Cyber Security is taken seriously by North American Power Generator
May 8, 2015
The applications of modern automation and ever increasing use of internet have created new threats to reliable power generation. To address related cyber threats, North American Electric Reliability Corporation (NERC) published Critical Infrastructure Protection (CIP) – Cyber Security standards CIP-002-1 through 009-1, which most generator owners and operators were required to comply with starting January 1, 2010.
Interpretation and application of the new, comprehensive standards can be confusing and may result in misinterpretations. Mr. James Batug with PPL Generation, LLC, in Allentown, PA and Mr. Paul Taylor with Valmet, Automation business line, in Lansdale, PA have carefully studied CIP - standards and clarified some of the cyber security related issues in their paper given in the ISA POWID/EPRI Controls & Instrumentation Conference in Summerlin, NV, USA in 2010. The authors explain the meaning of the requirements, and how responsibilities between the vendor and the end user/operator could be distributed in design, fabrication, and assembly of a control system in order to achieve and sustain compliance with the CIP standards. In following, a short summary of the paper is presented.
Introduction
The current standards are applicable to Critical Assets with Critical Cyber Assets (CCA) that support reliable operation of the Bulk Electric System. The intent of the standards is to institute procedures and processes that protect the control and monitoring systems from cyber attacks and/or security incidents that might threaten the reliability of the national grid (Bulk Electric System). NERC holds the generator operator or owner as the Responsible Entity (RE) and ultimately accountable to comply with the standards. The RE´s compliance with the standards is subject to frequent audit by Regional Reliability Organizations (RRO) under the contract with NERC. Violations may be penalized with fines.
Once a generating plant is identified as a Critical Asset, plant control and monitoring systems are often identified as critical to operation and the cyber assets fall under CIP regulation. Examples are the burner management, combustion control and turbine-generator control, monitoring, and protection systems.
The authors concentrated on following NERC CIP standards and specifically on CCA related requirements:
- CIP-002 Critical Cyber Asset Identification: R1,R2 & R3
- CIP-003 Security Management Controls: R4, R5 & R6
- CIP-004 Personnel and Training: R1, R2, R3 & R4
- CIP-005 Electronic Security Perimeters: R1 – R5
- CIP-006 Physical Security of CCA: R1 – R6
- CIP-007 Systems Security Management: R1 – R9
- CIP-008 Incident Reporting & Response: R1 & R2
- CIP-009 Recovery Plans for CCA: R1 – R5 where R1, R2, etc. refers to the applicable requirement of the standard
Secured Grid Elements. Secure communication flows
CIP Standards 002 through 009
Standards (CIP-002) require RE to develop and use Risk based Assessment Methodology (RBAM), in order to define the Critical Assets and Critical Cyber Assets (CCA) in the plant. To fulfil the requirements, a vendor may provide supporting information to assist with the identification of the CCAs, like network highway or LAN topology diagrams, Bill of Materials, and similar details.
According to the Security Management Control of the standard (CIP-003) RE is responsible to assure that Critical Cyber Asset Information (CCAI) is protected. This means that the access to CCAI is strictly controlled, which is vitally important in the case of retrofit, when the cyber assets may or may not be part of the vendor´s scope of supply. Co-operation between RE and vendor on these issues is needed.
Personnel and training standard (CIP-004) requires that the applicable personnel are annually trained on cyber security issues. In addition, certain individuals are required to have a Personal Risk Assessment (PRA). Also, a record must be maintained of the individuals with access to CCAs and their access rights, and these access rights must be removed when they are no longer required. Both the RE’s employees and Vendor personnel must have a PRA and annual training on the RE’s cyber security policies and procedures in order to have physical and/or logical access to the RE’s Critical Cyber Assets.
Standard (CIP-005) concentrates on the establishment, implementation, and documentation of the electronic security perimeter (ESP), the access process and control at ESP access points to protect its CCA. The related documentation required by the standard must be reviewed at least annually and updated. To fulfill the requirements of standard CIP-005 requires intensive support by the vendor.
Standard (CIP-006) requires development, documentation, implementation, and maintenance of the Physical Security Plan (PSP) to guarantee the protection of cyber assets, including 24x7 monitoring and documentation of all physical access. The primary Vendor role is to work with the RE’s technical staff to produce a system and network design that minimizes the number or Electronic and Physical Security Perimeters.
System security management standard (CIP-007) is effectively applicable to all cyber assets within an ESP. RE needs to take care of numerous tasks to ensure the systems security.
These tasks include among other things;
- testing that new Cyber Assets do not affect existing cyber security controls,
- only those ports and services required for operation are enabled,
- security patch management process is in use,
- the anti-virus and malware prevention and detection tools are used,
- to minimize the risk of unauthorized access,
- to ensure that all Cyber Assets within the ESP implement automated tools to monitor and log system security events,
- to monitor and alert for detected Cyber Security Incidents,
- to have formal means of proper disposal or redeployment of Cyber Assets located within the ESP,
- to organize an annual cyber vulnerability assessment of all cyber assets within the ESP, and
- to review documentation at least annually.
The vendor’s responsibility in fulfilling these tasks is vital and extensive.
All Cyber Security Incidents need to be reported and responded to at least annually according to the standard (CIP-008). Vendor may be called on to assist in the event of an incident.
Standard CIP-009 requires the RE to have recovery plans for Critical Cyber Assets. The requirements cover the creation and review of recovery plans and exercising those. Changes in the plans has to be made a result of exercises or an actual incident. The vendor should provide a plan and the necessary information for backup and recovery for any cyber asset within the CIP standard required ESP that the vendor supplies.
New developments
Since the 2010 paper, FERC has approved Version 5 of the CIP standards which represents significant progress in mitigating cyber risks to the Bulk Electric System (BES). NERC initiated a program to help industry transition from CIP Version 3 to CIP Version 5. Mr. Joe Roscioli of Valmet*) in Lansdale, PA has been following these new developments.
There are two new CIP standards: CIP-010: Cyber Security - Configuration Change Management and Vulnerability Assessments. It’s purpose is to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.
CIP-11: Cyber Security - Information Protection. It’s purpose is to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
Conclusion
Responsible Entity (RE) must meet all of the CIP standards requirements in order to be in compliance with NERC / FERC regulations. In order to meet the requirements the RE will depend on the Vendor, who will brings to the table the knowledge and support about the products and services that it provides.
“The RE and the Vendor must partner throughout the life cycle of the Critical Cyber Assets. From the automation system’s conceptual design phase; the engineering phase; the production phase and factory acceptance; site commissioning and acceptance; continuing operation and maintenance; to the retirement of the Assets, the RE and vendor have complementary roles in meeting the CIP requirements”, the authors conclude in their meritorious paper.
For more information: Steve Colwell, Senior Product Engineer
steve.colwell (at ) valmet.com
Abbreviations:
BES Bulk Electric System
CCA Critical Cyber Assets
CCAI Critical Cyber Asset Information
CIP Critical Infrastructure Protection
CMP Change Control & Configuration Management
CSIRP Cyber Security Incident Response Plan
CSVA Cyber Security Vulnerability Assessment
DCS Distributed Control System
ESP Electronic Security Perimeter
FERC Federal Energy Regulatory Commission
LAN Local Area Network
NERC North American Electric Reliability Corporation
RBAM Risk Based Assessments Methodology
RE Responsible Entity (Generator, Owner, User)
PRA Personal Risk Assessment
RRO Regional Reliability Organization
TFE Technical Feasibility Exception
UTM Universal Threat Manager
2FA two factor authentication