devices, applications, and networks against threats before they occur, and taking steps to ensure that information is up-to-date, compliant, and restorable. It also involves recovery procedures and tools for the event that an attack eludes other security measures.
  • Security monitoring and management involves real-time, 24/7 monitoring and management of security information resources to prevent disruptions and minimize downtime.

Conclusion

The new NERC standards CIP-002 through CIP-009 advance and expand upon the NERC 1200 standard. In many ways, CIP-002 through CIP-009 set a higher bar for security. While the standard has not been finalized and may be modified, deployment of security best practices will help to address the requirements in a phased manner without requiring a one-time, major investment.
