PCS BLOG

Hurricane Harvey has revealed many things, not the least of which is the good that exists in humanity to rally to the aid of those impacted. Another item it has reminded us of is the impact of natural disasters on control centers. We wrote about flooding of the Oroville Dam previously and discussed the benefit of having geographically diverse BES Cyber Systems and control centers. However, most companies are not able to have their own geographically dispersed control centers because their territory is too small.

One possible solution is a reciprocal agreement with another company. You could make an agreement with a company whose control center is far enough away from yours that, if there is a disaster, you can use their control center or backup control center, and you agree to let them use yours if they experience a disaster. This solution is not simple, however. It requires setup and coordination, such as installing and maintaining your own servers at their site or loading your operational control screens on their servers. It requires maintaining physical and electronic access lists. Also, reciprocal agreements are not required by NERC Standards. It's just an idea of something your company could explore in light of recent events.

Another idea is making sure technicians and operators who are needed during a disaster are able and willing to arrive at work. For the "able" aspect, an example would be: if the disaster you are planning for is a snow storm, do operators have a good snow vehicle at their home? For the "willing" aspect, consider how you would feel if your family wasn't taken care of and you were asked to come into work to help with a disaster. You would be hesitant, and even if you came into work your mind would be distracted. A possible solution is to identify key disaster personnel and ask them what they would need to have done for their family in order to feel good about leaving them. They may want to know their family has flashlights, enough food and water for X days, and that all their kids made it home from school. Instead of having the operator or technician do all this on their own, your company could pre-assign disaster coordinators who would ensure flashlights, food, and water are at their home ahead of time. At the start of the disaster, the disaster coordinators would assure the operator they will handle everything for their family. The disaster coordinator would then coordinate with the family to ensure everyone was safe and had all the provisions they needed, and then relay that information to the operator. This would allow technicians and operators to arrive at work more quickly and do a better job knowing things were good at home. This system is also not required by NERC Standards. It's just an idea we can take from Hurricane Harvey.

If your company does implement controls above the requirements of NERC Standards, be sure to write about them in your procedures and RSAWs because Regional auditors will give you kudos for them at your next audit.

The missing CIP-012 standard has now arrived - at least in development form. CIP-001 (sabotage) was retired. CIP-002 through CIP-011 still exist as well as CIP-014. CIP-013 (supply chain) is under development, and now CIP-012 is in the form of draft one. Initial ballot and comments are due September 11, 2017.

Requirement 1 states: "The Responsible Entity shall develop one or more documented plan(s) to mitigate the risk of the unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers. This excludes oral communications."

Controls can be one of the following:

  • Physically protecting the communication links transmitting the data;
  • Logically protecting the data during transmission; or
  • Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data.

Requirement 1 also includes this note: "If the Responsible Entity does not have a Control Center or it does not transmit the type of data specified in Requirement R1 of CIP-012-1 between two Control Centers, the requirements in CIP-012-1 would not apply to that entity."

Requirement 2 is very simple, requiring entities to implement the above plan except during CIP Exceptional Circumstances.

Interestingly, this is the first CIP Standard to require controls for communications outside the Electronic Security Perimeter (ESP). Requirement 1 doesn't say between the Responsible Entity's Control Centers. It's between any Control Center - whether owned by the Responsible Entity or by another Responsible Entity. Therefore, this Standard will take more coordination with other entities than most CIP Standards. Entities will need to identify which Control Centers they communicate data with for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring.

Operational Planning Analysis is defined by NERC as "An analysis of the expected system conditions for the next day’s operation. (That analysis may be performed either a day ahead or as much as 12 months ahead.) Expected system conditions include things such as load forecast(s), generation output levels, Interchange, and known system constraints (transmission facility outages, generator outages, equipment limitations, etc.)."

Real-time Assessments are defined by NERC as "An examination of existing and expected system conditions, conducted by collecting and reviewing immediately available data."

Real-time is defined by NERC as "Present time as opposed to future time. (From Interconnection Reliability Operating Limits standard.)"

The Implementation Plan for CIP-012-1 gives entities 12 months from approval.

There have been recent updates to NERC CIP Supply Chain Standard CIP-013-1, which is not yet approved but under development and subject to possible future changes and approval. The purpose of this project is to better protect BES Cyber Systems by implementing controls to reduce the risk of compromised vendor hardware and software. The following are the most important changes:

  1. Low Impact BES Cyber Systems escape! Draft 1 of CIP-013-1 had requirements for Low Impact BES Cyber Systems, but these have been removed in draft 2. While keeping them would have been good for security, it didn't make sense to require Low Impact systems to implement these controls because industry uses a risk-based approach. Low Impact systems are Low Impact for a reason. They should have some controls, but not the same as High and Medium Impact systems. High and Medium Impact systems must still implement supply chain security, however.
  2. Clarifying language was added to Requirement 2 that allows entities to follow a process rather than actually getting vendors to comply: "Note: Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract." The Standard Drafting Team (SDT) on an update call gave the specific example of having a process to ask for supply chain controls when negotiating contracts, but it won't be a violation of CIP if vendors don't agree to those controls and they fall out of the contract during contract negotiations. They also said contract language would not be in the scope of an audit - just the process. Entities are only required to have a process to try to get controls into contract language. Therefore, success for this standard will be in having the right process that covers what it needs to but doesn't go too far, which is a similar approach to the Information Protection Program in CIP-011-2.
  3. Requirement 3 (software authenticity) was moved to a new Part in CIP-010-3, Part 1.6. On the webinar, a question was asked for an example of validating a software source. The SDT responded that one way is to check the SSL certificate on the vendor's webpage and validate that it has been issued to the vendor and is still valid. For automated patching systems, you can rely on the automated system's specifications: if the specifications say the system validates the patch before making it available to you, you can rely on that process and don't have to re-validate patches. If a patch is validated once, it can be distributed to multiple machines without having to validate it again.
  4. Requirement 4 (vendor remote access) was moved to two new Parts in CIP-005-6, Parts 2.4 and 2.5.
  5. Implementation was changed from twelve (12) months to eighteen (18) months, which is great news for industry. We all have more time to get ready. However, remember with all the different business units that will be affected it's never too early to start.
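One way to carry out the source and integrity checks discussed in item 3, as an added example that is not PCS's, NERC's or the SDT's code: the first function checks a certificate (in the dict form Python's ssl module returns from getpeercert() after a verified handshake, so chain validation has already happened) against the vendor's host name and validity window; the second compares a downloaded patch to a vendor-published SHA-256 and records it so that one validation covers later distribution to other machines. The host names, certificate fields, patch bytes and hash are constructed for the example.

```python
import hashlib
import hmac
import ssl
import time

def _name_matches(pattern, host):
    """RFC 6125-style match: a leading '*.' covers exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_issued_to_vendor(cert, vendor_host, now=None):
    """`cert` is the dict ssl.SSLSocket.getpeercert() returns after a verified
    handshake (the handshake itself validates the chain). True only if the
    certificate names the vendor host and is valid at `now` (epoch seconds)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when no DNS SAN exists
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, vendor_host) for n in names)

def validate_patch(patch_bytes, published_sha256, validated):
    """Integrity check against the hash the vendor publishes. `validated` is a
    dict shared across the deployment: a patch validated once is recorded there
    and can be sent to other machines without being validated again."""
    digest = hashlib.sha256(patch_bytes).hexdigest()
    if digest in validated:
        return True
    if not hmac.compare_digest(digest, published_sha256.lower()):
        return False
    validated[digest] = time.time()
    return True

# Constructed sample values; not a real vendor certificate, patch or hash.
SAMPLE_CERT = {
    "subject": ((("commonName", "downloads.vendor.example"),),),
    "subjectAltName": (("DNS", "downloads.vendor.example"),
                       ("DNS", "*.cdn.vendor.example")),
    "notBefore": "Jan 01 00:00:00 2017 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
}
SAMPLE_PATCH = b"constructed patch payload"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_PATCH).hexdigest()  # stands in for the vendor's hash
CHECK_TIME = ssl.cert_time_to_seconds("Sep 11 12:00:00 2017 GMT")
```

A certificate that chains correctly but is issued to some other host fails the first check, and a patch whose bytes differ from the published hash fails the second regardless of where it was downloaded from.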

Remember the SDT is under tight timelines due to the FERC Order. The deadline for filing with FERC is September. That requires NERC Board adoption in August, with the second formal comment period and ballot running through June 15. It's time to comment and ballot. The development project page is found at http://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx.

NERC CIP-002-5 is the starting point for determining which Cyber Assets need CIP protections. Entities are required to evaluate their Bulk Electric System (BES) assets according to Attachment 1. The attachment lists criteria for High, Medium, and Low Impact BES Cyber Assets. Everything appears to be very straightforward, but what about Criterion 2.11? Does non-BES generation count towards the 1,500 megawatt (MW) threshold? NERC (unofficially) says it does.

Criterion 2.11 states: "Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection."

The issue gets fuzzy in situations such as Control Centers that manage renewable generation, because many solar and wind facilities do not have enough megavolt-amperes (MVA) to be BES facilities. The definition of BES generation is generation connected at 100 kilovolts (kV) or above with an individual nameplate rating greater than 20 MVA or a plant/facility aggregate nameplate rating greater than 75 MVA.

PCS has been taking the conservative approach that non-BES generation counts towards the 1,500 MW threshold. However, there has been some confusion throughout the industry. PCS had a recent phone conversation with a member of the CIP team at NERC regarding this topic. The member of NERC confirmed that non-BES generation counts and was surprised there was confusion about this. Unfortunately, the person at NERC declined to provide a written response to PCS' email, but based on the conversation with NERC, PCS suggests that entities that have Control Centers evaluate all generation within a single Interconnection, whether BES or non-BES, to see if the total is equal to or exceeding 1,500 MW.

NERC and the Regions require that the initial CIP-003-6 Low Impact Cyber Security Incident Response exercise be completed by April 1, 2017. Proven Compliance Solutions (PCS) helped its clients perform these by facilitating tabletop exercises. The result was a better understanding of Incident Response Plans and improved inter-departmental communication for the entities.

Performing exercises often reveals lessons learned. Also, performing exercises keeps procedures fresh in the minds of Subject Matter Experts (SMEs) who may have to follow procedures late at night or on weekends, when they may not expect to do so.

PCS has found the most difficult thing for entities to do is to plan a meaningful scenario. Often the exercise is scheduled with the appropriate SMEs, who arrive at the meeting and look to the meeting organizer for what to do next. They read through the Incident Response Plan and talk through a few light scenarios. While this could be considered compliant if proper notes are documented to capture the exercise, the value increases if realistic, engaging scenarios are planned in advance.

To plan scenarios, entities could ask themselves the following questions:

  • Which business units and SMEs should participate?
  • What are our attack vectors? How might an attacker actually affect our CIP systems?
  • Is the attack just electronic or will it have a physical security component?
  • At what point should the scenario require communication from the person/group who sees it to the Incident Response Team?
  • At what point should the Incident Response Team notify the Electricity Information Sharing and Analysis Center (E-ISAC)?
  • Will CIP systems need to be contained, eradicated, and restored?

The same exercise performed for CIP-003-6 can also be used for CIP-008-5 for High/Medium Impact systems if the same Incident Response Plan and response teams are used.

With a meaningful scenario, entities get more value from the Incident Response exercise. If your entity did not complete a Low Impact exercise by April 1, it is best to complete one right away and file a report with your region. PCS can assist entities with these efforts.
