Why is NERC CIP Scope Insufficient?

LDCs should be mandated to be NERC CIP compliant

Last week I asked if electrical utilities’ IT security is de facto guaranteed by compliance with the NERC CIP standard.

With no disrespect whatsoever intended towards NERC or their CIP standard, I continue my well intended questioning, especially after an esteemed colleague phoned me to discuss my article. So here goes.

The scope of NERC CIP does not include local distribution companies LDCs who bring electricity (or their equivalent in the natural gas industry) “the last mile” to the client. NERC CIP does mandate compliance for electrical transmission and generation utilities . Yet LDCs along with transmission and generation utilities are all capable of causing cascading network failures.

Without overdramatizing the situation, it is possible for a single node failure in any system to potentially cause successive failures to ripple through other networks to which they are connected. This concept equally applies to various types of networks including electrical, telecommunications, and of course specifically to the Internet. This concept is described in detail with accompanying graphic illustrations the article Model for Cascading Failures in Complex Networks .

The key point here is that even a small electrical distribution network can cause a major blackout by ripple effect. To keep on point, the role of control software in electrical networks is crucial to their stability. The article published by MIT “The 3 R’s of Critical Energy Networks: Reliability, Robustness and Resiliency” addresses how and why both SCADA and control software play a pivotal role in network stability. With the possibility of LDCs being possible instigators of cascading network failures I therefore suggest NERC CIP should equally apply to all LDCs.

Credit Due to Evolving NERC CIP Standards

I am impressed with three new NERC CIP standards:

CIP 001-1 — Sabotage Reporting was adopted by NERC in 2009. This standard adds pro-active elements of both identifying and reporting anomalous or suspicious events and activity, and adds real-time response to the existing standard 008-1 Incident Reporting and Response Planning. This is critically important for stopping malicious activity before it causes damage and downtime.

CIP 010 -1 cyber system categorization is pending. IT important for those responsible for SCADA security but who may have difficulty in cost justifying security budgets to senior executive. I believe this element assists the person creating the cost justification business case increase scope of their business case accordingly.

CIP 011-1 cyber system protection is pending. This standard is an excellent drill-down to the existing 005-1 Electronic Security Perimeter and 006-1 Physical Security of Critical Cyber Assets, again valuable as a tool for those creating cost justification cases. It provides for the inclusion the appropriate scope for proposed security budgets. While these standards are excellent additions to NERC CIP they still do not mandate compliance for LDCs. Have a secure week. Ron Lepofsky CISSP http://www.ere-security.ca/

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2010 IDG Communications, Inc.