Speculations and investigations related to national security have identified a growing concern: the potential exploitation of weaknesses in national infrastructure. An intrusion may be a highly unlikely one (as Nassim Nicholas Taleb may categorize them, a “Black Swan” event), and the event may be either force majeure or operationalized mal-intent of national enemies using cyber weaponry; nonetheless, as the nation becomes more dependent on highly technical and complex systems, disturbance to cyber systems can cause dramatic consequences for national and global security and prosperity.
These concerns have quickly given rise to a series of efforts by the government and private sector to invest in “cybersecurity” measures to protect the country’s “critical infrastructure” from uncertainty. Sometimes we forget that the nation’s supply of electricity is delivered on “critical infrastructure” (in fact, we can’t really think of anything MORE critical than adequate supplies of energy!).
In an effort to recognize the threat that exists to the national bulk electric system, the North American Electric Reliability Corporation (NERC) began developing Critical Infrastructure Protection (CIP) standards in 2006 to promote security of the nation’s electricity grid. NERC, a private non-profit corporation charged with ensuring reliability of the nation’s electricity grid, developed these mandatory and enforceable CIP standards to strengthen the electric system from both human and natural interruptions to the nation’s electricity.
Due to experiential developments and the constantly changing nature of the provision of electricity to the country’s nearly 146 million customers, NERC developers are continuously assessing and improving reliability standards. The CIP family of standards begets no exception.
In Order 761 issued on April 19, 2012, CIP Version 4 Standards were approved by the Federal Energy Regulatory Commission (FERC) to identify and protect “Critical Cyber Assets” for support of the reliable operation of the Bulk Power System and to introduce “bright line criteria” for the identification of said “Cyber Assets.” CIP Version 4 was assigned an effective date of April 1, 2014, and preparation for compliance with these standards began at utilities across the nation.
However, on January 31, 2013, just shy of three months before the implementation of Version 4, NERC filed a proposal for approval of CIP Version 5 to address serious concerns in its previous filing. In its filing to the FERC, NERC quoted an analogy offered by former Defense Secretary Leon Panetta when he said that the nation is facing the possibility of a “cyber-Pearl Harbor” and is “increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid….”
The Version 5 changes include some potentially dramatic adjustments. For example, Version 5 included a NIST-based approach to categorize systems and a default designation of at least “Low impact” for ALL Cyber Assets. This designation gives rise to new, minimum responsibilities for all energy companies that have control over ANY Cyber Asset. Also, Version 5 moves NERC standards enforcement to a “risk-based model,” assessing penalties only for actions that affect the security and reliability of the Bulk Power System.
The FERC conditionally approved Version 5 on November 22, 2013, recognizing Version 5 as “an improvement over the current Commission-approved CIP Reliability Standards[,]” and that “[t]he CIP version 5 Standards adopt new cyber security controls and extend the scope of the systems that are protected by the CIP Reliability Standards.” (If you have the patience to read the order, you’ll notice the FERC directives buried inside). To obtain full approval, FERC ordered NERC to revise the language that required entities to “identify, assess, and correct” certain deficiencies, to secure the “risk-based assessment model” promised by NERC in its filing. Many applicable entities commented that the language “identify, assess, and correct” might create responsibilities and oversight not envisioned by the “risk-based” model. This language was in 17 of the CIP requirements.
FERC announced that CIP Version 5 would become effective on the first day of the eighth calendar quarter after a final rule is issued, thereby making Version 4 void and unenforceable.
Despite the potentially complicated transition from Version 4 compliance to Version 5 compliance, NERC promises to make every effort to ease the burdens of change. NERC’s CIP Version 5 is a product of experience and sophistication of NERC in the area of cybersecurity protections and represents a unified effort to reduce threats to national infrastructure and security.