
By Jim White, Vice President, Uniloc
“Regulatory compliance.” These are two words that open ibuprofen bottles and drain coffee pots in IT departments around the country. With a seemingly endless supply of expert consultants and solutions on the market, many IT departments in the electric power generation industry have made significant inroads in the past few years toward becoming compliant, step by painstaking step, striking a balance between rigorous attention to regulatory chapter and verse and the need to support the critical projects and initiatives that keep a power plant operating.
Although it may be difficult to confront, the fact of the matter is that not all IT groups in the electric power generation industry are fully compliant with information-security regulations. The area of North American Electric Reliability Corp. (NERC) critical cyber-asset identification is one prominent example.
Recently, Michael Assante, NERC’s vice president and chief security officer, sent out a letter to power industry stakeholders raising the issue of somewhat widespread misidentification of qualifying assets. In a letter about the self-certification survey for NERC Reliability Standard CIP-002-1 for the period July 1 through Dec. 31, 2008, Assante wrote:
“The survey results, on their surface, raise concern about the identification of Critical Assets (CA) and the associated Critical Cyber Assets (CCA) which could be used to manipulate them. In this second survey, only 31 percent of separate (i.e. non-affiliated) entities responding to the survey reported they had at least one CA and 23 percent a CCA. These results are not altogether unexpected, because the majority of smaller entities registered with NERC do not own or operate assets that would be deemed to have the highest priority for cyber protection. … Closer analysis of the data however suggests that certain qualifying assets may not have been identified as ‘Critical.’ ... Although significant focus has been placed on the development of risk-based assessments, the ultimate outcome of those assessments must be a comprehensive list of all assets critical to the reliability of the bulk electric system.”
In any critical infrastructure sector, the very nature of self-certification means that it’s easy to evade the letter of the law, however unintentionally. The power generation sector is no different; even when a company is making progress toward compliance, human nature and the economic pressures of the times can lead overworked professionals to cut corners.
Subcertification Is Not Sufficient
These attempts to ease the process are, of course, not limited to organizations that operate within the energy sector but are common in every industry. Emerging practices among financial executives related to SOX regulations provide a recent example, as reported by Compliance Week:
“The Sarbanes-Oxley Act requires chief executive and financial officers to put their liberty on the line when they attest to their companies’ financial statements. The safest way to do that: back up those attestations all the way down the line … ‘Some CEOs and CFOs think that, as long as they have a stack of subcertifications, they can go ahead and sign their own certifications,’ says Stephen Poss, a lawyer with Goodwin Procter in Boston. ‘That’s not a recommended practice. CEOs and CFOs need to be active participants in the process. Subcertifications are not a substitute for diligence and knowledge.’”
Following publication of the NERC survey results, wherein more than a third of utility companies failed to classify even a single cyber asset as critical to the power grid, the Wall Street Journal published a story on how foreign states including China and Russia are actively studying and mapping out our national electric utilities for vulnerabilities in their cyber controls. This quickly led to a memo on April 9 by Congressman Edward Markey (D-Mass.) to the Federal Energy Regulatory Commission (FERC) calling for increased cyber controls in the utility sector.
Shortly thereafter, new legislation from the House of Representatives was proposed in the form of the Thompson-Lieberman bill, which calls for:
- The assessment and establishment by FERC of interim standards deemed necessary to protect against known cyber threats to critical electrical infrastructure
- New authority for FERC to issue “emergency rules or orders” to address cyber security threats once agency agreement on the threat has been established
- The Department of Homeland Security to investigate whether or not the security of federally owned utilities has already been compromised by outsiders.
Every sector within critical infrastructure will benefit from a more proactive and thorough approach to regulatory compliance, particularly if failure to take a more rigorous approach leads to more and more regulation.
Let’s say your organization is exemplary and that you’ve completed your regulatory compliance boot camp, trained your employees, documented your policies and procedures, implemented your processes and are now fully compliant. But being compliant is not the same thing as being secure. You may already know or have suspected this and yet this fact may not be top of mind as the demands of daily operations and meeting organizational goals leave your IT department stretched thin.
Today’s Threat Is Evolving
Being compliant in today’s threat environment simply isn’t enough to guarantee your organization is secure and maintaining continuous operations, or even its survival as a service provider. Industry regulations were never intended to be sufficient; they were designed to be used as frameworks within which IT groups could begin studying and outlining more rigorous security for their own particular environments.
Most challenging of all is the fact that cyber threats to the energy sector are growing, both in terms of the number of potential attackers and in scope. As NERC’s Michael Assante said in his letter to the power industry:
“But as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations … A number of system disturbances, including those referenced in NERC’s March 30 advisory on protection system single points of failure, have resulted from similar, non-cyber-related events in the past five years, clearly showing that this type of failure can significantly ‘affect the reliability (and) operability of the bulk electric system,’ sometimes over wide geographic areas.
“Taking this one step further, we, as an industry, must also consider the effect that the loss of that substation, or an attack resulting in the concurrent loss of multiple facilities, or its malicious operation, could have on the generation connected to it. One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance. The majority of reliability risks that challenge the bulk power system today result in probabilistic failures that can be studied and accounted for in planning and operating assumptions. For cyber security, we must recognize the potential for simultaneous loss of assets and common modal failure in scale in identifying what needs to be protected. This is why protection planning requires additional, new thinking on top of sound operating and planning analysis.”
As noted earlier, the power industry is in no way alone in needing to think more broadly about genuine security. As current events are illustrating all too clearly, true security is not a matter of simply passing the test and calling it a day: it is an ongoing process that must be monitored daily.
If regulatory compliance is not even roughly equivalent to real security, how can true information security be defined?
Wikipedia says, “Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction,” and goes on to say, “Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.”
This is a basic definition, of course. In reality, the definition should include your group’s evaluation of:
- The financial consequences to your organization after a successful cyber attack
- The effect on the municipality, community or industry you serve
- The resulting effect on your own career as an IT professional and on the careers of your co-workers.
David A. Chapin and Steven Akridge, in their article entitled “How Can Security Be Measured?”, suggest that “traditional security metrics are haphazard at best; at worst they give a false impression of security that leads to inefficient or unsafe implementation of security measures.”
In recent years large-scale power plants have witnessed significant capital investment in infrastructure, with financing based on 90 percent to 100 percent uptime. If your systems do go down and your plant’s operations are interrupted, consequences might include:
- Purchasing resources and commodities from other sources, at higher than market rates, to satisfy immediate demand
- Loss of production capacity that results in lost profit opportunities and higher costs of goods, capital and labor
- Customer-imposed penalties or loss of customers
- Political fallout.
The resulting fallout from one or more of the above can be detrimental to the long-term success of any organization. Within power generation, the fallout is amplified by the critical nature of the networks and grids at stake. In a cyber-attack scenario, the effect of downtime may go well beyond organizational issues, as public safety in surrounding communities can be affected immediately.
Security Models
Compliance is a state, a measurable result against a fixed requirement. Security is a process, evolving with the threat matrix and different for each enterprise based on risk.
By the very nature of standards, upon which compliance is based, the result has to be an average consensus of a particular state in time. Compliance leads organizations to accept a requirement based on the average risk analysis for an industry or segment. There is no expectation that these regulations or standards result in security, only that a minimum framework has been put in place. Unfortunately, some enterprises see compliance as a “get-out-of-jail-free card” to avoid a penalty or fine instead of a framework for developing an ongoing process to secure their operations against evolving cyber threats.
A risk-management model, as opposed to a compliance model, takes a much broader approach to security, aiming for robust business-continuity plans with meticulous, organization-wide incorporation of best practices in all processes.
The process of comprehensive network security requires the acceptance that it is part of the corporation’s fiduciary responsibility to both the communities it serves and its investors. Cyber security should be an integral part of a business continuity plan that is reviewed, updated, implemented and managed on an ongoing basis. It cannot and must not be an “end state.”
To achieve this level of security, the electric power sector must accept the challenge of adopting a “big picture” approach that addresses small checkpoints daily. This approach would have your IT and security groups commit to ongoing evaluation and adoption of best practices and best technologies for cyber security; continuous threat evaluation; daily practice of security, with rapid changes in practice in response to changes in the risk environment; and treatment of security as an integral part of the business, not a one-time project or exercise.
Author: Jim White is vice president of critical infrastructure security at Uniloc.