By Jeff Postelwait
Online Editor
A power interruption could happen as a result of a malicious attack, an act of cyber-terrorism or simply an innocent mistake. No matter what the cause, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards are part of an effort to reduce the chances of such events touching off a disaster.
The Federal Energy Regulatory Commission (FERC) granted NERC the authority to enforce reliability standards in July 2007. This summer, those audits will begin.
Utilities must be compliant with NERC CIP standards by July 1, 2009, or potentially face fines and penalties depending on their level of non-compliance.
Beau Woods, a security consultant for SecureWorks, an Atlanta, Ga.-based information security firm with clients in the power generation industry, said many levels of compliance exist with the standards. To find out where a utility stands, Woods said many utilities first must assess their assets.
"The basic first step is to put documentation together, assemble a list of assets that would have to be covered," Woods said. "Typically I'll go on site and take a look at the controls they have at their facility."
One guiding question Woods tries to answer for plant managers is which of the facility's equipment, if shut down could affect the bulk electric system.
Even assets that are not themselves considered critical become critical if they are connected to the function of a critical asset, he said.
"If you have a workstation that has another asset connected to it, they both have to be protected if they are critical – anything that could potentially touch that asset would have to be protected as though it were critical," he said.
Martin Travers, president of Black & Veatch's telecommunications division, said the audits will be a good way for utilities to find out where they are relative to NERC CIP compliance.
Depending on how stringent the audits are, Travers said the regulations are so new and complicated that few utilities will be found compliant with the standards.
"I think a good percentage of companies will find some areas within their organizations that are not compliant," he said. "It's unlikely anyone will come through unscathed."
NERC CIP 002-1, "Critical Cyber Asset Identification" defines a critical asset as anything that could impact the reliability of the delivery of bulk electricity if it were compromised, attacked or shut down. The regulation also specifies that critical assets identified through a risk-based assessment.
Beyond that standard, Woods said, what constitutes a critical asset has not been well defined.
"Obviously there are some that would clearly be critical and some that would not be critical, but the line has to be more defined."
Travers said he expects there to be some disagreement as to what a critical asset is once audits begin.
"The definitions are somewhat self-policed. The utility has to make the determination based on the guidelines that are established in the NERC guidelines," Travers said.
When it comes to complying with the CIP standards, some utilities and plants may have more work ahead of them than others. Nuclear facilities, for example, are already subject to rigorous safety and security standards, so entities in charge of nuclear plants may have an easier path to compliance than a utility with a large coal plant, Woods said.
"A lot of the coal plants haven't had to meet some of those same standards as nuclear, so the bar may be set a little bit higher on the nuclear facilities," Woods said.
NERC CIP standards 005-1 and 007-1, which deal with electronic security and systems security, may be among the more exacting standards for some plant owners to meet, Travers said.
"These deal with the technical aspects of the regulations, making sure there's testing that goes on in the implementation of any security updates," he said.
This testing can be done actively, in which a test is run against the system. A second method is through paper-based tests, in which control configurations are checked to make sure they are adequate.
"If you have a good security plan in place, it will also be a good compliance plan," he said.
Woods said most in the power generation industry will do everything possible to bring their facilities into compliance with the CIP standards. However some creative planning will be needed to do so.
"They'll do everything they can to comply, but it will take some long-term strategic thinking to comply," he said. "If you are out of compliance, you need to have a plan to get into compliance."
Woods said some flexibility is written into the standards for utilities that have a logistically or financially difficult compliance process ahead of them.
"If there isn't enough money, standards allow for budget revisions to be made for the future to put changes into production. If you're not compliant, that's OK as long as you have a plan to come into compliance some time in the future," Woods said.
When compliance audits begin, Woods said he doubts whether many entities will be able to get the official seal of approval, but he added that the regulations are a step in the right direction.
"Compliance can be expensive for both large utilities and small; even the big guys," he said. "While it's true they have more money, they also have more assets to secure."
In the future, how companies bring their plants into line with the standards and perhaps even the standards themselves will change as the audits are conducted.
"We are often fond of saying that security is a journey, not a destination, and that definitely applies to this," he said.