An official audit of cybersecurity defenses on the nation’s high-voltage power grid begins in April, testing power companies’ compliance with new, exacting federal cyber regulations in an ongoing campaign to stay ahead of would-be attackers.
The federal rules are mandatory, backed by substantial fines for serious violations. However, grid operators typically will not be graded on a strict pass-fail, zero-tolerance compliance scorecard, according to guidance from the North American Electric Reliability Corp., the federally designated grid security monitor.
Instead, auditors will use considerable judgment in assessing how well grid companies have complied with the fifth version of the federal Critical Infrastructure Protection standards (CIP Version 5).
The leeway is a consequence of having to write and enforce risk-based rules to ward off constantly evolving cyberthreats against a high-voltage network that is itself in the throes of change, including more digital controls and exposure to the Internet, officials said. And it reflects NERC’s goal of gaining cooperation with the industry over the standards, the organization’s statements indicate.
"We want to show that we don’t necessarily have a cookie-cutter approach," said Tobias Whitney, NERC’s manager of CIP compliance, speaking in a NERC webinar last month. "Facts and circumstances will dictate how we monitor those entities," he added, referring to the largest grid companies.
NERC turned down requests for interviews with compliance officials about the audit process, referring instead to Whitney’s comments on the webinar and to guidance documents on its website.
"How strictly will NERC CIP 5 be applied? It cuts to the core of the matter," said Lew Folkerth, principal reliability consultant for ReliabilityFirst, one of eight regional industry organizations to which NERC has delegated enforcement of its cyber rules.
"If you cannot strictly apply security standards, then what good are they?" he asked in an interview. "If you apply them too strictly, that is also a problem.
"The way things seem to be going is, we are trying to chart a course right down the middle," he added. "We talk a lot about risk-based compliance, risk-based security, risk-based everything. Part of that risk assessment process is, what do the entities truly need to do to protect their systems, without having to dot every i?"
Auditors will start with the operating companies whose facilities are most critical to the security of the high-voltage grid and will tailor their inspections to each company’s situation, Folkerth said. For example, grid operators that show they are on top of updating software patches to deal with vulnerabilities may get the benefit of the doubt on some other issues, he said.
"The audit teams can always go deeper if they need to determine compliance," he said. If a grid company has "a history of not doing their patching properly — not on time or missing a patch — I would expect those would be thoroughly reviewed."
The CIP Version 5 rules, approved in November 2013 by the Federal Energy Regulatory Commission (FERC) in its Order 791, markedly expand security requirements over the prior version, which took effect in 2010. FERC has announced it will make its own spot audits of compliance with the new rules, an unusual intervention by the agency. FERC staff were not made available to discuss the reasons for the decision (EnergyWire, Nov. 4, 2015).
NERC officials have labored for more than 18 months with industry representatives to pin down guidance on how companies can comply. The task has proved so difficult that NERC pulled back compliance guidance that it had issued in April last year on several key issues.
"NERC became aware that industry continued to have concerns over the issues after it issued CIP Version 5 Memoranda dated April 21, 2015," a NERC memo recounted.
"On July 1, 2015, NERC hosted a small, executive-focused face-to-face meeting to discuss the issues in the CIP Version 5 Memoranda," NERC reported. The meeting included NERC and industry leaders and FERC staff.
NERC said there was "convergence on several issues and application of guidance, in addition to identifying areas that need increased guidance or clarity."
Wrestling with ambiguity
A significant case of ambiguity in the rules involves cyber regulation of the communications channels that carry vital data from control rooms to a data collector device (a remote terminal unit, or RTU) in a substation, and from there to the relays that protect power lines from overloading and overheating, NERC documents show.
In a much simplified example, when data or commands travel over "routable" or programmable communication channels controlled by software, there is a risk that attackers could gain access via an Internet breach and block or corrupt the data stream. The CIP regulations generally require cyber protection of such routable channels in strategically vital grid facilities. If, however, data travels over a non-programmable "serial" path such as a traditional telephone line or wireless channel with point-to-point connections, the same cybersecurity requirements don’t apply under CIP Version 5.
"But there is a gray area," said Tom Alrich, manager for enterprise risk service for Deloitte Advisory in Chicago, Ill., who regularly writes about the CIP process in his personal energy blog.
Data may travel over a routable connection from the control center to an RTU but move from there to the relays via serial connections. Is that data flow routable or serial? Is it covered by CIP Version 5 or not?
"Well, the standards drafting team didn’t really address this particular issue, and it turned out to be absolutely huge," he added.
"Companies could have to spend millions of dollars if the interpretation is one way or another" to protect thousands of relays on the grid if they fell under CIP regulations, he said.
This was one of the issues on which NERC pulled back the guidance it issued last April. The uncertainty over how to interpret the rule will deter auditors from issuing proposed violations against grid companies on this point, he said.
"NERC has said now — which I agree with — that the only way to fix the problem is to write new standards to elaborate on the definitions. It needs to be revised. And that is the same thing as revising the standard itself," Alrich said.
Alrich said a revision of the standard takes three to five years to complete. He was asked whether cyber risks would persist during that time.
"It would be a problem if the entities were just going to blow it off and say, ‘You know what, we’re just going to declare everything we have to not be externally routable.’"
NERC won’t be able to issue violations on ambiguous issues while the standards are being rewritten, Alrich said, adding that he expects grid companies to continue interpreting the standards on their own. "My guess is that 99 percent of NERC entities are still going to try to comply to the best of their ability," he said.
Folkerth agreed. He advises companies that face uncertainty in the new regulations to make prudent decisions on safeguards.
"If they take a reasonable, middle-of-the-road approach, so they’re not spending money without good reason, but they are also minimizing their compliance risk, they should be in pretty good shape for the audit," Folkerth said. "I suspect that if any entity is truly not meeting the requirements of the language and standard — and they should know better — they are going to get a possible violation written with a fine attached."
Alrich said interpreting the regulatory guidance is critical. "I call it ‘roll your own.’ You basically have to look at all the guidance that comes out," he said. "You have to make a good-faith effort and to learn everything you can. Then, if you make your decision and thoroughly document it, you should be fine.
"If you don’t bother to do that and say, ‘I know you’re not going to enforce it, so why don’t you take a hike’ — if they do that, they’re going to get a violation."