News on CIPv5, for Generation

It was a busy week for NERC CIP last week, where comments in the Notice of Proposed Rulemaking (NOPR) from FERC indicate that CIP Version 5 will be approved. CIPv5, and the potential successive versions suggested by NOPR language, are going to have a heavy impact on generators.

But before I hop into what CIPv5 means for Generation, I want to spotlight Tom Alrich and his excellent coverage of the NERC CIP development process. Tom is an active participant in both the CIP development efforts, and in some regional efforts. Since discovering his blog, I have a better understanding of not only what direction the regulations are taking, but also why they are taking that direction. He is candid, and he is thorough, and he is, what I would term, a compliance geek. Points I expand on in this post specifically for generation, Tom has made in his posts for electric power in general. Now, for some generation geekery of my own…

Major comments in the NOPR indicate that FERC wants some very specific changes to the NOPR. The big ones that will affect generation are:

  1. Technical Cyber Security Controls for Low Impact
  2. ‘Temporary’ Cyber Assets, i.e. those that are connected for 30 days or less and connect to an ESP network
  3. Clarification on what a Generation Control Center is

First off, CIPv5 has three major categories of BES Cyber Systems: High, Medium, and Low. There are different levels of compliance expected for the different categories. From reading the NOPR, FERC wants Low Impact Assets, those that don’t fall into the Medium and High categories, to have “specific, technically supported cyber security controls” rather than the (rather weak, IMHO) policy-based controls.

The addition of technical controls will make being Low Impact a more expensive proposition for generators that haven’t needed to worry about the CIP. The Standards members have had a rough time with this one. I remember discussing at my previous job how the addition of technical controls would, given the nature of cyber security, bring into play other elements of the CIP by simple necessity. For example, the addition of a network boundary would require an inventory to determine what needs to be within the boundary, ways to access it, who has access to the network and why… which sounds suspiciously like CIP-002 R2, CIP-005 R2, and CIP-004 R4, and even CIP-006 protections if you continue reading in. So, the addition of a simple firewall could spiral into compliance-gone-mad for these Low Impact sites, which negates the idea of a Low category completely.

This is especially true for generators, who can have a large network footprint, even if they are relatively small. Even small generators have a large staff and contractor base at certain times, and rely heavily on those contractors for a lot of their work. Bringing in other measures de facto is an expensive proposition for them, simply in administration cost (access for 100 contractors takes TIME, which means MONEY). The technical controls necessary here may require significant effort from NERC to avoid bringing in numerous compliance costs when the interest is in basic security practices. I’m wrapping my head around this one as well.

Second, temporarily connected assets (what I usually call the Technician Laptop) are a soapbox issue for me. The language in the V5 definition states:

“[a] Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.”

FERC wants comment on why this clause is here, and what the outcome will be, and does so in a really sarcastic manner. Basically, they want NERC to tell them if this clause would allow “malicious code or new attack vectors”. Well, the answer to that whopper is a face-palmingly simple YES. This was a sticking point for generation folks (transmission too), because of all the support needed from outside contractors, especially for tuning operations and outages. Removal of this provision is necessary to preserve the security of a generation network, but is going to cause some aggressive discussions between generators and their vendors, vendors who are hopefully developing solutions that won’t require temporary laptops to connect. I’ll say this: roaming assets threaten the security and reliability of any automation network, and need to die a swift death. If you are a vendor who uses technician laptops like this, call me, and we’ll talk solutions.

Lastly, the definition of a Generation Control Center has been a point of contention for years, ever since I remarked that a generation control room was a Control Center due to its ability to control multiple BES assets (i.e. the individual units). Whoops. Since then, there’s been a ton of effort to put a definition in place that keeps certain systems and practices out of the scope of NERC CIP.

In my experience, the reworking of the Gen Control Center definition will affect one major contingent of generators: those that run the Bailey INFI-90 based system. This system uses a lot of non-routable protocols, and those non-routable components have no capability for cyber security. However, the best ways of getting process data out of the system DO involve routable protocols. If you are an INFI-90 owner who has avoided NERC CIP for the past 7 years, I suggest paying attention now.

Watching for direction from the SDT members on these technical controls for Low generators is going to be a priority for me over the next few months. This has the potential to bring in a lot more assets, and I’m very interested in helping those owners secure their systems.

Owners who are concerned about security, and how it can affect their generation plant, should come to my Cyber Security Training for Generation in Chicago, IL on May 17th. The training is all day long, and goes through the tasks, security practices, and concerns of securing a generation system. It’s $495 for an 8-hour session, taught by a professional engineer who has been actively involved in securing generation plants as both a consultant and a utility employee.

title photo by scottfeldstein
