Electric Energy T&D - EEMag March / April 2008 - Index

The goals of a prudent control system cyber security program should be to help make the utility/entity more secure, maintain and, when possible, improve system reliability and availability, and meet regulatory requirements. In the past, these requirements have been met by prudent engineering design considering all appropriate system challenges (this includes the N-1 criteria and appropriate redundancy), appropriate testing, appropriate policies and procedures, appropriate training, etc. However, cyber threats provide new challenges that I believe require a different approach than that being addressed by the NERC Critical Infrastructure Protection (CIP) cyber security standards [1]. This paper will identify several key areas that are often overlooked or not properly addressed that utilities, regulators, insurance companies, and others can use for assessing if utility cyber security programs are adequate to secure electric utility assets from intentional or unintentional cyber threats. These areas have either potentially affected, or actually caused, control system cyber security incidents. Consequently, adequately addressing each of these areas is critical to securing electric industry operational assets.

Background

There are a number of organizations and standards for establishing a cyber security program. These include the NIST Federal Information Security Management Act (FISMA) [2] and associated controls document – NIST Special Publication (SP) 800-53A [3] and ISO 17799 [4] and 7001 [5]. These documents do not provide exclusions for assets such as telecom.

The NERC CIPs have now been ratified by FERC (with modifications). So why is there a question of prudency? Unlike IT standards, the NERC CIPs include specific exclusions (distribution, non-routable protocols, telecom, and nuclear plants). The NERC CIPs also specify the use of a risk assessment methodology to determine critical assets and critical cyber assets, but provide no details. These explicit and ill-defined requirements have enabled utilities to minimize the number of assets to address; in some cases ZERO critical cyber assets. IT assets governed by SP800-53 or ISO- 7001 are actually more secure than our most critical operational assets such as substations and power plants. How can that be? Consequently, this paper addresses key areas that may be overlooked in establishing and/or maintaining a prudent cyber security program. Many of these issues were identified in the FERC Technical Staff Assessment of the NERC CIPs [6] and the FERC Notice of Proposed Rulemaking (NOPR) RM06- [7].

[1] NERC Cyber Security Standards, http://www.nerc.com/~filez/StandardsStandards/Cyber-Security-Permanent.html
[2] http://csrc.nist.gov/groups/SMA/fisma/index.html
[3] NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems Building Effective Security Assessment Plans, December 007, http://csrc.nist.gov/publications/drafts/800-53A/draft-SP800-53A-fpd-sz.pdf
[4] http://17799.denialinfo.com/
[5] http://www. 7001-online.com/
[6] Federal Energy Regulatory Commission Staff Preliminary Assessment of the North American Electric Reliability Corporation’s Proposed Mandatory Reliability Standards on Critical Infrastructure Protection, December 11, 006 RM06- -000.

Key Issues for Implementing a Prudent Control System Cyber Security Program
By Joe Weiss, PE, CISM, Applied Control Solutions, LLC

There are two caveats that should be noted. First, there are no metrics for performing a control system cyber security audit. The Industrial Control System version of NIST SP800-53 [8] provides arguably the best metrics. Secondly, many control systems have no logging for control system cyber security. Consequently, it may not be possible to identify control system cyber incidents or their causes.

Based on experience and actual control system cyber security incidents, a prudent control system cyber security program should include the following:

Control System-Specific Cyber Security Policies and Procedures
The biggest payback in electric utility (and other industry) control system security programs is implementing comprehensive control system cyber security policies and procedures. In order to make sure they are taken seriously, adherence to these policies and procedures should be one of the performance goals of senior management (per the NERC CIPs). Almost all utilities have cyber security policies, but many are based on traditional IT policies and technologies. This can be a problem for the control system environment. While some components of an IT security program can be applied to control systems, many of these policies are not relevant to the real-time control system environment and are inappropriate when addressing legacy field devices. For example, there have been numerous cases where inappropriately applying traditional IT security technologies such as certificates, block encryption, or even anti-virus has impacted or completely obstructed control system operation.

[7] Federal Energy Regulatory Commission Docket RM06- , http://www.ferc.gov/docs-filing/elibrary.asp
[8] Recommended Security Controls for Federal Information Systems, NIST Special Publication 800-53 Revision , December 007, http://csrc.nist.gov/publications/nistpubs/800-53-Rev /sp800-53-rev -final.pdf