Showing posts with label compliance. Show all posts

Thursday, August 22, 2013

NERC CIPs Catching up to iPhone Version Numbers


OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."

"Yes! How about version 4?" Etc.

Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs with which utilities must comply will be neither version 4 nor 5 but rather version 6!

I was stunned, as were many of those in online attendance. Tom explains his reasoning on the EnergySec webcast and much more, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour-long piece, with some deep dives into the ramifications of high, medium, and low risk assets.

Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.

----------------------------

Attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM for sending me the replay.

Photo credit: KCRW.com

Friday, April 5, 2013

Helpful Clarifications Still Leave NERC CIP Version 4 Changes Feeling Overwhelming

If your job is to ensure your utility complies with the new version 4, certainly you've been scouring info like this for a while now. But if you're a member of the electric sector support or regulatory communities, including service providers and state commissioners, it'll behoove you to get a better feel for the massively numerous and often ambiguous compliance hoops through which these folks have to jump.


Thursday, March 28, 2013

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4" the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand new utilities who for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard !!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

Tuesday, February 26, 2013

The Future of Naval Installation Energy

Posting this one for SGSB readers who might not otherwise see relevant content on the DOD Energy Blog. There's a lot to admire, and learn from what the Navy is doing in Washington DC and the surrounding region. Check it out ...
-----------------------
As projected several years ago in this great 5-minute video, paving the way for demand management, energy efficiency, microgrids, support for renewables and all manner of support-the-mission, energy security goals (with cybersecurity baked in).



From all accounts, the folks involved with this initiative are right on schedule and are meeting their objectives.  Recommend you keep an eye on this.

Sunday, February 3, 2013

Alrich on Distributech's 2013 Cybersecurity Focus Panels

I couldn't make it to the panel sessions but fortunately Tom Alrich could and did. Here are his short takes on 3 different panels:
Substation Integration and Automation: The Cybersecurity Landscape is Changing - Didier Giarratano of Schneider Electric discussed Role Based Access Control (RBAC) and how to do a good job applying RBAC to the challenges of substations. Anthony Eshpeter of SUBNET Solutions discussed “Complexities of Substation Cyber Security”. He provided a very good, lucid discussion – pointing out the need for solutions like those SUBNET sells but without ever making a sales pitch. Bradley Tips of Cisco addressed “Real-world Deployment of Network Security for NERC CIP Compliance”. A good overview of what CIP requires for a substation these days.

Tuesday, September 18, 2012

The Quest to Better Understand the NERC CIP Bright Lines

Tom Alrich and Rick Kaun have written some of the best material we've seen on the topic of the evolution of the CIPs, and Tom has a new piece clarifying the lack of clarity in the Bright Lines language.

This is something of interest to all utilities currently busy achieving and demonstrating compliance with version 3, and grappling with what they should do to best prepare for versions 4 and/or 5 coming at them sooner than they would probably like.

Here's Rick's intro followed by a link to Tom's article. Note: you may not like what Tom has to say, but it's better to get this news now than to go ostrich ....

Sunday, June 24, 2012

Security Checklists, Compliance Cultures, and Finding a Better Way

Fixating on responding to a compliance regime is, in a sense, like agreeing not to learn. You know how, when you're in the passenger seat, even if you go to the same destination a hundred times you don't remember how to get there, because you weren't driving and never learned in the first place? Fortunately, the GPS came along just in time to save your butt.

Before I go any further, please note this is not intended as invective against the NERC CIPs. I know why they were made and why we still have to have them. Most of us wish it were otherwise, but unless and until the majority of utilities are observed performing the activities the CIPs require (and more) on their own initiative, this is the way it's going to be.

Have to tip the figurative hat again to Ernie H, who once again can be counted on for spotting and forwarding the good stuff. THIS recent Dark Reading article lays bare the downside of a checkbox compliance mindset. In it, I like this analogy from security researcher Lamar Bailey:
[Security] standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game. If you can't pass them with two hands tied behind your back, you need to quit and find another game.
I could see how that might make some folks say Ouch! Anyway, it prompted me to do a search to see if utilities were embracing or resisting some of the downsides of this mindset. Well, it didn't take long before I happened upon this. Imagine you pay the salaries of dozens of folks, as many utilities do, engaged in activities described by one CIP compliance manual this way.

It begins, "Evidence is more than just documentation" and continues:
Demonstrating compliance usually means “corroborating” evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.
There have got to be better ways to run and secure a utility, no? And of course, reading to this point is worth it if it means you get to a gem of an article I posted a link to almost exactly one year ago. Once again, HERE's Stephen Flanagan of FERC, giving a keynote on what he terms compliance cultures vs. cultures of commitment, who even as an auditor, keeps this in mind: "Security, not violations, is the primary focus." Like that.

Wednesday, March 28, 2012

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hashtag on Twitter.

Friday, December 16, 2011

Industrial Defender Report Highlights Control Systems Operators' Increasing Responsibility Overload

The sharp folks at ID just released a survey-based report called "Managing Automation Systems: Critical Infrastructure Operators’ Challenges & Opportunities" which is chock full of interesting findings. You'll quickly see that the challenges that rose to the top of their findings are much more about people and process than about technology.

Here's a sample from the overview:
  • On paper responsibilities don’t align with day-to-day activities. Over the past several years, industrial automation professionals have seen their responsibility broaden from managing operations to managing security and, in some instances, managing compliance. However, there is a clear gap between the time these individuals commit to each requirement, regardless of whether they own a high degree of responsibility
  • Similar management requirements exist across security, compliance and operations functions. In other words, actions and activities necessary to support a security program may be strikingly similar to what’s required for compliance management and operational management within critical infrastructure
  • Infrastructure operators are constrained in their ability to manage these overlapping requirements. This is particularly true when it comes to managing multi-vendor environments with assets from a mix of industrial automation suppliers
It's a familiar story, right? Too much being asked of too few, with the quality of the work that gets done likely to be, well, sub-optimal. Sounds like some business process optimization and automation is in order ... and in the meantime, maybe pay increases for the folks who are asked to get this mountain of important work done.

Recommend you read the full report ... it's a brisk read at <10 pages.

Tuesday, October 11, 2011

Electric sector security evolution: forward leaning exemplars vs compliance-focused knuckle draggers

This is the last of my posts from last week's Smart Grid Security Summit West, held in an unusually damp San Diego.

OK, knuckle draggers may be a little harsh. I apologize. But there may be a whole new approach emerging, to meeting security, privacy and compliance demands in the electric sector, and, depending on where you work when you read this, it's one I think you'll like a lot.

The outlines of a new approach appeared during the security metrics panel on day 1 and continued to resonate till the end of the conference on day 2, and basically it came across like this:

While the vast majority of utilities today seek to achieve an acceptable level of security and risk reduction via compliance with version 3 of the NERC CIPs, and preparation for what looks likely to come from NERC in subsequent versions, a couple of utilities, supported by their CEOs and/or empowered by recent crises, intend to set and implement higher-level security baselines for themselves.

I won't say who they are; it's probably best if you hear that directly from them or infer it yourself. But if these 2 can get the process started, and perhaps coax another 1 or 2 to join them, then they may be able to carve a wide path that many of the precedent-following rest can follow.

Imagine an industry where mere compliance with the lowest government enforced controls is no longer considered a best, or even a good business practice. Wait, this is starting to turn into a John Lennon song. Probably a good idea to stop here, but stay tuned for more on this.

Friday, July 29, 2011

Weatherford speaks out on Compliance vs. Security

There's a lot to like in NERC CSO Mark Weatherford's new GovTech column on compliance vs. security in the energy sector, but my favorite part was the final paragraph:
Achieving a high level of security maturity and being compliant within a regulatory environment requires one fundamental component — a strategic vision for security. A strategic plan for achieving both your compliance mission and the overall corporate security goals should be complementary. But that’s a topic for a future column.
"Strategic plan" that melds security and compliance - absolutely yes. Make one or get one if you don't already have one. But "security maturity"? Let's have more on that. Definitely will be keeping an eye open for Mark's future piece.

The full article is HERE. And BTW, if you didn't catch it last month, a much longer and yet brilliant talk was given on this topic by a gentleman from FERC. Go HERE for a link to the SGSB post on it, as well as for the full transcript.

Wednesday, June 22, 2011

The Best Talk Ever on NERC CIPs and Grid Security ... Period

I've read some good stuff over the years, though never at work. In the classics department my favorites are The Heart of Darkness, Moby Dick and The Invisible Man. For somewhat shorter, if not lighter fare, I like Haruki Murakami and the Raymonds: Chandler and Carver.

But the line between pleasure reading and work reading has been big, bright and until recently, very, very bold. That is, until I found Stephen Flanagan's mature (by his own reckoning) perspective on the Critical Infrastructure Protection standards (CIPs), the culture of utilities, and the difference between compliance and commitment:
I have a problem with this term “compliance.”  In fact I think it’s bad terminology for the CIP program and gets us into the entire wrong mindset from the get-go. And why do I think this? Well although the term “compliance” has a more or less precise legal definition, its use among the uninitiated does not have the same connotations.  I fear that when many hear the term they look more to Webster than Black as the dictionary of choice.  And in Webster one is likely to find the word defined as: Compliance: –noun, 1. the act of conforming, acquiescing, or yielding. 2. a tendency to yield readily to others, especially in a weak and subservient way.
He asks "How does that grab you?" and continues:
... in my opinion, for reliability, and I stick CIP into the reliability program as a whole in this discussion, I think the better term would be “commitment” rather than “compliance.” Why “commitment” you may ask. Well again Mr. Webster provides some helpful insights: Commitment: –noun, 1. the act of committing, pledging, or engaging oneself. 2. a pledge or promise; obligation. 3. engagement; involvement. 
Flanagan concludes with "Now doesn’t that sound a whole lot better?" Yes, it sure does.

I've never heard the compliance vs. security conundrum more eloquently and simply put. Compliance mentality is an organizational, cultural disease that undermines real proactive security attitude and action. I'll take engagement and involvement every time.

There's a whole lot more to savor and appreciate in this learned, witty, irreverent article. You may find the occasional typo, and maybe the title's a bit alarmist, but that's likely because this isn't actually a work of great literature. However, in my experience, and in our space, Stephen Flanagan's keynote address is one for the ages ... a grid and Smart Grid security masterpiece.

You can read the whole thing HERE.

Tuesday, August 3, 2010

Mid 2010 Snapshot: Utilities in Security and Compliance Double Bind

If you're not the head honcho for security at a medium-to-large utility company in the USA these days, you should consider yourself fortunate that, regardless of your profession, your life is much less complicated than theirs. If you are in such a position, you have my sympathy, and depending on how you're managing, my respect.

Seems to me you are in a damned if you do, damned if you don't situation. On one hand, you must do everything you can to keep the processes in place that have kept the customers' lights on 24/7/365 over the past decades of your career. Moving too far too fast with new technology or methods puts that number one metric at risk. On the other hand, in order to put your organization in position to pass its NERC CIP compliance audits and avoid fines and other negative fallout, you're having to substantially upgrade and update the security controls on some of your most important systems.

Like the oft-referenced complex challenge of repairing an airplane in flight, you face the dilemma above in a time of unprecedented change in an industry ill equipped organizationally to make fast changes. For example:
  • In a sector largely insulated from competition, deregulation (in some regions) now adds that factor to the mix. And some of the competitors are from another planet, culturally speaking (see: Google, Microsoft, etc.)
  • AMI and Smart Grid initiatives are encouraging you to connect systems that were once protected, in part, through isolation
  • Business models look like they're in position to turn inside out and dis-intermediation is a real possibility
  • The FERC/NERC CIP cyber security regulatory regime is moving fast; you're given a scant 2 years to turn your ship in the right direction (impossible for some), and rumors of more stringent and burdensome standards coming abound
  • And last but not least, what about the GRID Act? Its passage looks like a near certainty. You only thought you had compliance problems before !!!
Just writing this list gets me all worked up. Time to turn to the timeless wisdom of the Ramones: "I wanna be sedated." OK, better now.

So, in this climate, should you err on the side of doing too much? Moving your org rapidly towards better security and compliance but adding an unknown amount of reliability risk even as you seek to reduce it? Or lean towards preserving the steady state status quo and do too little, and risk getting slammed by fines ... or worse (Stuxnet anyone)? Often there's a middle path you can construct that gives you a nice balance of risk and reward, but I'm not sure that's the case here. But whatever you choose, the rest of us on this blog appreciate the tight spot you're in and will do as much as we can to make your world a little simpler.

Tuesday, July 13, 2010

Changing of the Guard: Weatherford Replaces Assante as NERC CISO

Just so you know, there was a shift in the force recently as Michael Assante stepped down from the CISO position and NERC sought an able replacement. This post (and this NERC announcement) informs you that, happily, the new CISO has been installed and we're back on track.

Good thing too, because the electricity generating, transmitting (if not yet, distributing) industry is being pulled in two seemingly opposing directions: on one hand, the desire to demonstrate compliance with CIPs 002-009; while on the other, high anxiety that:
  • CIPs 010 and 011 are much different from 002-009 (see summary from James Holler here) and unless they're phased in VERY gradually, that means trouble
  • The new CIPS are based largely on security control standards like those in NIST SP 800-53 "Recommended Security Controls for Federal Information Systems and Organizations." Again, a whole different enchilada in terms of detail than what's in 002-009
  • This will force huge changes (and likely, commensurate new expenses) for utilities trying to make the best of limited human resources, time and funds
Maybe there's a loose connection of sorts here. I recall that the SP 800-53 controls are referenced in DOD 8500.x security policies (see DITSCAP and DIACAP). Michael Assante was a Naval intel officer and seems to me he did a great job during his tenure at NERC. Now Mark Weatherford, recently the CISO for the states of California and Colorado, also comes to the office with a solid Navy pedigree. From the NERC announcement on him:
Weatherford began his career as a Naval Cryptologic Officer, where he led the Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team. Weatherford has a bachelor’s degree from the University of Arizona and a master’s degree from the Naval Postgraduate School.
One thing we've seen in our talks with CISOs and other security professionals in the utilities and ISO/RTOs is the prevalence of prior military (though not always Naval) experience, including folks who did crypto and other cyber security related jobs when they were slightly less "seasoned."

Well, as you'll see from Holler's summary, if not your own hands-on experience in the compliance trenches, it may well be a rough ride moving from the relatively light-weight original CIPS, which really just went fully live on 1 Jan of this year, to the industrial strength 010 and 011. I for one am pulling for Mark to do a great job and wish him every success. We all have a job to do, but his is a key role in this.