Last week, the Federal Energy Regulatory Commission (FERC) granted a motion to postpone implementation of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) V5 Standards from April until July 1, 2016. Ted Gutierrez, the industrial control systems (ICS) & NERC CIP Product Manager at the SANS Institute, conceded that the announcement was indeed “a head scratching move from FERC,” as the implementation of V5 is now delayed to coincide with the unveiling of the V6 standards. As such, facility owners and operators may choose to disregard V5 implementation, despite the financial penalty, and opt instead to prepare for the V6 standards.
In November 2013, FERC approved Version 5 of NERC CIP, and the requirements to which owners and operators were to conform were to become enforceable beginning in April of 2016. Version 5 represents the most material change in requirements in more than 10 years, which reflects both the expanding threat landscape and the progress achieved in mitigating cyber risks to the electric grid. Most notably, penalties for noncompliance can include a fine of up to $1 million per day per violation.
The NERC CIP V5 standards significantly broaden the scope of the systems protected: all facilities that meet the definition of bulk electric system (BES) will now be subject to the regulations. This part of the mandate, in particular, represents a major step forward in securing the integrity of American power and utilities, and is especially important following confirmation that a malware attack crippled the Ukrainian power grid and reports that Japan’s critical infrastructure is under repeated attack.
The current CIP standards, Version 3, cover only power facilities that their owners or operators have determined to be critical assets. Because that determination was discretionary and difficult to make, many facilities chose not to position themselves as critical, in order to avoid the compliance obligations. With Version 5, however, every BES facility will be subject to at least some requirements.
One of the primary additions in NERC CIP V5 is the requirement that BES facilities continuously monitor their network communications, which is something that anomaly detection and situational awareness software can help with. NERC CIP V5 also mandates that systems have one or more methods for detecting malicious communications, such as an intrusion detection system or an application layer firewall. NERC CIP V5 likewise requires threat detection methods that deter, detect and prevent system penetration by malware, attack scripts and exploit frameworks. In addition to more proactive detection and mitigation of threats, facility owners and operators will also be required to log cybersecurity incidents from initial identification, through remediation, all the way to the post-event investigation.
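To make the monitoring and incident-logging requirements described above concrete, the following is an added example (not code from this article, from NexDefense, or from the NERC standards themselves). It assumes a hypothetical flow-record format of `<timestamp> <src> <dst> <dst_port> <proto>`, learns an allowlist of conversations from a known-good window, flags any conversation outside that baseline, and records each alert as an incident that advances through constructed lifecycle states (identified, contained, remediated, post-event review, closed). All hosts, addresses and timestamps are constructed sample data.

```python
# Added example (not from the article or NexDefense): a baseline-driven
# communication monitor for an ICS segment, with incident records that carry
# a case from identification through remediation to post-event review.
from collections import namedtuple
from dataclasses import dataclass, field

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed sample records in the assumed format
# "<timestamp> <src> <dst> <dst_port> <proto>". Addresses are invented:
# 10.0.1.10 plays an HMI, .20/.21 PLCs on Modbus/TCP (502), .30 a DNP3 outstation.
BASELINE_LINES = """\
2016-02-01T08:00:00 10.0.1.10 10.0.1.20 502 tcp
2016-02-01T08:00:05 10.0.1.10 10.0.1.21 502 tcp
2016-02-01T08:00:10 10.0.1.10 10.0.1.30 20000 tcp
""".splitlines()

MONITORED_LINES = """\
2016-02-02T08:00:00 10.0.1.10 10.0.1.20 502 tcp
2016-02-02T08:00:02 10.0.1.99 10.0.1.20 502 tcp
2016-02-02T08:00:04 10.0.1.10 10.0.1.21 22 tcp
2016-02-02T08:00:06 10.0.1.10 10.0.1.30 20000 tcp
""".splitlines()


def parse_flow(line):
    """Parse one flow record in the assumed whitespace-separated format."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def conversation_key(flow):
    """A conversation is identified by who talks to whom, on which service."""
    return (flow.src, flow.dst, flow.dport, flow.proto)


def learn_baseline(lines):
    """Allowlist of conversations observed during a known-good learning window."""
    return {conversation_key(parse_flow(line)) for line in lines}


def detect_anomalies(baseline, lines):
    """Return every flow whose conversation never appeared in the baseline."""
    return [f for f in map(parse_flow, lines) if conversation_key(f) not in baseline]


# Constructed incident lifecycle; each state may only advance to the next one.
TRANSITIONS = {
    "identified": "contained",
    "contained": "remediated",
    "remediated": "post_event_review",
    "post_event_review": "closed",
}


@dataclass
class Incident:
    ident: int
    flow: Flow
    state: str = "identified"
    history: list = field(default_factory=list)  # (ts, from_state, to_state, note)

    def advance(self, ts, note):
        """Move to the next lifecycle state, keeping an audit trail of each step."""
        nxt = TRANSITIONS.get(self.state)
        if nxt is None:
            raise ValueError(f"incident {self.ident} is already closed")
        self.history.append((ts, self.state, nxt, note))
        self.state = nxt
        return nxt


def open_incidents(alerts):
    """One incident record per anomalous conversation, starting at 'identified'."""
    return [Incident(i + 1, flow) for i, flow in enumerate(alerts)]


def run_example():
    """Learn the baseline, monitor the second day, and work the first incident."""
    baseline = learn_baseline(BASELINE_LINES)
    alerts = detect_anomalies(baseline, MONITORED_LINES)
    incidents = open_incidents(alerts)
    first = incidents[0]  # the unknown host 10.0.1.99 talking Modbus to a PLC
    first.advance("2016-02-02T08:05:00", "source blocked at the perimeter firewall")
    first.advance("2016-02-02T09:00:00", "unauthorised laptop removed from the LAN")
    first.advance("2016-02-03T10:00:00", "root cause documented; port security enabled")
    return alerts, incidents


if __name__ == "__main__":
    alerts, incidents = run_example()
    for a in alerts:
        print("ALERT new conversation:", a)
    for inc in incidents:
        print(f"incident {inc.ident}: state={inc.state}, {len(inc.history)} transitions")
```

The second monitored day produces two alerts: an unknown host speaking Modbus/TCP to a PLC, and the HMI opening an SSH session to a PLC it normally reaches only on port 502. A pure allowlist of this kind is deliberately simple; in practice it is tuned with time-of-day and volume baselines and paired with protocol-aware inspection, but it illustrates why continuous monitoring and a traceable incident record are treated as complementary requirements.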
For almost 3 years, NERC took a flexible compliance monitoring and enforcement approach during what it called a “Transition Period.” The goal was to help with the logistical transition, but also to educate owners and operators on the technical security requirements of NERC CIP V5. But with roughly 5 weeks until NERC CIP V5 was set to become enforceable, FERC decided to grant the petition by several electric trade organizations to postpone implementation.
This delay comes as a surprise to many in the industry who have worked so hard over the past three years to reach compliance. As Gutierrez wrote on the SANS blog:
“I’m concerned about the perception these types of decisions create. The electric industry is full of hard working, incredibly dedicated people who want to do the right thing. But that thing keeps changing. These folks will undoubtedly feel silly having to explain to their leadership how the race to April 1 wasn’t so urgent after all. Frankly it makes FERC, NERC and the industry look inept to those not close enough to understand it all. I really wish the regulators would get their act together and stop putting entities in this position. CIP really is hard enough already.”
While most agree that NERC CIP V5 will help reduce risk, the standards should not be mistaken for a final or ‘absolute’ solution that permanently minimizes the majority of cyber risk. In fact, the unintended consequence of any regulation is that it can easily lead organizations into a ‘check-the-box’ mentality. Instead, standards should be interpreted as models and guides that prompt industries and organizations to take action, rather than sit idle and admire new and existing security challenges and threats.
Only time will tell how seriously owners and operators take V5 now that V6 is confirmed to release on the same day that V5 is scheduled to take effect. Regardless, this delay underscores the need for the energy industry to create a security culture that prioritizes the mitigation of dangerous and frequent cyber threats over the politics that hinder even the most well-intentioned industry standards and guidelines.
About the Author: Doug Wylie is the vice president of product marketing at NexDefense, a leading provider of cybersecurity for industrial control systems.