
SPP Critical Infrastructure Protection Working Group Meeting

Since leaving my post at a utility company and joining the Digital Bond team, my attention level to the NERC CIP saga has dropped off a bit. I’m back up to date now, though, after attending the SPP CIPWG meeting earlier this week. (SPP is the RTO and RE in my part of the country.) I believe the NERC CIP standards are a good start and have experienced firsthand the positive culture shift resulting from senior management’s increased attention to security concerns. The ongoing process of all the entities involved working out the details, however, can be quite painful and slow. And then there are the “security vs. compliance” issues. Call me an optimist, but I still believe that something is better than nothing. But this is an old discussion and I digress…

Here are a few things that caught my attention at the meeting:

  • FERC Order 706 – The NERC Standards Committee is reworking the CIP standards as directed by FERC. They are looking for industry experts to serve on the Cyber Security SAR Drafting Team. More details are available here.
  • More guidelines coming – NERC uses guidelines to help supplement standards. One of the problems has been how to keep the guideline from becoming an implied standard. To help alleviate this concern, the NERC CIPC now approves guidelines rather than the Board of Trustees. The Threat and Incident Reporting Guideline was approved at last week’s CIPC meeting and we can expect more to come. The one in which I am most interested is Critical Asset Identification. This is a weak spot in the standards that gives too much leeway in determining a risk-based assessment methodology and ultimately which assets are deemed critical.
  • “Aurora Vulnerability” response survey – Last year’s underwhelming response to the ES-ISAC’s survey regarding mitigation of the “Aurora Vulnerability” was followed up by a proposal from FERC to force another survey. The OMB apparently denied their proposal. A group of trade associations has now proposed a representative sample method for surveying asset owners. NERC will not be involved in the process. Is this a case of industry getting done what the government cannot? We’ll stay tuned and find out.

In addition to the NERC CIP topics, there were two guest presenters (both repeats from the SANS SCADA Security Summit back in January). Rita Wells from INL gave her presentation “Common Vulnerabilities, Recommended Mitigations and NERC CIP 002-1 through 009-1 mapping based on the 13 in lab and on-site assessments funded by the DOE-OE National SCADA Test Bed (NSTB).” It can basically be summarized like this – control systems have a lot of vulnerabilities and NERC CIP is no silver bullet. Since INL has NDAs with all the participants, asset owners will have to trust that their vendors are doing something about the vulnerabilities. Apparently some vendors and user groups are taking the results seriously so that is good news.

Tim Roxey of Constellation Energy gave an Aurora vulnerability update. I’ve heard some engineers and others downplay Aurora. I think it may be because of the lack of detailed information and their inability or unwillingness to think like an attacker. That said, I did learn a bit more about the problem from Tim’s presentation.

It was good to catch up with some old friends and make some new ones. Overall I was pleased with the meeting but it is evident that this industry still has a lot of work to do to translate standards, guidelines, and reporting processes into better security at a practical level.
