Security: organic effort required for cyber security
EPRI expert offers guidance on issues, how to proceed
Editor's note: This article is the first installment of a three-part series that runs today and Monday and Tuesday next week.
A few mantras, deconstructed, might serve to introduce a conversation with Annabelle Lee, a technical executive for cyber security at the Electric Power Research Institute (EPRI) and formerly a senior cyber security strategist at the National Institute of Standards and Technology (NIST).
Mantra: "Compliance does not equal security." Deconstruction: Though there's a mandate to comply with critical infrastructure protection (CIP) measures issued by the North American Electric Reliability Corporation (NERC), those apply to generation and transmission, not distribution. Implementation of best-practice security processes, procedures and countermeasures does equal security.
Mantra: "Think end-to-end security." Deconstruction: Utilities need a holistic approach to cyber security and a "turbines-to-toaster" (that is, "G" and "T" and "D") approach will help.
Mantra: "Don't reinvent the wheel." Deconstruction: Utilities can begin to develop cyber security measures by using their existing risk management framework and security strategy.
Before I lose you, let's take the plunge with Lee, who guided and coordinated the creation of the NISTIR 7628: "Guidelines for Smart Grid Cyber Security," which is available from NIST in Volume One, Volume Two and Volume Three. (Below this column we provide links to other recent cyber security columns from Intelligent Utility Daily.)
At the outset, I asked her: What can you tell utilities and regulators about implementing cyber security when standards remain in flux? Her candor was bracing.
Lee referred to the enabling legislation, the Energy Independence and Security Act of 2007 (EISA 2007), which required NIST to create an interoperability framework for the smart grid. The EISA 2007 said that when NIST developed "sufficient consensus," the Federal Energy Regulatory Commission (FERC) would post standards and invite comment.
According to EISA 2007, FERC could then "adopt" standards without enforcing compliance with them. So, much hinged on what "adopt" meant, according to Lee.
In a Jan. 31 meeting with panelists from utilities and the private sector, FERC Chairman Jon Wellinghoff explored whether there existed "sufficient consensus" around standards identified by NIST. The answer: "No."
"This left everyone up in the air," Lee told me.
Subsequently, FERC sought two rounds of comments (on April 8 and 22) in order to resolve the issue, but Lee acknowledged that this state of affairs has left state public utility commissions pondering how to move forward.
This anecdote merely underscored Lee's argument that a non-prescriptive approach to cyber security is an important strategy. The NISTIR 7628 is guidance that requires heavy lifting by every utility to protect critical assets. Guidance allows flexibility and innovation, while mandates tend to be inflexible. A one-size-fits-all approach cannot account for the variation among individual utilities' legacy systems and unique risk profiles.
It's difficult to deploy tools while utilities watch as standards are developed and vendors race to provide solutions, Lee acknowledged.
"This is another area where the IT, telecom and electric sector communities need to come together to figure out how to use these standards in the electric sector," she said. "There are some real restrictions in the electric sector that you don't have in IT. The electric sector has remote devices, limited bandwidth and processing constraints. When you consider IT/telecom-based solutions, you have to think about that.
"To correctly address cyber security, one needs to look at it end-to-end," Lee continued. "It requires examining the technical, physical, and administrative procedures. Even if FERC had adopted a specific family of standards, that would not have been the entire solution. Those would be standards designed to be applied in very specific ways. One needs to look at the entire range of security that's needed. One may have a good technical solution, however if a person is allowed to enter your building and log onto your system, you don't have good security."
In Lee's view, it is most effective for each utility to designate a cyber security leader, who may have to educate upwards to develop executive support for protecting critical assets.
"Part of the problem in approaching cyber security is that many organizations don't have people who understand this," Lee said. "Utilities don't always know the questions to ask when vendors and integrators get involved. It helps to have a person dedicated to this task, and clearly this is not something one learns overnight."
One argument that's both substantive and convincing is that cyber security addresses business-continuity vulnerability, which is a reliability and productivity issue.
One way to "sell" cyber security to executive management is to point out that a loss of business continuity is really a reliability issue, a traditional pillar of the industry, and that its loss would hurt the bottom line and the brand.
"Reliability is No. 1," Lee said. "And cyber security supports reliability. I like to tell people 'We think we're at the top of the totem pole, but we're not.' We need to support cyber security. Typically, when organizations do a generic risk assessment, cyber security is one component, not the only component. Utilities need to look at the business case, the cost, and make business-based decisions."
"The point that I emphasize about a risk management framework is that business continuity is a form of risk management," Lee concluded. "You have to make decisions on where to spend resources. What's most critical to maintain the operation of the business?"
Cyber security will be on the agenda this fall at Energy Central's Knowledge2011 conference in Amelia Island, Florida, Nov. 7-9.
Readers may also be interested in:
"Wanted: Mature Cyber Security Response Plans"
"Cyber Threats Grab Headlines"
"Cyber Security: Drivers and Inhibitors"
Phil Carson
Editor-in-chief
Intelligent Utility Daily
pcarson@energycentral.com
303-228-4757