William T. (Tim) Shaw
PhD, CISSP / CIEH / CPT

In 2003 when NERC took its initial steps towards securing the electric grid against a terrorist (possibly cyber) attack the focus of that effort was aimed at protecting the SCADA/EMS systems that monitor and control the grid and the individual regions and service areas of the large electric generating utilities. The standard did not specifically say that, but you could read between the lines of the requirements and come away with that interpretation. The standard merely said to identify and protect the critical cyber assets, whatever you believed them to be. There were no criteria specified to aid in making the determination of what qualified as a critical cyber asset (CCA) and so many (most?) utilities figured that it had to be the systems that monitored and controlled the grid – their SCADA/ EMS systems. The requirement asked for entities to define and establish both a physical and electronic security perimeter around those assets. That was a reasonable request if again you interpreted the requirements as being your SCADA/EMS system. It was probably located in a single facility (possibly with a backup facility located elsewhere) where you could reasonably provide physical security protections. And it was probably also reasonably straight forward to put cyber security protections in place on any external connectivity with corporate systems, regional authorities and adjacent grid entities. But because of the lack of specific definitions of ‘critical cyber assets,’ or criteria for determining what qualified as one, most utilities elected a ‘wait and see’ attitude.

A year later NERC issued an update called Standard 1300 – Cyber Security, which was intended to add clarity to the cyber and physical security requirements previously called for in Standard 1200. In that new document it clearly stated that a critical cyber asset was one that ‘performed critical bulk electric system functions such as telemetry, monitoring and control, AGC, load shedding, black start, real-time power system modeling, special protection systems, power plant control, substation automation control, and real-time interutility data exchange…’ That clearly upped the ante on the electric utilities. Now clearly the scope of the standard had been extended well beyond merely protecting the SCADA/EMS systems (although most of those criteria just listed refer to such systems). Based on this more specific set of criteria a utility might also have to look at the digital systems and devices used in its generating facilities as well as in their transmission and grid intertie facilities – a much bigger nut to crack! But like all good corporations the electric utilities had a choice to make. They could turn to their IT and engineering departments and figure out how to do what NERC wanted or turn to their legal departments and start a delaying action that could postpone the cost and manpower required for implementation for an extended period of time. I don’t think I need to tell you what most of them choose. Back in that timeframe I was working as a consultant to several utilities and most had just one question for me: what is the minimum we can do to look like we are complying so that we don’t get hit with a fine?

If you were on the front lines back then you know that there was a massive barrage of questions, complaints, requests for interpretations and for exceptions launched at NERC by the electric utilities. It became clear that the 1300 standard was being misinterpreted (possibly intentionally) by electric utilities who were trying to minimize the number of CCAs and facilities they had to deal with under the revised standard. NERC took all of this feedback and in 2006 they replaced the single 1300 standard with the eight individual CIP standards (CIP-002-1 through CIP-009-1), partially so that some portions of the requirements could be isolated from the on-going battle of words, much of which continued to focus on how to interpret the definition of CCAs so as to minimize the number of CCAs. Over the next few years, right up to the recent introduction of revision 5, the folks at NERC and the utilities have continued to argue over how to parse and interpret the meanings and intentions of the words in the CIPs in order to find (if you are a utility) or close (if you are NERC) the potential loopholes. There are actually people who have blogs dedicated to the rehashing and reinterpretation of the wording of the CIP standards. I participate in several LinkedIn® on-line chat groups and the run up to the release of the latest CIP revisions caused almost as much email and message traffic as has the reaction to and dissection of the actual revised standards. In a prior revision the standards introduced the idea of a using a given power level as a means for diving CCAs into different groupings (If the loss of a facility/CCA could impact the bulk power grid by greater than X MWs then it was a more important facility/CCA.) Rather than this aiding utilities in making a determination of what was/ wasn’t a CCA numerous utilities took this as a challenge and began trying to treat their individual units in a multi-unit generating plant as being separate, in order to fall under that power level.

Now I am all for fighting against unreasonable and useless regulations, and I respect every corporation’s right to improve their profitability by eliminating unnecessary costs. But I can’t imagine that any electric utility would actually be willing to risk being hit by a cyber attack that could cause outages, cause harm to the public, the environment or that would cause harm to their own facilities and infrastructure. So the question that arises is – do electric utilities believe that a cyber (or physical) terrorist attack on their digital systems and networks can’t happen, or that it is so unlikely to happen as to be beneath consideration? Or is it that they believe themselves to already be adequately protected against any realistic form of cyber attack? (This latter position would imply that they feel the CIPs to be excessive and [well?] beyond what is reasonable for adequate cyber/physical protection.) Electric utilities have always had to deal with reliability and availability and they have programs and procedures in place to get the power back on when bad things happen. Possibly they believe that this existing ability would be adequate to keep a cyber attack, were a successful one to actually occur, from having wide-spread, and disastrous consequences. Could a cyber attack really be any worse than a hurricane? And to date there have not been any publicized successful cyber attacks on U.S. electric grid CCAs, but lots of hurricanes, so which is really more of a threat? (Yes, I did place a couple of important intentional qualifiers in that last sentence.)

One factor that I have experienced almost universally when I discuss cyber threats and attacks with utility personnel is that they don’t really comprehend the range of potential consequences of a well-executed cyber attack. Invariably I hear them discuss the failure of systems as a result of a cyber attack (but not compromise). Utility personnel responsible for grid reliability have decades of experience and data that help them guestimate the likelihood of a major component undergoing a failure. They can tell you how many operations a circuit breaker can handle prior to failure, and even how weather can impact that figure. They can tell you how much power their conductors can handle and the maximum wind shear a transmission tower can handle. But they actually have no experience with or, in most cases, an understanding of the consequences of a cyber attack.

I like to explain cyber attack consequences to a computer-based control/ automation system as being like having an invisible, smart, homicidal maniac in the control room of an EMS/SCADA system or a generating plant, watching as operators use their graphic displays to issue control actions, and then reaching over their shoulders and pressing the buttons on the display screens to see what they can make happen. The last thing they would want is for the system to fail and end their fun. But utility personnel argue that their critical systems are isolated, or based on obsolete technologies, or adequately protected by the corporate IT folks, and thus the maniac (or malicious hacker) could never get to these systems and take such actions. Well, both I and NERC hope that is true. Point in fact, that is what the CIPs are trying to ensure. Unfortunately in all the arguments over the meaning of the word ‘facility’ the objective of keeping important systems adequately safe from cyber attack, seems to have been lost. (Of course utilities and NERC still don’t see eye to eye on the definition of the term ‘adequate’.)

There was a cigarette commercial on TV (remember those?) many years ago where actors playing dedicated smokers exclaimed that ‘they would rather fight than switch.’ As long as electric utilities feel that that the NERC CIP requirements are excessive and unrealistic I expect many will continue to argue and delay rather than comply. Of course if a major cyber incident that impacts the grid actually occurs (especially at a utility that has been fighting the CIP standards) that could change everything. But that will have to be the subject matter for a future column.

About the Author

Dr. Shaw is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (C|EH) a Certified Penetration Tester (CPT) and has been active in designing and installing industrial automation for more than 35 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems and co-author of the latest revision of Industrial Data Communications. Shaw is a prolific writer of papers and articles on a wide range of technical topics and has also contributed to several other books. Shaw has also developed, and is also an instructor for, a number of ISA courses and he also teaches on-line courses for the University of Kansas continuing education program. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation cyber security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net.