My last post regarding NERC CIP V5 concerns the automatic ‘Low’ classification of blackstart generation resources that do not meet the bright-line criteria. The committee cites compliance costs and a potential withdrawal of blackstart resources as the primary drivers for defaulting to Low. The committee states that the ‘Low’ ranking is the least detrimental option available because the withdrawal of blackstart would result in a decrease in reliability. This justification is likely based on the (usually accurate) rule that having fewer blackstart resources results in higher risk during grid restoration.
The other side of the argument is that when all else fails, there is only blackstart. During a wide-area blackout, there are NERC Critical Assets that require blackstart in order to transform from hunks of steel, concrete, wiring, and fuel into beefy producers of bulk electric power. Requiring zero technical methods of preventing cyber security compromise of blackstart resources (i.e. the Low Impact rating) does not help assure a reliable restart of the grid in an emergency. Because of the critical, but limited, nature of blackstart, I’m proposing that the following set of controls, pulled from the NERC CIP V5 standards, be applied to blackstart resources in addition to the ‘Low’ requirements:
- Require a list of cyber assets associated with reliable operation. This has been cited in numerous cyber security publications as a minimum requirement, no matter your cyber security posture.
- Require an electronic security perimeter be established to surround those cyber assets, and limit access to only those functions and systems necessary for reliable operation. Isolation from other non-control networks has been identified even by control system engineers as a necessary practice, so enforcing and documenting the ‘current’ isolation should not be much more difficult. If isolation is being done, of course.
- Require logging of all traffic into and out of the electronic security perimeter, but no requirement for active monitoring. While most security professionals are likely screaming, this allows root-cause analysis in case the system is found to be compromised at a later date. If you can’t prevent it, log it and point the finger later.
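To make the three proposed controls concrete, here is an illustrative model of them as an added example (not code from the original post or from NERC): an asset inventory, a perimeter allow-list of the flows needed for operation, and a log of every crossing flow that can later be queried for root-cause analysis. Every asset name, address and port below is a constructed example.

```python
"""Model of the three proposed blackstart controls: (1) a cyber asset
inventory, (2) an electronic security perimeter (ESP) that permits only
flows needed for reliable operation, and (3) logging of every flow that
crosses the perimeter, so a later compromise can be traced back.
All addresses, names and ports are constructed examples."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# (1) Inventory of cyber assets inside the blackstart ESP (constructed).
INVENTORY = {"10.10.1.5": "bs-gen1-plc", "10.10.1.6": "bs-gen1-hmi"}

# (2) Allow-list of flows needed for operation: (src, dst, dst_port).
# Anything not listed is denied at the perimeter (constructed values).
ALLOWED = {("10.20.0.9", "10.10.1.6", 443)}  # dispatcher -> HMI over TLS


@dataclass
class Perimeter:
    log: list = field(default_factory=list)

    def decide(self, src, dst, port, ts=None):
        """Apply the allow-list to one flow and log it either way (3).
        Returns True when the flow is permitted, False when denied."""
        allowed = (src, dst, port) in ALLOWED
        self.log.append({
            "ts": ts or datetime.now(timezone.utc),
            "src": src, "dst": dst, "port": port,
            "action": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def history(self, asset_ip):
        """Root-cause helper: every logged flow touching one inventoried asset."""
        if asset_ip not in INVENTORY:
            raise KeyError(f"{asset_ip} is not an inventoried cyber asset")
        return [e for e in self.log if asset_ip in (e["src"], e["dst"])]

    def denied_sources(self, asset_ip):
        """Count denied flows per source for one asset: the 'point the finger'
        view once a compromise is suspected."""
        return Counter(e["src"] for e in self.history(asset_ip)
                       if e["action"] == "DENY")
```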