Today we are pleased to be introducing to this platform our very own Boyd Nation. Boyd is our Director of Compliance Services and has been working in and around the Utility industry for over 23 years now and since 2001 has been front and centre on compliance related issues for a very large power company. Suffice it to say Boyd knows his way around regulation in OT environments.
This is the first blog in a series of posts about the recently released FERC audit results report.
FERC recently released to the power utility industry a summary of the results of the FERC CIP audits that FERC staff performed during 2018. The document turns out to be worthy of close study and some in-depth discussion, so I’m going to be putting together a series of postings to call out the benefits of paying attention to the report and thinking through the implications of the recommendations and some of the ways that utilities of various sizes might go about carrying out those recommendations.
Notably, the document reads well as a description of a cooperative effort to improve the security of the power grid, with none of the adversarial tone that can sometimes mar the relationship between FERC and the industry.
There’s a lot of industry-related security material out there, but nothing FERC says in a non-emergency setting is required without a lot of steps between their saying it and you actually having to do it. So why should you pay attention to this report? In this particular case, there are a couple of reasons why you should pay attention. Your security and probable future compliance requirements depend on it..
The NERC CIP standards are a mature, nearly comprehensive, and generally clear set of standards at this point. They have progressed greatly in over fifteen years of development, and in comparison to other commonly used sets of standards, there are no major gaps in coverage of topics.
The domain that they live in – one in which there is a desire for a clear-cut line between compliant and non-compliant – leads them without a true notion of maturity levels, other than the small amount to which impact levels mimic them. They fail to leverage differing security controls which provide coverage for each other, reducing the need for fully mature implementation of all the overlapping controls. But within that framework, the standards work well.
There are still areas where the standards provide weaker coverage than the general state of the art calls for at this point in time. As it turns out, the FERC audit report provides a viewpoint into identifying most of those areas where improvement is possible.
Knowing where vulnerabilities lie are useful because those wishing to compromise your systems are not bound by the standards in identifying ways to attack you.
They’re free to work in the negative space that’s created by the shadow of the standards. Weakness is created by CIP requirements for security awareness where it is underpowered, relative to current research on the value of strong awareness programs. Gaps that open up due to the lack of a requirement for automated inventory identification tools, or any of the other areas where the CIP standards, represent a lack of new development or compromise with existing infrastructures.
Being perfectly compliant with the standards does not reduce risk, and finding awareness of those weak spots allows you to strengthen your security posture. FERC addressing those weak spots helps leverage procuring funds from your executives, making that task a little easier than one based on your expertise and a generalized claim to “best practice”.
In addition to the practical current benefits, there’s an element of “you might as well go ahead and get to work on this” to the report. While FERC does not explicitly state this, it is the message we get from reading between the lines.
CIP version 5 was approved by the NERC Board of Trustees in 2012. Implementation was staggered, but we’re reaching the point where it has been in the field for at least three years. There have been revisions, and the drafting team continues to nibble along the edges of hard problems related to new technology.
But we are likely to approach the point where FERC (and the underlying progression of time) calls for a new revision within the next couple of years; think of it as CIP 2022. Because of that maturity that I spoke of earlier, it’s unlikely that the next major revision point will represent a drastic change in approach. It will likely come from within the industry and from FERC directions to improve the areas that are identified as being weaker than desired within the current body of standards. This FERC report provides a strong glimpse into what those areas might be.