By Kathleen Davis, Senior Editor
The North American Electric Reliability Corp.’s (NERC) critical infrastructure protection (CIP) standards deadline is on the horizon. On July 1, all U.S. utilities must be compliant with CIP standards 002-009. To find out what that means for utilities, we went straight to the source—NERC.
In late May, Utility Automation & Engineering T&D spoke with Michael Assante, vice president and chief security officer for NERC, and the one-man connection for all things CIP. He talked about visions, standards, deadlines and enforcement.
UAE: NERC’s mission is to ensure the reliability of the bulk power system in North America. How do you envision the NERC CIP standards advancing that mission?
Assante: Cybersecurity and critical infrastructure protection are key components of reliability, just like vegetation management and communications between system control centers. The standards are designed to lay a sound foundation of security practices that, if properly implemented, will develop the capabilities needed to secure critical infrastructure from cybersecurity threats.
UAE: Utilities must be compliant with CIP standards 002-009 by July 1. What happens on that day?
Assante: On July 1, scheduled audits for compliance with an initial set of 13 requirements in the CIP standards will begin for certain registered users, owners and operators of the bulk power system.
UAE: What teeth do you have at your disposal to use against the noncompliant?
Assante: In the United States, NERC has the authority to fine entities found in violation of our standards up to $1 million per day per violation.
UAE: Compliance is required by July 1, but utilities have until summer 2010—another full year—to be “auditably compliant.” Can you explain the difference between “compliant” and “auditably compliant”?
Assante: The CIP standards are accompanied by a phased-in implementation plan, designed to give asset owners and operators enough time to become compliant with the standards before they become enforceable. “Compliant” means that the entities are required to comply with the standards and “self-certify” their compliance. “Auditably compliant” means that regular, scheduled audits of compliance with the standards will be conducted. As a point of clarification, certain entities must be “auditably” compliant with the first 13 requirements specified in the implementation plan by July 1, 2009. Deadlines for additional entities and requirements will occur over the next 18 months.
UAE: Looking specifically at T&D, what would you say are the major three objectives of the NERC CIP standards?
Assante: NERC’s standards have a single objective—to ensure the reliability of the bulk power system in North America. It’s important to note that NERC standards only cover the “T” component of T&D and do not cover distribution-level assets.
UAE: What suggestion do you have for any utility that is aware—maybe more than aware, maybe worried—it will not be compliant by the deadline?
Assante: NERC’s compliance process allows entities to self-report violations of the standards. This proactive willingness to address reliability issues will be taken into account in NERC’s compliance and enforcement proceedings.
UAE: Looking at some worst case scenarios, what would happen if the utility chooses not to pay fines? Is there a next step in the noncompliance process?
Assante: In the United States, fines assessed by NERC are mandatory and carry the force of federal law. NERC has a detailed appeals process, whereby an entity can appeal an enforcement decision, but once penalties are assessed, they are required.
UAE: Is it possible, given the layout of your compliance process, that it may be cheaper for a utility to simply remain noncompliant, that some utilities will choose to pay fines rather than follow the required guidelines?
Assante: No. With the ability to assess fines up to $1 million per day per violation, we believe we have sufficient authority to ensure registered users, owners and operators of the bulk power system follow NERC standards. Entities found in repeated noncompliance with the standards will be subject to more stringent penalties.
UAE: How do you respond to critics who complain that the CIP standards don’t go far enough, that they are lightweight? One blogger stated in fact that CIP “needs a protein shake.”
Assante: NERC and the electric industry recognize the CIP standards can be improved and are working to do so. In fact, the first phase of revisions to the standards was just approved by NERC’s board of trustees on May 6, 2009. We look forward to completing work on the more substantial phase two revisions in 2010.
UAE: After these eight CIP standards are put to bed and checked on regularly, what area will NERC focus on next?
Assante: Critical infrastructure protection and cybersecurity are long-term issues for NERC and the electric industry. We plan to continue our focus on this area. NERC also has a number of other efforts underway—including work on the integration of variable resources like wind and solar into the power system, possible power system impacts of solar storms, and deployment of “smart grid” devices like synchro-phasors on the transmission system. We also have a significant effort underway to improve the performance of system protection systems.
UAE: IEC 61850 is all the rage in Europe and the Middle East and is gaining a toehold here in the United States and Canada, with the prediction that its popularity will continue to blossom. Are the NERC CIP standards and IEC 61850 fully compatible? Are there any problem areas?
Assante: All registered users, owners and operators of the bulk power system must comply with NERC standards, regardless of the technology or structure used. We would expect that compliance with NERC standards would be a design requirement for any new technology deployment.
UAE: At press time, there will be only a few weeks between this issue landing in mailboxes and inboxes and the deadline for the CIP standard compliance. Is there any last-minute advice you’d give our readers—many of whom are T&D project managers, transmission managers and substation engineers—about the CIP standards?
Assante: Cybersecurity is fundamentally different from other reliability concerns. I strongly encourage entities to bear that in mind and thoroughly consider the implications this may have for their traditional way of doing business. The power system, like any other infrastructure that relies upon information technology, is vulnerable. No doubt about it. The good thing is that we’re seeing the industry taking steps in the right direction to improve preparedness and response to potential cyberthreats.
Relative to the standards, as I said in a letter to the industry dated in April, asset owners and operators should take a fresh, comprehensive look at their risk-based methodology with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors. Protection planning requires additional, new thinking on top of sound operating and planning analysis.
Michael J. Assante is vice president and chief security officer of the North American Electric Reliability Corp. In this position, Assante has formally established critical infrastructure protection as one of NERC’s program functions and serves as the single point of contact for the industry, NERC’s Electric Sector Steering Group, and government stakeholders seeking to communicate with NERC on cybersecurity and infrastructure security matters.
Prior to joining NERC in September 2008, Assante held a strategic leadership position at the Department of Energy’s Idaho National Labs. Prior to this role, Assante was a vice president and chief security officer at American Electric Power, one of the largest generators of electric power in the U.S. Assante served as a sitting member of the Commission on Cyber Security for the 44th Presidency of the United States.
CIP-002: Critical Cyberasset Identification
Standard CIP-002 requires the identification and documentation of the critical cyberassets associated with the reliable operation of the bulk electric system.
CIP-003: Security Management Controls
Standard CIP-003 requires that responsible entities have minimum security management controls in place to protect critical cyberassets.
CIP-004: Personnel and Training
Standard CIP-004-2 requires that personnel having authorized cyber or authorized unescorted physical access to critical cyberassets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training and security awareness.
CIP-005: Electronic Security Perimeters
Standard CIP-005 requires the identification and protection of the electronic security perimeter(s) inside which all critical cyberassets reside, as well as all access points on the perimeter.
CIP-006: Physical Security of Critical Cyberassets
Standard CIP-006 is intended to ensure the implementation of a physical security program for the protection of critical cyberassets.
CIP-007: Systems Security Management
Standard CIP-007 requires responsible entities to define methods, processes and procedures for securing those systems determined to be critical cyberassets, as well as the noncritical cyberassets within the electronic security perimeter(s).
CIP-008: Incident Reporting and Response Planning
Standard CIP-008 ensures the identification, classification, response, and reporting of cybersecurity incidents related to critical cyberassets.
CIP-009: Recovery Plans for Critical Cyberassets
Standard CIP-009 ensures that recovery plan(s) are put in place for critical cyberassets and that these plans follow established business continuity and disaster recovery techniques and practices.
Final note from NERC: Responsible entities should apply standards CIP-002 through CIP-009 using reasonable business judgment.