During the last several years, you have heard me speak at conferences and through outreach about how to stop chasing your tails with the next NERC CIP Standards version. Even back at my first CIP Compliance Workshop while I was at TRE in the V1/V2 days in 2008, I said that because the NERC CIP Standards were so terribly vague and inconsistently written people should start looking at things like the NIST 800 series publications. After all, NIST was then and continues to be a proven security framework that will sustain the industry much further than the very tedious NERC Standards Development Process. Coming out of the federal space at DHS and DoD, aka inside the DC Beltway, where things like NIST and FISMA were dealt with daily, I was a bit shocked to see that most of the people in that first TRE workshop had no idea what I was talking about. Since then, NIST has continued to evolve. We also have the ES-C2M2 model and the SANS Top 20 Critical Controls.
While everyone is trying to implement their CIP V5 programs ahead of what is still expected to be an April 1, 2016 Compliance Date from NERC, it is obvious to me that with regard to NERC CIP, the industry has never been more confused. Do I early adopt V5? Do I stay with V3? What do the V6 and V7 timelines look like? Fortunately, Tom Alrich has been doing an amazing job with his blog to track and report on all of the latest in NERC CIP version changes and interpretations as well as pose some very logical questioning as to what the intent and reality are with regard to NERC CIP V5 Implementation.
All that being said, I'm a big fan of the "Keep It Simple Stupid" (KISS) philosophy. Yes, there are tons of debatable topics currently on the books with regard to NERC CIP V5's auditability and intent. If you have to focus on every last detail of the NERC CIP Framework, you are going to continue to lose your minds. April 1, 2016 is still the V5 Compliant Date. Keep that in sight. The NERC Guidelines and Technical Basis and Lessons Learned documents, while not enforceable, are the best things the industry has right now. Use them. Don't over-think it. Yes, lawyers may be insanely busy fighting Potential Violations, but as a NERC-registered entity, I've got to think that if you leveraged their documented guidance, you have a better chance at winning your case than if you ignored the guidance and came up with something on your own. So. What is the solution to this NERC madness? Controls. The NERC Reliability Assurance Initiative (RAI) was launched with, depending on who you talk to, varying levels of success. The one thing I believe RAI got right was for NERC Registered Entities to start thinking about documenting security controls and adopting a sustainable controls model that focuses on how you execute your security/operations program. I'll take it one step further by suggesting you look more holistically at defining your controls. I've given many presentations on my "Quality vs Quantity" Controls approach where I recommend looking across all of your regulatory frameworks, finding the interdependencies, and creating a 1-to-many control that satisfies multiple compliance verticals. For example, SSAE 16 has a Segregation of Duties (SOD) control that is far more prescriptive than a NERC requirement -- adopt the SSAE 16 control for NERC as well. If there's ever been a time for taking a more holistic approach to security controls, it's now.
With everyone constantly trying to hit a moving target with the NERC CIP, why not take a look at what other frameworks do well and adopt those controls? Defining controls up front that are security/operationally driven, where compliance is a byproduct of operational/security efficiencies, is the only way to bridge the huge gap between compliance and security/operations. A couple of years ago, The Anfield Group put out a mapping chart of controls to SSAE 16, SOX, NERC, ISO, and HIPAA. We also did a CIP Ver 3-5 and SANS Top 20 Critical Controls poster with the SANS Institute that was extremely well received by the industry. In the coming weeks, we will be updating our controls to the NERC CIP 3, 5-7, ES-C2M2 and SANS Top 20 and be providing that to the industry. We think you will find it extremely helpful. Please stay tuned.
Chris Humphreys, The Anfield Group
Utilities Expected to be Omitted from ISAOs
On February 13, Executive Order 13896 was signed at the White House. Its purpose is to promote private sector Cybersecurity Information Sharing. The executive order encourages the Secretary of Homeland Security to develop Information Sharing and Analysis Organizations (ISAOs) for sharing information, some of it classified. At the CIPC committee meeting held March 10-11 in Jacksonville, it was announced that DHS will soon issue an RFP for defining ISAOs. It seems likely that utility companies will not be included in the ISAOs.
Cybersecurity Information Sharing Act Moves Ahead; Privacy Concerns Expressed
On March 17, the Senate Intelligence Committee released the text of its Cybersecurity Information Sharing Act which they had approved the previous week on a vote of 14-1. The purpose of the Act is to make it more difficult to launch cyber attacks similar to the one that infamously infiltrated Sony. This Act provides an opportunity for private industry to share cyber threat information while receiving expanded liability protection from the government. The bill has already received considerable opposition from groups concerned about its potential impact on personal privacy. The bill is a bipartisan effort and could quickly move to the full Senate -- maybe as soon as early April.
FERC Issues 2014 State of the Market Report
On February 19, FERC issued its annual report on the State of the Market. It's always good to get a look at the Big Picture, so here are some highlights for the electric utility industry:
Nationally, electricity demand remained flat compared to 2013.
Residential demand rose slightly driven in part by the extreme weather in the first quarter, while industrial demand declined.
Energy efficiency measures and growth in behind-the-meter generation, such as rooftop solar, helped moderate the growth in electricity demand at utilities.
Electricity spot prices rose across the country in 2014, with regional prices reflecting, in part, variations in natural gas prices. The largest increases were in PJM, where average on-peak day-ahead prices at the Western Hub rose 38 percent due to price spikes in the first quarter. Prices in the Pacific Northwest, where increased hydro generation kept prices down, were the lowest in the country.
Total generating capacity increased by 10.8 GW in 2014. The largest change came in natural gas capacity, which rose by 7.7 GW. Net wind installed capacity increased by 5 GW. Net utility-scale solar capacity additions plateaued at 4 GW.
For a copy of FERC's 2014 State of the Market report, click here.
CIP V5 TRANSITION UPDATE
Understandably, CIP V5 transition remains a major topic of discussion for the industry. At the CIPC Committee meeting held March 10-11 in Jacksonville, committee members asked numerous questions regarding the transition. Tobias Whitney, NERC's CIP Compliance Manager, was there to provide the latest answers.
He reviewed the current situation and reminded everyone that six entities have tested V5. Based on their experience, a series of Lessons Learned have been released for comment. Following comments, they will go to the Standards Committee for approval. He emphasized that the Lessons Learned are guidance documents only. They do not alter requirements. By following guidance, entities meet compliance. However, any violation revealed by an audit will reference a standard, not any sort of guidance provided.
NERC is communicating a risk-averse approach through the Lessons Learned -- it is conservative advice. "We are trying to provide clarity, not tell you what kind of hardware you have to use," Whitney said. In response to a committee comment that maintained that auditors were trying to tell the industry how to implement the standards and that too many auditors were involved, Whitney said he disagreed -- "auditors are important, but are considered to be performing a checklist, not writing standards." He concluded by saying April 1 remains the goal for getting out as much information as possible.
Current Lessons Learned available for comment are:
How safe is our power grid?
Here is CNN's recent two-minute tour of the National Cybersecurity and Communications Integration Center (NCCIC - pronounced "n-kick").
As we first mentioned back in December, The Anfield Group has been helping RedSeal Networks map their solution's NIST security controls to the NERC CIP V5 Framework. RedSeal's sweet spot with respect to NERC CIP is going to be in the areas of network architecture simulation/testing (CIP-005-5) and network configuration management (CIP-010-1). Their network visualization capabilities complement solutions like Tripwire nicely. RedSeal's focus on holistic security controls definition and design aligns with The Anfield Group's strategic vision of a controls-based approach to compliance and security. Based on our review, we suggest that you check out RedSeal's ability to deliver three core security controls: Visibility; Verification; and Prioritization. You can find details here.
April 2: Energy Cybersecurity Luncheon in Houston
The Anfield Group has joined with the Oracle Corporation and Deloitte to present an exclusive networking opportunity to connect with fellow energy industry executives and hear about prevalent security threats and appropriate preventative measures. This April 2 luncheon event from 11 a.m. to 2 p.m. at Houston's St. Regis Hotel will feature a very diverse audience made up of oil and gas and electric utility security experts. It provides an ideal opportunity to share the latest cyber security strategies and tactics from throughout the energy industry. The Anfield Group's presentation will focus on security and compliance best practices for ICS & SCADA owners & operators. For more information and reservations (required), contact Elizabeth Poplawski at 703.395.2709 or elizabeth.wilson@oracle.com
Mark Your Calendar: Summit Is Coming!
The Anfield Group's ever-popular Technologies for Security and Compliance Summit returns August 5-6 to Barton Creek Resort in Austin! Again this year, the Summit will feature presentations by vendors selected on the basis of their ability to provide an accompanying industry representative who can describe his utility's success in using the product. Plus, SANS will conduct a two-day workshop to introduce their latest outstanding training program. Registration for the core summit is FREE. (There is a charge for the SANS workshop.) And yes, we will again offer an opportunity to play in a Summit Golf Tournament at Barton Creek -- the number one golf resort in Texas! We will provide more details soon.
TAG's NERC CIP Version 5 White Paper Available
Just in case you forgot to download your free copy of our new white paper discussing the biggest challenges for utilities to overcome to implement NERC's CIP Version 5, it is still available. The white paper describes the challenges, discusses how each differs between CIP Version 3 and Version 5 and offers suggestions on how to successfully meet these challenges. For a copy of "NERC CIP Version 5: Top 10 Challenges With Suggested Solutions," simply click here.
USA TODAY Reviews Grid Attacks
Yesterday, USA TODAY featured a lengthy article on what it described as the result of its investigation into cyber and physical attacks on the nation's power grid. According to the article, the information presented was derived from working with 10 Gannett newspapers and TV stations "and drawing on thousands of pages of government records, federal energy data and a survey of more than 50 electric utilities." The article even looks at NERC's enforcement of cyber rules designed to protect the grid and asks why, at a time of increasing attacks, enforcement "has decreased in recent years." NERC's President and CEO Gerry Cauley has a good answer. USA TODAY has 5 million readers daily. You can read this interesting article in its entirety by clicking here.
In last month's issue, we incorrectly credited FERC with issuing guidelines designed to help the industry meet NIST framework goals. Actually, FERC was not involved in this project. Instead, it was the Department of Energy that put the guidelines together and issued them. We would like to thank David Norton, CIP Advisor for FERC's Office of Electric Reliability in Hagerstown, MD, for pointing out our error.