Confidential audits of cybersecurity practices in part of the eastern U.S. transmission grid last year show a decline in violations of mandatory federal cyber rules, industry auditors report. But they also see a concerning increase in complacency about threats among some grid operators.
"The bottom line, I think we're seeing a maturation, seeing the [power] companies getting stronger in understanding the emerging threats and implementing programs to meet those challenges," said Jason Blake, vice president and general counsel of ReliabilityFirst Corp. (RF).
RF is an Independence, Ohio-based grid security monitor that assesses compliance with the Federal Energy Regulatory Commission's Critical Infrastructure Protection (CIP) Standards in 13 Mid-Atlantic and eastern Great Lakes states and Washington, D.C.
He added, "It's still developing. We don't want to open up the champagne too soon."
A briefing last month by RF staff provided a rare look inside the power industry's compliance with the voluminous FERC cybersecurity rules.
The number of self-reported violations — those the utilities voluntarily disclosed — increased from 108 to 153, and violations found by auditors increased from 12 to 32. But that was balanced by the fact that the audits were checking on a complex new set of cyber regulations, the fifth version of CIP rules, Blake said.
A second benchmark, the number of days a violation persisted before the company reported it or auditors discovered it, dropped by half, to 104 days from 221 days. The number of "severe" CIP violations, which totaled 19 in 2012, fell to zero in the 2016 audit, RF said.
The CIP audit process is tightly shielded to protect identities of power companies where serious vulnerabilities are found. RF and other monitors report violations to FERC, which may assess fines of up to $1 million per day per violation in severe cases. FERC assessed a $1.1 million fine against an unnamed West Coast utility last year for a series of violations, for example. Two "outlier" power companies were responsible for 92 of 117 audit violations in RF's footprint in 2014, it said.
FERC turned down several requests last year to discuss the audit process with E&E News. Under a rules-setting regime enacted by Congress after the 2003 Northeast blackout, the industry-based North American Electric Reliability Corp. (NERC) is designated by FERC to write cyber rules for specific threats and issues, which FERC can approve or remand. NERC delegates the auditing to RF and seven other regional organizations of grid professionals. In its case, RF oversees 230 transmission companies, generators and regional control organizations.
The CIP rules are unique among U.S. critical infrastructure sectors. While the nation's nuclear plants operate under a tight set of cyber standards enforced by the Nuclear Regulatory Commission, the CIP standards are the only mandatory cyber regulations in place across vital industries like oil and gas, telecommunications, and finance.
And they fuel a debate about whether their specificity is a model that other critical infrastructure sectors should follow to document the strength of cyberdefenses, or shun to avoid consuming companies' time and attention on too many lower priority threats.
Compliance does not 'equal security'
A slide presentation by RF Enforcement Director Deandra Williams-Lewis and senior counsel Kristen Senk, at last month's conference, said improvement in the violations scorecard could be due to increased experience in applying the CIP rules, more active monitoring and enforcement, and more training and outreach within the sector.
The RF officials cautioned that compliance with the CIP checklist does not "equal security" and said that the number of reported violations can have an ambiguous meaning. High numbers could either show that detection is strong, or prevention and correction are weak.
RF cited five issues that undermined cybersecurity compliance, including management "silos" that block consistent defense approaches, inadequate threat management tools such as an overreliance on automated threat identification, and a basic lack of awareness of threats.
As an example of the silo issue, RF said that a utility's human resources department may be the only unit that documents when someone's employment terminates. If HR is not linked effectively in the cyberdefense process, that person's access to critical systems may not be ended at the same time.
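The silo failure RF describes is detectable as a reconciliation between two record systems that rarely talk to each other: the HR termination list and the access-control system's account inventory. The following is an added example (not RF's or any utility's code) that joins the two and flags accounts that remained enabled after an owner's termination date, or were disabled only after it. The record shapes, system names and sample dates are constructed for illustration; the `today` reference date is an assumed audit date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Termination:
    """One row from the HR system: who left, and their last day."""
    employee_id: str
    effective: date


@dataclass
class Account:
    """One account as recorded by the access-control system for a critical system."""
    username: str
    employee_id: str            # owner, as the access system records it
    system: str                 # constructed label, e.g. "ems-scada"
    enabled: bool
    disabled_on: Optional[date] = None


def orphaned_access(terminations: List[Termination],
                    accounts: List[Account],
                    today: date) -> List[dict]:
    """Cross-check HR terminations against the account inventory.

    Returns one finding per account whose owner has left but which is
    still enabled, or which was disabled only after the termination date.
    Accounts of current employees, and accounts disabled on or before the
    owner's last day, produce no finding.
    """
    left_on: Dict[str, date] = {t.employee_id: t.effective for t in terminations}
    findings: List[dict] = []
    for acct in accounts:
        term = left_on.get(acct.employee_id)
        if term is None:
            continue                      # owner still employed per HR
        if acct.enabled:
            findings.append({
                "username": acct.username,
                "system": acct.system,
                "status": "still enabled",
                "days_since_termination": (today - term).days,
            })
        elif acct.disabled_on is not None and acct.disabled_on > term:
            findings.append({
                "username": acct.username,
                "system": acct.system,
                "status": "disabled late",
                "days_late": (acct.disabled_on - term).days,
            })
    return findings


# Constructed sample data (hypothetical employees and systems, not real records)
SAMPLE_TERMINATIONS = [
    Termination("e101", date(2017, 4, 28)),
    Termination("e205", date(2017, 5, 10)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "e101", "ems-scada", enabled=True),                         # never revoked
    Account("jdoe-adm", "e101", "substation-gw", enabled=False,
            disabled_on=date(2017, 5, 3)),                                      # revoked 5 days late
    Account("asmith", "e205", "historian", enabled=False,
            disabled_on=date(2017, 5, 10)),                                     # revoked on last day
    Account("bwong", "e300", "ems-scada", enabled=True),                        # still employed
]
AUDIT_DATE = date(2017, 5, 16)   # assumed reference date for the check

if __name__ == "__main__":
    for finding in orphaned_access(SAMPLE_TERMINATIONS, SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(finding)
```

Running the check against the sample data surfaces two findings: `jdoe` is still enabled 18 days after termination, and `jdoe-adm` was disabled five days late. The join key here is the employee id the access system stores for each account; in practice the hardest part of this reconciliation is keeping that owner field populated and accurate, which is exactly the cross-department linkage RF says goes missing.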
RF said in 2015 that it had seen power companies purchase sophisticated cybersecurity tools but fail to adapt them properly to their unique systems. Many companies use tools to detect unauthorized access to their systems to satisfy a CIP requirement. But if not set up precisely, the tools may produce huge reports "that are impossible to digest in a meaningful way." The tools need to be "tuned" to highlight potential threats, RF said.
"Complacency" was added to the list after the 2016 audit.
"It's less a theme than it is an emerging issue to keep an eye on, a caution," Blake said. "The nature of these standards is that they are governing a technology that is moving quickly, so you must remain vigilant."
Blake gave an example of a company that thought it had a defense process down pat, then rechecked and found it didn't. "The point is, it's a never-ending battle. A big focus is making sure companies understand that," Blake said.
Can CIP work?
Tom Alrich, senior manager for cyber risk services at Deloitte Advisory, challenges the ability of the cumbersome CIP rule-writing process to keep up with the constantly morphing attack strategies. Alrich's regular blogs on CIP reflect his views, not Deloitte's, he says.
"Unfortunately, I wouldn't say there is any correlation between CIP violations and the degree of cybersecurity," he said in an interview. "The fact that reported violations are low could even mean that operators don't understand the requirements enough to self-report violations and are therefore less secure."
For example, one rule, CIP-007 R2, requires regulated organizations to identify all the software systems and versions in their security perimeters and then, every 35 days, to check whether software vendors have issued "patches" to close gaps before cyber intruders can break in, Alrich said. A breakdown in patch management was the core issue in last week's global ransomware attack.
"Maybe it's a vendor that hasn't issued a security patch in 20 years, they still have to check," he said. "Then they have another 35 days to either apply the patch or develop a mitigation plan to address the vulnerability while they're waiting to apply the patch. Then they have to implement the mitigation plan, and document that it is still in force, until they can finally apply the patch.
"If companies are devoting so much time and money to this, they will almost inevitably have to shortchange other cyberthreats that could be more important, like preventing phishing attacks," he said. "Think of a major recent cyberattack that didn't start with phishing — it's hard to think of one. Yet it's not mentioned in CIP at all.
"If you think of how a utility allocates its cybersecurity budget, what will it spend money on first? The issues that are covered by CIP, that could in theory lead to $1 million a day penalties from FERC," he said. "So my biggest complaint about CIP is that it results in overspending on the particular threats addressed by CIP, and underspending on other cyberthreats of equal or greater importance."
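The patch-management cadence Alrich describes for CIP-007 R2 is two chained 35-day clocks: one for checking each software source for new patches, and, once a patch is identified, a second for applying it or putting a documented mitigation plan in force. The following is an added example (not Alrich's, Deloitte's, or any utility's code) that tracks both clocks over a software inventory and reports which entries are overdue. The inventory fields, product names and dates are constructed for illustration; the 35-day windows are taken from the article as described, and the reference date is an assumed audit date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Two windows as described in the article for CIP-007 R2: 35 days between
# patch-source checks, and 35 days from identifying a patch to either
# applying it or having a mitigation plan in force.
CHECK_WINDOW = timedelta(days=35)
ACTION_WINDOW = timedelta(days=35)


@dataclass
class TrackedSoftware:
    """One entry in the software/version inventory for the security perimeter."""
    name: str
    version: str
    last_patch_check: date                  # last time the vendor source was checked
    patch_found_on: Optional[date] = None   # date a relevant patch was identified
    patch_applied: bool = False
    mitigation_documented: bool = False     # mitigation plan written and in force


def next_check_due(item: TrackedSoftware) -> date:
    """Date by which the next patch-source check must be completed."""
    return item.last_patch_check + CHECK_WINDOW


def action_deadline(item: TrackedSoftware) -> Optional[date]:
    """Date by which an identified patch must be applied or mitigated, if any."""
    if item.patch_found_on is None:
        return None
    return item.patch_found_on + ACTION_WINDOW


def evaluate(item: TrackedSoftware, today: date) -> List[str]:
    """Return the findings for one inventory entry as of a given day."""
    findings: List[str] = []
    if today > next_check_due(item):
        findings.append("patch check overdue")
    deadline = action_deadline(item)
    if deadline is not None and not item.patch_applied:
        if item.mitigation_documented:
            # Clock is satisfied by the plan; the patch itself is still pending.
            findings.append("patch pending under mitigation plan")
        elif today > deadline:
            findings.append("patch action overdue")
        else:
            findings.append(f"patch action due by {deadline.isoformat()}")
    return findings


def report(inventory: List[TrackedSoftware], today: date) -> Dict[str, List[str]]:
    """Findings keyed by inventory entry name."""
    return {item.name: evaluate(item, today) for item in inventory}


# Constructed sample inventory (hypothetical products, not real systems)
SAMPLE_INVENTORY = [
    TrackedSoftware("hmi-app", "4.2", date(2017, 4, 20)),             # checked 26 days ago, nothing found
    TrackedSoftware("legacy-rtu-fw", "1.0", date(2017, 3, 1)),        # vendor rarely patches; check still required
    TrackedSoftware("historian", "9.1", date(2017, 5, 1),
                    patch_found_on=date(2017, 4, 1)),                 # patch identified, no action recorded
    TrackedSoftware("eap-firewall", "7.3", date(2017, 5, 1),
                    patch_found_on=date(2017, 5, 5),
                    mitigation_documented=True),                      # mitigation in force, patch pending
]
AUDIT_DATE = date(2017, 5, 16)   # assumed reference date

if __name__ == "__main__":
    for name, findings in report(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {findings or ['ok']}")
```

The `legacy-rtu-fw` entry illustrates Alrich's point: the vendor may never ship a patch, yet the 35-day check clock runs regardless, and the tracker flags it as overdue on the same footing as a product with a known outstanding patch.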
Another rule, CIP-007 R3, is an example of what the process should demand, Alrich said. "It sets an objective: stopping malware from penetrating a designated system," he said. "There may be a number of methods of doing that; the entity chooses the one that makes the most sense. The auditor's task, then, is to determine whether the entity's method was an effective one."
Audits are necessary, Alrich added.
RF agrees: "Although compliance alone does not guarantee secure operations, an entity's failure to maintain baseline CIP compliance may be indicative of an entity struggling to ensure the security of its system."