The new Version 5 of the Critical Infrastructure Protection Reliability Standards must be implemented by all hydroelectric project owners and operators. Depending on the classification of your systems, significant work may be needed.
By Andrew Dressel
Cyber attacks – especially as they pertain to such critical infrastructure as Bulk Electric System¹ (BES) Facilities, dams and water facilities – have been the subject of news headlines and Hollywood movies for some time now. Version 5 of the Critical Infrastructure Protection (CIP) Reliability Standards was approved by the Federal Energy Regulatory Commission (FERC) in November 2013 in an effort to reduce the likelihood of major cyber (and now physical) attacks on critical electric infrastructure and prevent the worst-case scenarios from becoming reality. The Version 5 standards are to be implemented in 2016 and 2017 and will have far-reaching implications across the utility industry – including all hydroelectric Generator Owners and Operators listed on the North American Electric Reliability Corporation (NERC) Compliance Registry – because before the enforcement dates every registered entity will have to install, or improve, electronic and physical security protections for its network-connected Facilities.
Background on CIP standards
Section 1211 of the Energy Policy Act of 2005 granted FERC the jurisdiction to certify an Electric Reliability Organization (ERO) that would create and enforce electric reliability standards for “users, owners and operators of the bulk-power system.” The act defined the term reliability standard as: “A requirement, approved by the Commission under this section, to provide for reliable operation of the bulk-power system. This term includes requirements for the operation of existing bulk-power facilities, including cybersecurity protection ….”
On April 4, 2006, NERC petitioned to become the ERO and submitted its first set of Reliability Standards, including the first cyber security standards, in separate filings to FERC. (This was not NERC’s first foray into cyber security. On Aug. 13, 2003, NERC – then an industry trade organization – issued Urgent Action 1200, which laid out the initial structure for the later CIP standards and “ensure(d) transmission reliability through protection from cyber attacks by requiring the identification and documentation by the critical cyber assets and certain measures to protect those assets from cyber intrusion.”) FERC certified NERC as the ERO on July 20, 2006.
After a FERC staff report raised concerns with several of the submitted standards, NERC submitted its first full set of CIP standards – Version 1 – on Aug. 28, 2006. In January 2008, FERC Order 706 approved Version 1 of the CIP standards, which addressed many cyber security topics:
– Critical Cyber Asset Identification (CIP-002)
– Security Management (CIP-003)
– Personnel and Training (CIP-004)
– Electronic Security Perimeters (CIP-005)
– Physical Security of Critical Cyber Assets (CIP-006)
– Systems Security Management (CIP-007)
– Incident Reporting and Response Planning (CIP-008)
– Recovery Plans for Critical Cyber Assets (CIP-009)
These standards became enforceable July 1, 2008. FERC did not, however, approve these standards without reservations. In Order 706, FERC raised numerous concerns regarding the completeness and effectiveness of the version and therefore issued numerous directives for NERC to address.
NERC chose to address the directives in a phased manner, first taking up those that required little substantive change and would meet little resistance from the ballot body, which is composed of industry participants. Consequently, the structure of the CIP standards remained largely intact with only minor substantive changes through Version 2 (approved Sept. 30, 2009, and implemented April 1, 2010) and Version 3 (approved March 31, 2010, and implemented Oct. 1, 2010) as NERC plucked the low-hanging fruit.
Under versions 1 through 3, the vast majority of responsible entities only had to develop and perform an annual risk-based assessment methodology under CIP-002 and appoint a CIP Senior Manager under CIP-003. Once those tasks were completed, most responsible entities were fully compliant with the CIP standards and were not required to implement any cyber security controls.
However, these earlier versions did not satisfy all of the concerns FERC voiced in Order 706, and FERC in its Sept. 30, 2009, order approving Version 2 directed NERC to submit a schedule to meet all of the Order 706 directives. That schedule was submitted as part of NERC’s Dec. 29, 2009, compliance filing that included Version 3 of the CIP standards. To ensure that NERC could meet all the directives within its self-imposed (and FERC-approved) timeline, NERC ran two standards development projects simultaneously, one that bolted on the new directives to the existing framework (Version 4) and one that restructured the CIP standards – Version 5. Version 4 was approved on April 19, 2012, before Version 5 was finished, but Version 4 will never be implemented by NERC because neither the industry nor regulators liked how Version 4 turned out.
CIP Version 5
On Nov. 22, 2013, FERC issued Order 791 approving Version 5 of the CIP standards. Version 5 represents the most significant change to the CIP standards since their creation. The eight CIP standards from the earlier versions (CIP-002 through CIP-009) were replaced with 10 (CIP-002 through CIP-011). These standards still have not reached a steady state: multiple revisions to the Version 5 standards to address the Order 791 directives are under development, and one new standard, CIP-014-1 – Physical Security, was recently submitted to FERC for approval.
Generally speaking, Version 5 mirrors the old structure – CIP-002 remains the gatekeeper standard, CIP-003 addresses security management controls, and so on – with two exceptions. CIP-010-1 (Configuration Change Management and Vulnerability Assessments) has been split out and expanded from its more limited role in CIP-007-3 and CIP-009-3, and CIP-011-1 (Information Protection) combines elements of the old CIP-003-3 and CIP-009-3 while adding new protections for BES Cyber System Information.
Once you look under the hood, however, you will see the changes are much more comprehensive. There are substantial changes to the terminology around the new CIP standards. The new standards use 19 new or revised definitions and eliminate two definitions (with several new definitions likely to be proposed as part of the next revisions submitted in response to Order 791). The biggest change in terminology is that there will no longer be Critical Assets or Critical Cyber Assets. Protection of BES Cyber Assets and BES Cyber Systems is now the focus of the CIP standards.
CIP-002-5 replaces the risk-based assessment methodology self-identification method with a “bright line criteria” that classifies the impact a BES Cyber System could have as High, Medium or Low Impact. All BES Facilities will be deemed to have at least a Low Impact and all registered entities will have some responsibility to achieve compliance with the new standards. The level of effort required to meet and remain compliant can be significant depending on prior experience with CIP and the designation of Facilities as High, Medium, or Low Impact.
Only the most impactful Facilities will have High Impact BES Cyber Systems. This category includes Reliability Coordinator Control Centers and large Balancing Authority, Transmission Operator, and Generator Operator Control Centers. High Impact BES Cyber Systems are subject to additional requirements as well as being held to more scrutiny by regional entities.
It is helpful to place your organization into one of the following categories of entities preparing for the imposition of CIP Version 5. Registered entities that:
1. Already have Critical Cyber Assets under CIP Version 3. These entities will almost certainly end up with High or Medium Impact Cyber Systems.
2. Have not declared Critical Cyber Assets under Version 3 but have discovered (or should have discovered by now) that they have Medium Impact BES Cyber Systems. These entities are in for a very heavy lift with a short runway.
3. Have Low Impact BES Cyber Systems. These entities will have additional distinct controls but not the full weight of all the regulations.
The first category should already be familiar with the majority of Version 5. However, there are several new or additional actions that these entities will need to take, including, but not limited to:
– Beef up their cyber security policy or policies for CIP-003;
– Ensure that their Electronic Security Perimeter (ESP) extends to the “high water mark” of their High and Medium Impact BES Cyber Systems;
– Monitor inbound and outbound traffic at each ESP access point for malicious communications;
– Utilize encryption, multi-factor authentication, and intermediate devices for Interactive Remote Access;
– Implement a robust patch management process for tracking, evaluating and installing security patches for applicable Cyber Assets;
– Create a baseline of all ports and services;
– Bolster their change management and vulnerability assessment processes; and
– Ensure all BES Cyber System Information is properly stored or disposed.
The second category, those with the “heavy lift,” are in the worst position. These entities have less than two years to develop and implement a fully functioning CIP compliance program. This means implementing numerous specific controls and procedures that require a significant change in work, procedures and culture.
The final category, those with only Low Impact BES Cyber Systems, have more time to do less work. There is only one requirement approved for Low Impact BES Cyber Systems: that entities have a cyber security policy or policies that address cyber security awareness (i.e., training), physical security controls, electronic access controls for external routable protocol connections and Dial-up Connectivity, and incident response to a Cyber Security Incident. However, in Order 791, FERC stated it was concerned with the “lack of objective criteria” for evaluating Low Impact protections and directed NERC to “require specific controls,” “develop objective criteria” or otherwise clarify what is expected for Low Impact BES Cyber Systems. The most recent revisions of this standard incorporate elements of CIP-004, CIP-005, CIP-006 and CIP-008, so the workload for Low Impact Facilities may increase substantially before the paint is dry on the Order 791 revisions.
Areas of concern
There are several areas of concern with Version 5, discussed below.
The biggest area of concern may be the “high water marking” used to determine the required extent of your ESPs. This concept seeks to ensure that every Cyber Asset sharing a routable network connection with High or Medium Impact BES Cyber Systems receives the same level of protection as the BES Cyber Assets in those systems. In practice, your ESP must enclose all Cyber Assets networked with the systems performing BES reliability operating services, so that there is a single logical boundary between all of them and outside networks. Cyber Assets that fall inside the ESP without themselves being part of a BES Cyber System will be known as Protected Cyber Assets and must be protected accordingly.
This concept of high water marking can become especially complex when assets are commingled with a neighboring entity or a separate function, such as water controls with power controls. While NERC has promised guidance on this topic, none has been issued. Due to the way CIP-005-5 and CIP-002-5 are written and, depending on how your neighbor defines its BES Cyber Systems and has configured its equipment, it is entirely possible your neighbor’s actions could put you into a messy situation. We advise our clients to investigate all potential high water marks regardless of their own High, Medium, or Low designation. There are ways of providing separation, but these situations need to be analyzed both by your entity and your neighbors.
Configuration change management and vulnerability assessments
There are significant new requirements for change management and vulnerability assessments under CIP-010-1. Applicable entities must develop a baseline for each applicable Cyber Asset that records the operating system or firmware, commercially available or open-source application software (and version), custom software, logical network accessible ports, and security patches applied. You must also authorize and document every change that deviates from that baseline, and update the baseline within 30 calendar days of completing the change. Before such a change is made, you are required to determine which CIP-005 and CIP-007 security controls could be affected by it; after the change, you must verify and document that those controls were not adversely affected.
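The baseline-and-deviation workflow just described is straightforward to automate, and automating it is what makes the 30-day update window and the “every change must be authorized” rule survivable at scale. The following added example (not code from the article or from NERC) builds the five CIP-010-1 R1.1 baseline elements from a raw inventory record, diffs an observed snapshot against the approved baseline, flags any change that has no authorization record, and performs the post-change check that nothing is listening outside the ports the CIP-007 policy permits. The hostname, software names, patch identifiers, port lists and the `change_records` format are all constructed for the illustration.

```python
"""Configuration baseline and deviation detection in the spirit of CIP-010-1 R1.

Added example, not code from the article or from NERC. All inventory data,
software names, patch identifiers and the change-record format are constructed.
"""
import hashlib
from dataclasses import dataclass

ELEMENTS = ("commercial_software", "custom_software", "open_ports", "security_patches")


@dataclass(frozen=True)
class Baseline:
    """The five baseline elements CIP-010-1 R1.1 asks for, per Cyber Asset."""
    os_or_firmware: str
    commercial_software: frozenset   # "name version"
    custom_software: frozenset       # SHA-256 of each deployed custom binary/script
    open_ports: frozenset            # "proto/port" that is network accessible
    security_patches: frozenset      # applied patch identifiers


def build_baseline(inventory: dict) -> Baseline:
    """Build a baseline from a raw inventory record (constructed format).
    Custom software is recorded by digest rather than filename, so a rebuilt
    binary that keeps its old name still registers as a change."""
    return Baseline(
        os_or_firmware=inventory["os"],
        commercial_software=frozenset(f"{n} {v}" for n, v in inventory["software"].items()),
        custom_software=frozenset(hashlib.sha256(c).hexdigest() for c in inventory["custom"]),
        open_ports=frozenset(inventory["ports"]),
        security_patches=frozenset(inventory["patches"]),
    )


def diff_baselines(old: Baseline, new: Baseline) -> dict:
    """Per-element added/removed deltas; an empty dict means no deviation."""
    delta = {}
    if old.os_or_firmware != new.os_or_firmware:
        delta["os_or_firmware"] = {"from": old.os_or_firmware, "to": new.os_or_firmware}
    for name in ELEMENTS:
        before, after = getattr(old, name), getattr(new, name)
        if before != after:
            delta[name] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return delta


def unauthorized_changes(delta: dict, change_records: list) -> list:
    """Every observed element change with no matching authorization record (R1.2).
    change_records is a constructed list of dicts: {"element", "added", "removed"}."""
    authorized = {(rec["element"], kind, item)
                  for rec in change_records
                  for kind in ("added", "removed")
                  for item in rec.get(kind, [])}
    observed = set()
    for element, change in delta.items():
        if element == "os_or_firmware":
            observed.add((element, "to", change["to"]))
        else:
            for kind in ("added", "removed"):
                observed.update((element, kind, item) for item in change[kind])
    return sorted(observed - authorized)


def ports_outside_policy(baseline: Baseline, permitted_ports: frozenset) -> list:
    """Post-change verification (R1.4): the CIP-007 ports-and-services control
    must still hold, i.e. nothing listens that the policy does not permit."""
    return sorted(baseline.open_ports - permitted_ports)


# Constructed before/after inventory snapshots for one hypothetical HMI host.
CUSTOM_SCRIPT = b"#!/usr/bin/env python\nprint('unit telemetry forwarder v1')\n"
APPROVED = {
    "os": "Windows Server 2008 R2 SP1",
    "software": {"scada-hmi": "7.2.1", "openssl": "1.0.1e"},
    "custom": [CUSTOM_SCRIPT],
    "ports": ["tcp/443", "tcp/3389"],
    "patches": ["patch-2014-07"],
}
OBSERVED = {
    "os": "Windows Server 2008 R2 SP1",
    "software": {"scada-hmi": "7.2.1", "openssl": "1.0.1e"},
    "custom": [CUSTOM_SCRIPT],
    "ports": ["tcp/443", "tcp/3389", "tcp/23"],      # telnet appeared, nobody approved it
    "patches": ["patch-2014-07", "patch-2014-09"],   # this patch went through change control
}
CHANGE_RECORDS = [{"element": "security_patches", "added": ["patch-2014-09"], "removed": []}]
PERMITTED_PORTS = frozenset({"tcp/443", "tcp/3389"})


def review(approved=APPROVED, observed=OBSERVED, records=CHANGE_RECORDS, permitted=PERMITTED_PORTS):
    """Return (unauthorized deviations, ports violating the CIP-007 policy)."""
    old, new = build_baseline(approved), build_baseline(observed)
    return unauthorized_changes(diff_baselines(old, new), records), ports_outside_policy(new, permitted)


if __name__ == "__main__":
    deviations, bad_ports = review()
    print("unauthorized changes:", deviations)
    print("ports outside policy:", bad_ports)
```

Run against the constructed snapshots, the authorized patch is accepted silently while the new telnet listener is reported twice: once as an unauthorized baseline deviation and once as a failure of the post-change ports-and-services check. Recording custom software by digest is the one deliberate design choice here; a baseline that lists filenames will not catch a binary being swapped in place.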
Entities are also required to conduct a paper or active vulnerability assessment at least once every 15 calendar months. While vulnerability assessments were required under the old CIP-007-3, the new standard raises the bar for High Impact BES Cyber Systems, which must additionally undergo an active vulnerability assessment at least once every 36 calendar months.
If you haven’t begun your preparation for CIP Version 5, start now. Begin by categorizing your BES Cyber Systems in accordance with CIP-002-5 to gain an idea of how much work needs to be done. The April 1, 2016, implementation date (for Medium and High Impact BES Cyber Systems) does not provide a lot of time to prepare for compliance, especially if you are in a “heavy lift” situation. Also, you may have to perform an inventory of all Low Impact BES Cyber Systems or assets, just to make sure each asset is not part of a Medium or High Impact BES Cyber System’s high water mark.
There are lots of resources available, and you should take advantage of them:
– Attend informational sessions, webinars and outreach events by NERC, the Regional Entities and consultants.
– Reach out to colleagues and neighboring utilities to develop best practices.
– Become familiar with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the U.S. Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2).
– Contact the Department of Homeland Security. DHS formed the Critical Infrastructure Cyber Community (C3) program “to encourage use of the [NIST] Framework to strengthen critical infrastructure cybersecurity.” This program will provide training and assistance for government-owned entities at all levels.
– Hire a consultant with CIP experience. CIP compliance requires a blend of information technology, operations and regulatory expertise. Even if you have the required expertise on staff, they may not be able to get your program ready on time.
¹ Use of capitalization indicates a defined term from the NERC Glossary of Terms Used in Reliability Standards or Appendix 2 to the NERC Rules of Procedure: Definitions Used in the Rules of Procedure.
Andy Dressel is director of regulatory services and legal counsel with Grid Subject Matter Experts, a firm that provides support and training with North American Electric Reliability Corporation compliance.