Friday, February 12, 2010

Seeing NERC CIP through a Software Lens

Thinking about the future grid, AMI and Smart Grid systems can get so complicated that they can be difficult to conceptualize unless you use a construct that limits the scope of what's being considered. Given that so much of the Smart Grid “smarts” involves new applications and other advances in software, an important way to think about NERC CIP and your organization is to focus on your software assets.

10 Seconds of NERC Critical Infrastructure Protection (CIP)
In 1998 Presidential directive PDD-63 introduced the concept of protecting critical national infrastructure across different sectors, from private companies to emergency responders and the DOD. PDD-63 referenced computers and cyber systems a number of times, but as a presidential directive, it was not specific about the component requirements; rather, it focused on the expected end states and the organizations and initiatives that would make them possible.

In the early parts of the last decade, there emerged the IntelliGrid, the Modern Grid, and ultimately, the Smart Grid, in 2006. After much deliberation and the recognition that cyber threats to the grid would loom increasingly large as we moved towards an increasingly networked, info-centric system, NERC’s CIP standards were born. Many of those threats were leveled at, or enabled by, software. The systems that would be providing access, that would be controlling operations, and that would be recording all of the activity were moving to software, and were moving to networks via even more software.

As we enter 2010, utilities’ compliance deadlines for NERC's CIP standards are looming and for some, more stringent deadlines requiring them to be "auditably compliant" are arriving soon. They are required to have a plan for achieving compliance, and by now, utilities must be well along the path towards achieving and maintaining compliance with that plan. What does that mean? As NERC CSO Michael Assante puts it:
“The CIP standards are accompanied by a phased-in implementation plan, designed to give asset owners and operators enough time to become compliant with the standards before they become enforceable. ‘Compliant’ means that the entities are required to comply with the standards and “self-certify” their compliance. ‘Auditably compliant’ means that regular, scheduled audits of compliance with the standards will be conducted.”
The 9 CIP Standards
For your convenience, all of the standards are linked below:
We note that software apps and tools play a role in the day-to-day management of the above domains, and software and software controls themselves are critically assessed in CIPs: 2, 3, 5 and 7-9. History has shown that software plus critical infrastructure begets regulation (see: PCI for the credit industry, HIPAAfor healthcare, DITSCAP/DIACAP for DOD, etc.). In preparation for this, utilities must plan for an uncomfortable amount of new attention to be paid to the ways in which they monitor, manage and demonstrate their compliance. In many cases this will mean certifying the security of their new and existing software, likely via even more software. This is not trivial, and a virtual industry has already sprung up around achieving CIP compliance.

NERC and NIST on Cyber Security
The focus of the NERC CIP has always been easy to see from its own name. It has always attempted to steer utilities to descisions that would enhance reliability. Current efforts underway from NIST, and their work in Smart Grid cyber security standards are different. As NERC’s own comments to the first NISTIR draft on cyber security called out:
“The CIP Reliability Standards apply to installed equipment and require security controls be applied to manage risk in the operation and maintenance of cyber assets. However, the protection goals of the Smart Grid, on the other hand, are broader, and address component security, integrity of communications, privacy and other cyber security considerations.”
So there’s plenty to consider regarding the acquisition, use and protection of software assets in a NERC CIP context. It’s a little ironic, but we note that many of the controls NERC and NIST are recommending to better secure critical cyber assets are themselves made out of software, and by definition, are susceptible to being manipulated or circumvented by determined assailants.

Focus on Critical Infrastructure Leads to Focus on Software
The Smart Grid is evolving and so are the CIP standards. We’ll be doing a CIP deep dive, one standard at a time, in subsequent posts. In the mean time, where critical and less-than-critical software systems are involved, it’s probably best to imagine what your organization will do if and when those systems are attacked and breached. That’s the nature of the cyber attack and cyber defense world these days. Best to have a Plan B warming up in the bullpen, and Plans C, D & E loosening up as well. Stay tuned.

image courtesy of: / CC BY 2.0

No comments: