By Jim White, Uniloc USA
When it comes to the electric utilities industry, regulatory compliance is more than a goal for information technology departments; it’s the lifeline of the organization.
With seemingly endless solutions on the market, many utility IT departments have made significant inroads in the past few years in becoming compliant and striking a balance between attention to regulatory detail and supporting the critical projects and initiatives that keep the organization functioning.
Although it might be difficult to confront, not all IT groups in the electric utilities industry are fully compliant with information-security regulations.
The Self-certification Problem
Michael Assante, vice president and chief security officer of the North American Electric Reliability Corporation (NERC), recently addressed the widespread under-identification of qualifying assets. In a letter to power industry stakeholders about the self-certification survey for NERC Reliability Standard CIP-002-1 covering July 1 through Dec. 31, 2008, Assante wrote:
The survey results, on their surface, raise concern about the identification of Critical Assets (CA) and the associated Critical Cyber Assets (CCA) which could be used to manipulate them. In this second survey, only 31 percent of separate (i.e. non-affiliated) entities responding to the survey reported they had at least one CA and 23 percent a CCA. These results are not altogether unexpected, because the majority of smaller entities registered with NERC do not own or operate assets that would be deemed to have the highest priority for cyber protection… Closer analysis of the data however suggests that certain qualifying assets may not have been identified as ‘Critical.’… Although significant focus has been placed on the development of risk-based assessments, the ultimate outcome of those assessments must be a comprehensive list of all assets critical to the reliability of the bulk electric system.
In any critical infrastructure sector, the nature of self-certification makes it easy to evade the letter of the law, however unintentionally. Even when a company is making progress toward compliance, human nature and economic pressures can lead overworked professionals to cut corners, and an entity that classifies none of its assets as critical has, on paper, nothing left to protect. Self-certification is not sufficient.
The Thompson-Lieberman Bill: A Harbinger of Things to Come?
Following the publication of the NERC survey results, in which roughly two-thirds of the responding entities reported no Critical Asset at all and more than three-quarters reported no Critical Cyber Asset, The Wall Street Journal published a story on how foreign states including China and Russia are actively studying and mapping our national electric utilities for vulnerabilities in their cybercontrols. This quickly led to an April 9 memo by Congressman Edward Markey to the Federal Energy Regulatory Commission (FERC) calling for increased cybercontrols in the utility sector.
Shortly thereafter, new legislation was proposed in Congress in the Thompson-Lieberman bill, which calls for:
- The assessment and establishment by FERC of interim standards deemed necessary to protect against known cyberthreats to critical electrical infrastructure,
- New authority for FERC to issue “emergency rules or orders” to address cybersecurity threats once agency agreement on the threat has been established, and
- The Department of Homeland Security to investigate whether or not the security of federally owned utilities has been compromised by outsiders.
Every sector within critical infrastructure will benefit from a more proactive and thorough approach to regulatory compliance, particularly if failure to take a more rigorous approach leads to increasing regulation.
Congratulations on Compliance, Here’s Your Next Challenge
Let’s say that your organization has completed regulatory compliance boot camp: you’ve trained your employees, documented your policies and procedures, implemented your processes and are fully compliant. Kudos on your diligence; this might give your business an advantage in its marketplace, and you might be rewarded for it in your career.
Here’s some daunting news for you: Being compliant is not the same as being secure. You might already know or have suspected this, and yet this might not be top of mind as the demands of daily operations and meeting organizational goals leave your IT department stretched thin.
Being compliant in today’s threat environment isn’t enough to guarantee that your organization is secure and maintaining continuous operations, or even that it survives as a service provider. Industry regulations never were intended to be sufficient; they were designed as frameworks within which IT groups could begin studying and outlining more rigorous security for their own particular environments. Most challenging of all, cyberthreats to the energy sector are growing both in the number of potential attackers and in scope. As Assante said in his letter to the power industry:
But as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations… A number of system disturbances, including those referenced in NERC’s March 30 advisory on protection system single points of failure, have resulted from similar, non-cyber-related events in the past five years, clearly showing that this type of failure can significantly ‘affect the reliability (and) operability of the bulk electric system,’ sometimes over wide geographic areas.
Taking this one step further, we, as an industry, must also consider the effect that the loss of that substation, or an attack resulting in the concurrent loss of multiple facilities, or its malicious operation, could have on the generation connected to it. One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance. The majority of reliability risks that challenge the bulk power system today result in probabilistic failures that can be studied and accounted for in planning and operating assumptions. For cyber security, we must recognize the potential for simultaneous loss of assets and common modal failure in scale in identifying what needs to be protected. This is why protection planning requires additional, new thinking on top of sound operating and planning analysis.
As noted, the power industry is not alone in needing to think more broadly about genuine security. As current events illustrate, security is not simply passing the test; it is an ongoing process that must be monitored daily. Your own definition of security should include your group’s evaluation of:
- The financial consequences to your organization after a successful cyberattack,
- The effect on the municipality, community or industry you serve, and
- The resulting effect on your own career as an IT professional and the careers of your co-workers.
The Compliance Model vs. a Risk-management Model of Security
Compliance is a state, a measurable result against a fixed requirement. Security is a process, evolving with the threat matrix and different for each enterprise based on its risk.
Because compliance is based on standards, and standards are written by consensus, a standard can only capture an average view of what was adequate at a particular point in time. Compliance therefore leads organizations to accept a requirement derived from the average risk analysis for an industry or segment. There is no expectation that these regulations or standards result in security, only that a minimum framework has been put in place. Some enterprises nonetheless treat compliance as a get-out-of-jail-free card for avoiding a penalty or fine instead of as a framework for developing an ongoing process to secure their operations against evolving cyberthreats.
A risk-management model, by contrast, takes a much broader approach to security, aiming for robust business-continuity plans with meticulous, organizationwide incorporation of best practices in all processes.
Comprehensive network security requires accepting that it is part of the corporation’s fiduciary responsibility to the communities it serves and to its investors. Cybersecurity should be an integral part of an ongoing business-continuity plan that is reviewed, updated, implemented and managed. It cannot and must not be an end state.
To achieve this security, the electric power sector must accept the challenge of adopting a big-picture approach that is backed by small checkpoints carried out daily. This approach would have your IT and security groups commit to:
- Ongoing evaluation and adoption of best practices and best technologies for cybersecurity,
- Continuous threat evaluation,
- Daily practice of security with rapid change in practices in response to changes in the risk environment, and
- Treatment of security as an integral part of the business, not a one-time project or exercise.
Jim White is vice president of critical infrastructure security at Uniloc USA.
More PowerGrid International Issue Articles