PCS BLOG

NERC CIP supply chain management will be upon us in the near future. FERC issued Order 829, http://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=14313640, on July 21, 2016, which requires NERC to file a CIP supply chain Standard (or amend an existing Standard) with FERC by September 2017.

What does this mean for the electric utility industry? The new (or amended existing) Standard must address these topics:

  • Software integrity and authenticity;
  • Vendor remote access;
  • Information system planning; and
  • Vendor risk management and procurement controls

This feels a lot like CIP-014, where FERC wanted the industry to do something and so created a Standard that could be applied lightly or with great intensity. Entities will probably have to cover the above topics in their plan, but they will probably have the flexibility to decide how to implement them and to what degree.

A big challenge with this concept is that a large portion of the security work must be done by third-party suppliers, while the NERC Standards apply not to those parties but to the registered entities. Another challenge is that of single-source providers. If a third party is the only provider of a widget and they don't want to play by the rules, there must be provisions allowing that third party to be used anyway, because maintaining operations comes first.

Stay tuned in the coming months for a draft Standard, comments, and voting.

Reliability First, a Regional Entity tasked with compliance audits and enforcement, recently revealed more details on the highest penalty ever levied on an electrical registered entity for violations not related to an event. The penalty was for $1.7 million.

The largest penalty to date is the $25 million whopper issued to Florida Power & Light Co. (FPL) for the February 2008 blackout, where millions of people in South Florida lost power for several hours. That was for actual societal impact. This penalty was for the risk of actual impact; nothing bad ever happened, but the risk was high. The Ukraine attack probably didn't help decrease this fine. The December 2015 cyber attack left 225k customers without power for several hours and is the first publicly acknowledged power outage caused by a cyber attack in the history of the world. That event has increased awareness of the importance of cyber controls, such as CIP, and the appetite for stronger fines and sanctions for non-compliance.

The entity in violation was not specifically named because it was CIP related, and potential cyber vulnerabilities could attract attackers. However, there is much to be learned from this situation.

  • RF conducted a CIP audit in 2011 and found 19 violations. RF conducted another audit in 2014 and found 36 CIP violations (only 43 CIP Requirements existed). The entity submitted Mitigation Plans in between those audits, but obviously they didn't sufficiently address the root causes.
  • RF found the entity thought of compliance as separate from security. The compliance department lacked sufficient authority and power to effect change - a sign of a poor culture of compliance. This led to issues such as 3 Physical Security Perimeter doors being altered so they didn't lock, letting people enter without the "burden" of security.
  • RF found the entity didn't have the proper expertise to identify and fix issues. This could have been prevented by increasing internal resources or engaging outside help.
  • RF found the entity had abnormally high business silo difficulties. This led to issues such as having separate training, personnel risk assessment, and access provisioning/revoking programs (9 different violations in this case). This exists to some extent at all companies by nature, but this company lacked the correct coordination and central oversight to minimize it.
  • The entity didn't file Mitigation Plans until 8 months after the 2014 audit, and it filed plans that didn't properly mitigate the issues. The entity was late completing milestones, and was found by RF to not have completed 4 plans it said it did.
  • The RF president met with the entity's president, prompting change in senior leadership awareness, resource amounts, and organizational structure.

We have all seen these issues in some form or other - in some degree or other. They aren't unique to any one company but shared by all. This is a good reminder of the financial and reputational blows that can come from non-compliance. Many companies are working with Proven Compliance Solutions for help in establishing solid, achievable compliance programs, as well as performing gap analyses, conducting mock audits, and delivering training.

See https://www.rfirst.org/Pages/Newsletter.aspx for the May/June 2016 Reliability First newsletter (pg. 7-8).

See https://www.ferc.gov/media/news-releases/2009/2009-4/10-08-09.asp for $25 million fine details.


SANS and the E-ISAC released a report on the 2015 Ukraine power outage. This has garnered a lot of attention as it is the first known, or publicly acknowledged, power outage caused by hackers. On December 23, 2015, about 225,000 customers lost power for several hours.

Bad actors got in by sending targeted emails, also known as spear phishing emails, to Ukraine power company personnel. Phishing is an attempt to get sensitive information by pretending to be a trustworthy source. Spear phishing is targeted phishing. Think of phishing as casting a wide net, while spear phishing is targeting only a select number of people.

Hackers sent these emails about six months prior to the outage, appearing to be from a reputable source, with Excel and Word attachments containing BlackEnergy 3 malware. We all love to open Excel and Word documents, right? Once opened, users were encouraged to enable macros, something we also like to do, which allowed the install of BlackEnergy 3. This allowed attackers to steal login credentials and then remotely log in and open breakers to cause the power outage.

There are many morals to the story, but the one of interest here is that spear phishing is perhaps the greatest threat to a good cyber security program. If someone opens a malicious attachment, your anti-virus tools may or may not catch it. The best defense is a well-informed and disciplined user.

Tips:

  • Don't open attachments from untrusted senders.
  • If you see an unusual email from a trusted sender, call them to verify they really sent it to you. Trust your instincts. You'll notice something off in the spelling, tone of voice, or the action they want you to take.
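User awareness is the best defense, but a mail gateway can back it up. The attack above relied on macro-enabled Office attachments from an outside sender, so the added example below (not from the original post or SANS/E-ISAC report) flags exactly that: OOXML attachments containing a VBA project part, when the sender's domain is external. The domain, sender address and attachment contents are constructed placeholders; legacy OLE2 .doc/.xls files are outside its scope.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "utility.example"  # constructed placeholder domain
# Part names present only in macro-enabled OOXML containers (.docm/.xlsm/.pptm).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML; legacy OLE2 .doc/.xls is out of scope here
    return any(part in names for part in VBA_PARTS)

def build_docx(with_macros: bool) -> bytes:
    """Construct a minimal zip that mimics a .docx (or .docm) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")  # constructed stub
    return buf.getvalue()

def flag_message(msg: EmailMessage) -> list:
    """Return filenames of macro-bearing attachments sent from outside the domain."""
    _, sender = parseaddr(msg.get("From", ""))
    external = not sender.lower().endswith("@" + INTERNAL_DOMAIN)
    return [part.get_filename() for part in msg.iter_attachments()
            if external and has_vba_project(part.get_payload(decode=True) or b"")]

def demo() -> list:
    """Constructed message: external sender, one .docm and one plain .docx."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Billing <billing@vendor-lookalike.example>"
    msg["To"] = "operator@" + INTERNAL_DOMAIN
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(build_docx(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(build_docx(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    return flag_message(msg)  # returns ['invoice.docm']
```

A real gateway would quarantine the flagged part rather than just list it, and would extend the check to OLE2 documents and to look-alike domains, which the endswith test does not catch.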


There has been some confusion as to when entities need to complete CIP Version 5 training. Well, it's actually CIP-004-6, but let's just call it CIP v5 as that's what the new group of Standards is commonly called.

There have been some reports, such as in this article by Curricula, that entities must re-train on CIP v5 topics by July 1, 2016 or else they will be in violation. They argue that because v5 introduces new topics, if a person was trained on v3 topics in January 2016 and is not retrained by July 1, 2016, they will have missed some v5 training topics.

A review of the NERC Petition for CIP v5 submitted to FERC on January 31, 2013, page 654 of the PDF, page 3 of Appendix B - Implementation Plan, reveals that CIP-004-5, Part 2.3 is not due until 12 calendar months after the Effective Date, which would be by July 31, 2017. This is a screenshot:

[Screenshot of the Implementation Plan excerpt; image not reproduced here.]

I checked with WECC CIP auditors this morning. Their audit approach is in line with the Implementation Plan and is similar to their approach on personnel risk assessments (PRA). If a PRA is completed prior to July 1, 2016, it is grandfathered in and another wouldn't be needed until seven years from the last one. Similarly, if a person received CIP v3 training prior to July 1, 2016, that training would be good for another 15 calendar months. Any person newly receiving CIP access on or after July 1, 2016 would obviously be required to have CIP v5/6 training prior to gaining access.

This highlights the importance of being close to auditors in your Region.


The title of this blog is commonly associated with old age and keeping our loved ones safe, but it is also associated with a feeling of helplessness and being alone. Many compliance professionals and SMEs that I have spoken with have communicated just that when talking about their daily tasks and experiences. As a team member of Proven Compliance Solutions, I recently attended an industry reliability compliance workshop along with about 400 other eager participants. As I was diligently listening to the featured speaker, I was reminded of a quote that my good friend Brad voiced several years ago while discussing the duties associated with a majority of his compliance activities. Simply stated, he said a lot of what he does is "Documenting the obvious..." Sitting through presentations can be enlightening and informative, but they can also be a bit wearing as I think of all the people around me listening to a speaker tell them about another new process, method, or formula to mix, measure, and validate their program. I remember some time ago hearing that there would be fewer standards and fewer requirements and that compliance would get easier. That, my friends, is not what I'm seeing out there. If you haven't explored the Standards Under Development page on the NERC site, you may not be aware of the boatload of activities going on.

I am fortunate in that I work with a group of individuals who live NERC/Regional reliability compliance on a daily basis, and we have the opportunity to divide up the responsibilities of tracking and understanding all of the rules and regulations and the constant changes that come with keeping up with an industry responsible for the security and reliability of the BES. We attend regional meetings and webinars, participate in various committees, read everything we can get our hands on, and track standards under development, committee activities, and reliability compliance activities in each Region, at NERC, and at FERC to keep our clients informed and on top of their programs. Our client reports are customized to each entity's NERC registered functions, the current standards and standards under development that are applicable to their functions and operations, activities related to regional standards, recent webinars and meetings, and any other associated information. For each of the standards addressed in our tracking matrices, our PCS experts provide information relevant to our client's operations and offer opinions and specific action items related to their reliability compliance program.

Gathering this information can seem like a monumental task, but the process of doing so keeps us informed to the highest degree possible, and it also keeps us on our toes! So many times I have talked with individuals trying to manage their programs who are exhausted and overwhelmed. It is not uncommon that reliability compliance is just a portion of their jobs. I definitely understand their situation and see their need for a team of individuals like PCS to help them out. That's what we're here for and what we love to do! So, if you're reading this and want to find out what we can do to make your job easier, I hope you'll get in touch with us to find out more.
