CIP-002-4 Is Coming

(This article was originally published on the Findings From the Field blog.) NERC announced earlier this month that long-debated changes to the NERC CIP-002 standard have passed ballot and are being submitted to the NERC board for approval. The changes introduce a "bright line rule" defining Critical Assets and Critical Cyber Assets. The rule eliminates the discretion NERC entities had in versions 1-3 to define their own risk-based assessment methodologies to identify Critical Assets. The changes should result in a much larger pool of assets being identified as critical and so subject to CIP standards. It remains to be seen though, whether utilities will take this opportunity to strengthen their security programs in light of recent advanced threats to control systems. Ambiguity In principle, Critical Assets are those components essential to the reliability of the Bulk Electric System, and Critical Cyber Assets are cyber components essential to Critical Assets. The NERC-CIP standards apply only to Critical Assets, Critical Cyber Assets and, to a degree, other equipment inside the physical and electronic security perimeters protecting those assets. In practice though, there was serious ambiguity as to what "essential" meant, and even debate as to what "Bulk Electric System" meant. Concerns about this ambiguity were highlighted in 2008 in FERC order 706 and in 2009 in then-NERC-CSO Michael Assante's letter to NERC entities. In his letter Assante asked whether it was reasonable that 73% of CIP table 3 and table 4 entities had identified no Critical Assets whatsoever in their operations. If an entity could establish a definition for Critical Assets that did not describe any of their physical assets, then that entity needed only a token security program: bits of documentation proving that there really are no Critical Assets or Critical Cyber Assets to protect. New Rules To eliminate these ambiguities, a new CIP-010 was opened to ballot in May of 2010 to replace CIP-002. CIP-010 would have replaced the terms Critical Asset and Critical Cyber with high, medium or low impact ratings for all assets. A new CIP-011 would have included updated requirements from CIP-003 through CIP-009 in one document for easier reference. The response to these proposals was over 900 pages of comments from reviewers. NERC responded with CIP-002-4, keeping the Critical Asset terminology, but eliminating most discretionary decision-making when deciding which assets were critical. The CIP-002-4 approved in the ballot uses a "bright-line" rule to define the term Critical Cyber Asset. "Bright-line" is a legal term describing a decision process. A "bright-line" rule: "...is a clearly defined rule or standard, generally used in law, composed of objective factors, which leaves little or no room for varying interpretation. The purpose of a bright-line rule is to produce predictable and consistent results in its application." That is, a "bright-line" rule is one which can be decided by looking at facts and measurements. This is in contrast with, say, a "fine-line" rule in which decision-makers exercise judgement to try to distinguish between two very similar positions on a gray scale, or a "balancing test" rule, where decision-makers must evaluate many very different kinds of factors in reaching a conclusion. In summary, CIP-002-4 defines assets as critical if they are essential to the reliable operation of: transmission lines operating at greater than 300-500 KV, depending on their connectivity, reactive power assets larger than 1000 MVAR, generation sites larger than 1500 MW in a single interconnection, certain assets essential to blackstart capabilities, assets able to automatically shed load of 300MW or more, and a number of types of control centers. This new, uniform definition of a Critical Asset is expected result in most utilities with generation or transmission assets identifying a fair number more Critical Assets than they did under CIP-002 versions 1-3. Looking Forward FERC's concern for the security of the bulk electric system is understandable. While the electric system as a whole is protected by many physical redundancies, the system is currently designed to deal with "random" failures. The concern is that advanced threats to the electric system are developing the ability to sabotage industrial control systems and potentially cause widespread, coordinated failures. These threats are not "boasting-rights" hackers or even organized crime, but rather nation-state intelligence agencies and militaries. Preserving the reliability of the electric system in light of these threats demands that cyber assets controlling the grid are adequately protected from deliberate attack. The new CIP standards represent an opportunity for utilities to recognize these emerging threats, and to invest in real security programs to protect the security and reliability of the electric system for the public at large.