The security of the U.S. electrical generation and transmission system is being called into question. Revelations of past cyber attacks are being scrutinized by Congress, the Obama Administration and the national media. Because these cyber security concerns have now been publicly disclosed, all owners and operators of generation and transmission assets are on notice of the problem and face increasing liability. This makes clear the need for a formal review by such entities and the implementation of formal company policies and procedures consistent with the requirements of the cyber security standards of the North American Electric Reliability Corporation (NERC).
In response to a series of public disclosures, including a front-page article in the Wall Street Journal on April 8, NERC (the organization charged with establishing and enforcing standards for protecting the cyber assets of the U.S. electric grid) expressed public concern that many generation and transmission assets that qualify as "critical assets" or "critical cyber assets" under NERC standards are not being properly identified and protected. Michael Assante, NERC's chief security officer, voiced particular concern about a recent survey in which 71% of generation owners and generation operators did not identify a single critical asset in their portfolio. In part as a result of media attention on this lapse in industry focus, NERC and the U.S. government are increasingly focused on enforcing existing cyber security compliance requirements.
NERC Reliability Standard CIP-002-1 (Critical Cyber Asset Identification) requires generation owners and operators subject to the NERC requirements to implement a risk-based assessment methodology to identify their critical assets and associated critical cyber assets. Such entities must identify and document risk-based assessment methodologies, apply such methodologies annually, review their lists of critical assets and critical cyber assets at least annually, and have a senior manager approve and sign the lists annually. Once an entity has identified critical cyber assets, NERC Standards CIP-003 through CIP-009 impose required procedures for ensuring the protection of those assets, including: (1) appointing a senior manager to oversee implementation of the CIP standards; (2) raising and maintaining security awareness, and screening and training personnel; (3) establishing electronic and physical safeguards; (4) establishing change control procedures; and (5) creating response and recovery plans.
NERC recently issued guidelines for determining what generation resources qualify as critical assets. For example, a single unit, or a group of units in common mode failure, should be considered critical if: (1) its output exceeds the contingency reserve determined by the Regional Reliability Organization; (2) its failure can be predicted to cause voltage or frequency collapse of the bulk power system; or (3) its operation is essential to system restoration. Evaluation under such risk-based assessment methods must be supported by reasonable bases, such as: (1) engineering assessments based on system simulations or informed professional judgment; (2) authoritative studies, such as regional transmission planning studies; or (3) specific equipment uses or designations that signify critical support to the bulk power system, such as generation output exceeding the contingency reserve for the area. Finally, in performing these assessments, NERC is suggesting that generation owners and operators consider: (1) using a "rule out" approach (i.e., assuming every asset is critical unless demonstrated otherwise) instead of an "add in" approach (i.e., starting with the assumption that no assets are critical); and (2) that cyber assets might not merely fail but be manipulated and misused—perhaps across a network of cyber assets.
The scrutiny of the cyber security of the U.S. electrical grid is expected to intensify in the coming months. On July 1, 2009, NERC will begin conducting audits to confirm broad compliance with CIP-002. Penalties for violations of NERC Standards CIP-002 through CIP-009 could reach as high as $1 million per violation per day, depending on the damage caused by the violation. Given this increased scrutiny and level of penalties, we strongly urge you to review your company's current compliance with the NERC CIP standards and ensure that you have a properly developed policy for ensuring cyber security protection.