Friday, April 7, 2017

5 Things About the Electric Industry

Amy Thomas, Government Relations Director, American Public Power Association blogged "Five Things You May Not Know about Cybersecurity in Electricity" back on February 24th.


The public may not know these things about the Electric Utility Industry, but insiders do and it's not ALL puppies and sunshine:
1. The electric utility sector is the only critical infrastructure sector (besides nuclear power plants, which are a part of the overall sector) that has mandatory and enforceable standards in place for cybersecurity.
{emphasis in original}

That's certainly interesting. It sort of begs for a couple of questions to be asked. Why don't the other critical infrastructures have mandatory standards? Also, is the Electric sector now generally acknowledged to be more secure than these other sectors? (Not risk, but result.) If so, is this increased reliability directly attributable to these mandatory standards?
2. The regularly updated, highly technical cybersecurity standards that govern electric utilities are drafted by the North American Energy Reliability Corporation, approved by the Federal Energy Regulatory Commission, and enforced by fines of up to $1 million per day per infraction.
It's true the standards have been updated several times. Version 3 was in place from 2010 to 2016. I'm not sure that this meets a practical definition of “regular updates” given the pace of change in information technology.

3. The process for crafting cybersecurity standards for utilities has provided, and continues to provide, a solid foundation for strengthening the industry’s security posture and allowed standards to evolve with constantly changing threats.

Lest we forget, these standards are reliability standards. Cybersecurity (protection from attack) is an aspect of reliability. It's good that the process exists to update these standards, however slow and cumbersome it may be.

4. Standards alone are not enough to protect the grid. That’s why the American Public Power Association and our member utilities have worked to develop close partnerships with others in the industry and the federal government. We share threat information to prepare for and respond to cyber attacks.

Amen, preach it! Standards rely upon voluntary compliance (even in mandatory schemes, you can't possibly enforce everything without a great deal of goodwill and honest effort from the participants in the system). Too, standards are always compromised by conflicting interests. They must be a low bar to be universally applicable, and must be universal to be legal (but your specific circumstances or mine may really need more than just a minimal approach).

5. The Association recently signed a three-year cooperative agreement with the Department of Energy for up to $7.5 million to help public power utilities better understand and implement cybersecurity protections, resiliency, and advanced control concepts.

Training is always a good idea. Even better is cross-training. The electric utility industry seems to have a “not-invented-here” mindset that dismisses lessons and parallels from outside of the niche industry. We also have a reluctance to modify the approach to cyber-physical “operations technology”. Vendors have slipped behind in providing security controls for these types of devices, and the time-sensitive nature of some functions makes it problematic to add more devices in front of them.

To address the not-invented-here problem, NERC can work to incorporate NIST's work and that of other standards bodies into the standards drafting process. As the only mandatory, enforceable regulatory scheme in the Critical Sectors, it's tough to proceed without sometimes nailing down precise definitions and meanings, because lawsuits and immense fines may hinge upon a misplaced comma or an incautious throw-away phrase. However, “inside baseball” jargon should be avoided whenever possible. NERC needs to avoid adding terms to the NERC glossary which don't match commonly-understood usage in other IT security contexts. An IT Security professional who comes from outside the electric utility industry should be able to understand and apply CIP standards without an historical dissertation for context, or learning a new language of tortured and twisted definitions.

I like that "resilience" (corrected for the terrible sin against grammar) is mentioned in the article, but oddly enough this term, which is ubiquitous in disaster and business continuity planning disciplines across the world, doesn't feature in NERC CIP standards. FERC's approach to risk management doesn't really address that, at least not in NERC CIP Cybersecurity standards. 

Indeed, as I've had pointed out to me multiple times by NERC staff, FERC's position is that acceptance of risk is not allowable at the entity level (FERC Order 706, Section 139, Para. 154). However, an integral part of widely accepted resilience strategies is to acknowledge residual risks and plan for their possible occurrence with graceful failure modes and scope limitations as a risk mitigation tactic. It doesn't seem practical to get the ERO or Regional Entities to approve residual risk; there's no incentive for them to do so. They bear none of the costs of compliance and (impossible to achieve) risk elimination, but could be (almost certainly would be) blamed for a security breach that appears to be related to an explicitly accepted risk.

Things that make you go "Hmmm... "
