FERC's Revised Critical Infrastructure Protection Demands Active Vigilance


RESEARCH
North America Power and Utilities Smart Grid

FERC's Revised Critical Infrastructure Protection Demands Active Vigilance
New Designation Includes All Cyber Assets Connected to Bulk Electric System

February 22, 2016
Policy Brief

Author
Erin Carson, Chief Policy Strategist
Janis Kreilis, Analyst
Contact (212)

Key Takeaways:
- The Federal Energy Regulatory Commission (FERC) has approved advanced Critical Infrastructure Protection (CIP) Reliability Standards that address the cybersecurity of the bulk electric system (BES).
- The new CIP version establishes new criteria for bulk electricity cyber systems, mandating compliance while requiring BES owners and operators to focus on enhancing the security of critical assets.
- Electric utilities will need to include cybersecurity in their strategic business planning and operations.

Related Research:
- State Commission Findings Influence Ongoing Net Energy Metering Valuation Debate
- U.S. Supreme Court Ruling Heightens Need For Demand-Response Regulatory Coordination

Entities Mentioned:
- Department of Energy
- Department of Homeland Security
- Federal Energy Regulatory Commission
- Independent System Operator of New England
- National Cybersecurity and Communications Integration Center
- National Institute of Standards and Technology
- North American Electric Reliability Corporation
- PJM Interconnection
- Southwest Power Pool

This report is for industry information only and we make no investment recommendations whatsoever with respect to any of the companies cited, mentioned, or discussed herein. Please refer to the end of this report for analyst certification(s) and other important disclosures.

Insight for Industry

CIP Version 5 Standards Prioritize Security Needs Beyond Compliance, Expand Scope through Impact-Based Categorization

On January 21, 2016, the Federal Energy Regulatory Commission (FERC) approved advancements to Critical Infrastructure Protection (CIP) Reliability Standards that address cybersecurity of the bulk electric system. The CIP version 5 standards, developed by the North American Electric Reliability Corporation (NERC), identify and categorize bulk electric system (BES) cyber structures based on whether such structures have a low, medium, or high impact on the reliable operation and set specific requirements for each category, with which categorized entities must comply.

To ensure that the electricity grid--a vast and complex system of transmission and communication networks--can withstand both natural events and cyber and physical attacks, the Energy Policy Act of 2005 subjects the electric power sector to mandatory cybersecurity standards under FERC jurisdiction. The CIP Version 5 standards require that responsible entities actively consider the BES security needs beyond mere compliance with minimum standards. Notably, the tiered impact rating methodology would bring all cyber assets that could impact BES facilities into the scope of the CIP standards.

The action reflects the dynamic cybersecurity environment, which is moving toward proactive efforts for flexible and timely response to threats rather than basic compliance. While mandatory standards provide protection against known threats, the electric utility sector and government agencies are increasingly coordinating their activities to maintain reliability against new and evolving threats. Additional interdependence between the electric grid and other infrastructure sectors, such as water and transportation, also raises concerns over the need for similar mandatory standards in these sectors (Figure 1).
Figure 1: Critical Infrastructure Interdependencies (Source: DHS)

As of now, the electricity grid and nuclear generation are the only critical infrastructure sectors with mandatory and enforceable cybersecurity standards. Pursuant to the Energy Policy Act of 2005, NERC works with the electric industry, regional entities, and state and federal agencies to develop reliability and cybersecurity standards that apply across the North American grid, including parts of Canada and Mexico. NERC standards are subject to FERC review and approval, and are periodically updated as potential threats evolve.

Critical Infrastructure Protection (CIP) Standards Version 5 Shift Attention from Basic Compliance to Active Security

The January 21 revisions (Docket No. RM15-14), issued in Order No. 822, are focused on utilities' active consideration of security needs rather than merely complying with basic standards. The revisions improve the base-line cybersecurity posture of applicable entities, and the new BES designation would bring all facilities (low, medium, or high risk) under some level of the new requirements. Designating bulk electric power facilities as critical cyber assets would eliminate potential holes in BES cybersecurity. According to the National Cybersecurity and Communications Integration Center (NCCIC), the energy sector reported the highest number of cyber incidents in 2014 (Figure 2).

Figure 2: FY 2014 Incidents Reported by Sector (Source: ICS-CERT)

FERC also approved NERC's proposed implementation plan, and its violation risk factor and violation severity level assignments.
Order 822 directs NERC to make additional revisions to address the risks posed by transient electronic devices to low-impact BES cyber systems; require protections for communication network components and data transmitted between control centers based on the risk posed to the BES; and eliminate the ambiguities in the definition of low impact external routable connectivity--in simple terms, a direct device-to-device connection to a low-impact BES system from an outside cyber asset. It also requires NERC to conduct a comprehensive study on the strength of the CIP version 5 remote access controls, remote access-related threats and vulnerabilities, and appropriate mitigating controls.

NERC developed the revised CIP Reliability Standards in response to Order No. 791, which approved CIP version 5 standards, but ordered NERC to address a number of directives. Specifically, the revisions address four areas of modifications:
- Removal of language that requires entities to implement the requirements in a manner to identify, assess, and correct deficiencies, to remove ambiguity;
- Development of enhanced security controls for low-impact assets;
- Development of controls to address risks posed by transient electronic devices, such as thumb drives and laptop computers used at high- and medium-impact BES cyber systems;
- Protection of communication networks.

The January 21 Order approves seven CIP standards developed by NERC: Security Management Controls, Personnel and Training, Physical Security of BES Cyber Systems, Systems Security Management, Recovery Plans for BES Cyber Systems, Configuration Change Management and Vulnerability Assessments, and Information Protection. NERC filed the proposed CIP Reliability Standards for FERC approval in February 2015 and in July 2015, FERC issued a Notice of Proposed Rulemaking (NOPR), proposing to approve the proposal.

FERC Stalls Supply Chain Cybersecurity Management Standards to Address Industry Concerns

The January 21 order does not address supply chain cybersecurity requirements. FERC decided to determine the appropriate course of action after a January 28 technical conference based on a review of comments on the issue.
Many commenters sought an upfront scoping and information-gathering effort through a technical conference in addition to staff-level outreach efforts, to inform and clarify the issues.

In the NOPR, FERC proposed to address requirements relating to supply chain management for industrial control system hardware, software, and services. The NOPR identified a recent Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) report that described such a campaign as involving malware injection while a product or service is under the control of the vendor prior to the delivery to the customer. These attacks on vendors, FERC said, indicate a gap in the protections under the CIP Reliability Standards. However, the trade groups disagreed with FERC's characterization, insisting that the campaigns sought to inject malware while a product was in the control of and in use by the customer and not the vendor, which would render mandatory requirements for supply chain management unnecessary.

The trade groups agreed on the importance of CIP and cybersecurity risks for the electric industry, but said that no events or disturbances that indicated a problem or emerging trend had taken place. Although NERC standards do not contain explicit provisions for supply chain management, the trade groups noted that transmission owners and operators already have significant responsibilities to perform under the current FERC-approved CIP standards. The trade groups also noted that FERC had no direct oversight authority over third-party suppliers or vendors and could not indirectly assert authority on them through jurisdictional entities. They also emphasized the importance of risk-based improvements to allow industry to focus on reliability and security, rather than basic compliance. The opposing trade groups include the Edison Electric Institute, American Public Power Association, National Rural Electric Cooperative Association, Electric Power Supply Association, Electricity Consumers Resource Council, Transmission Access Policy Study Group, and Large Public Power Council.

Stakeholders Argue for Reasonably Scoped Standards for Supply Chain Management

At the January 28 FERC technical conference, PJM Interconnection recommended cross-sector coordination and collaboration with technology providers rather than focusing on crafting a technical standard for supply chain management at this point in time. PJM pointed to the highly distributed nature of the supply chain and the associated challenges, given the disparity in industry standards and the absence of well-established cybersecurity practices in the supply chain. While PJM commended the move as part of a continued evolution of best practices and collaboration, it emphasized the need to continue the broader engagement with the Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), critical infrastructure sectors, technology providers, and government agencies.
PJM also noted that recent cybersecurity legislation authorized increased communication and collaboration between the industry and federal agencies, providing the legal authority for FERC, working with DHS and NIST, for greater reporting and improved two-way communications.

The National Electric Manufacturers Association (NEMA) recognized the need to address supply chain risks and concerns and provided recommendations from its June 2015 whitepaper that vendors can implement as they develop, manufacture, and deliver products as part of the supply chain.

In its comments to the July 2015 NOPR, NERC noted the complex, multidimensional, and constantly-evolving nature of supply chains for information and communications technology and the participation of multiple entities across the globe in the development, design, manufacturing, and delivery of products purchased by a registered entity. Therefore, NERC emphasized the need for reasonably scoped standards with measures for entities to manage supply chain risks without being held responsible for actions beyond their control. The Independent System Operator of New England (ISO-NE) expressed support for NERC recommendations to develop requirements addressing supply chain management.

In its comments on the NOPR, Southwest Power Pool (SPP) emphasized the importance of considering specific risks against the cost of mitigation in developing standards for supply chain management, saying that a risk-based approach would consider an entity's ability to apply meaningful controls and ensure that responsible entities are not unreasonably burdened for insignificant gain. SPP recommended developing controls that are appropriate for broad implementation with minimal cost and maximum benefit, followed by additional controls to mitigate residual, unacceptable risk once the success of a basic program is demonstrated.

The ISO/RTO Council put forth certain threshold issues including the multifaceted nature of the supply chain management issue and the need for coordination with other national and industry efforts, as well as the need for a reasonable scope given the many affected parties, including those outside FERC jurisdiction. The Council also recommended avoiding mandates that may expose system operators to compliance risk or liability from actions or omissions of third parties with little meaningful impact on upstream suppliers, and developing a record to ensure a comprehensive assessment of the problem and realistically achievable remedies.

Government-Industry Coordination Complements Cybersecurity Standards with Information Sharing and Mitigation Strategies

In recent years, cooperation between the federal government and the electric power sector has extended beyond mandatory and enforceable industry standards for the bulk electric system. To name a few examples, the Edison Electric Institute (EEI), the trade association for investor-owned electric utilities, has been engaged in industry partnerships on cybersecurity issues with federal agencies.
The Electricity Sub-Sector Coordinating Council (ESCC) serves as the main liaison between the federal government and the electric power sector. The Electricity Sector Information Sharing and Analysis Center (ES-ISAC) works with DOE and ESCC for timely information sharing with the electricity sector, enhancing its ability to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents.

Several voluntary initiatives have emerged to facilitate information sharing and cybersecurity strategies. Among the Department of Energy's (DOE) key voluntary initiatives, the National Electric Sector Cybersecurity Organization (NESCO) institutes research and analyses, and supports information sharing and collaborative programs that improve the cybersecurity posture of participants. DOE's Electricity Subsector Cybersecurity Capability Maturity Model, developed with DHS, serves as a self-evaluation survey tool for organizations seeking to address cybersecurity vulnerabilities.

The NCCIC has two critical branches: the United States Computer Emergency Readiness Team (US-CERT) and ICS-CERT. US-CERT develops timely and actionable information for distribution to federal departments and agencies, state and local governments, private sector organizations, and international partners. ICS-CERT reduces risk to the nation's critical infrastructure by strengthening control systems security through public-private partnerships.

Legislative proposals on cybersecurity address issues ranging from liability protection for infrastructure owners to information sharing and disclosure of cyber events (Table 1). In December 2015, Congress passed the Cybersecurity Information Sharing Act (CISA) of 2015 as part of the Consolidated Appropriations Act, 2016 (H.R. 2029). The CISA will make it easier for private sector companies to share information with the government and other companies.

Table 1: 2015 Legislative Proposals with Information Sharing Provisions (Source: CRS)

As the federal government does not oversee reliability of local distribution facilities, state utility regulators are responsible for grid safety and reliability within their jurisdiction and engage in ratemaking decisions to determine how utilities may pass on investments and expenses to customers and ensure reasonable rates for customers. While renewable distributed generation installations and microgrids have the potential to resist disruptions to the grid from cyber attacks or natural events, they provide additional access points for cyberattacks on the grid.

The National Association of Regulatory Utility Commissioners (NARUC) has issued guidance concerning cybersecurity measures to state utility regulators, and also conducts trainings and outreach for utility regulators on cybersecurity issues, providing updates on the threat landscape. NARUC has passed resolutions encouraging utility commissioners to regularly review policies and procedures to ensure consistency with applicable standards and best practices, to work with regulated utilities to remain prepared for cyberattacks, and also continue to give a high priority to monitoring cybersecurity threats.

While mandatory and enforceable CIP reliability standards exist for BES, electric utilities have expressed liability concerns and financial burdens from a major cybersecurity event. EEI explains that emergency mitigation costs are not included in a utility's rate base and supports cost recovery mechanisms and liability protection to prevent undue financial strain on electric utilities.

Evolving Cyber Landscape Requires Constructive Regulations and Strategic Business Planning Operations

The CIP Version 5 standards intend to alert utilities to the need to develop adequate security levels for BES assets with low, medium, or high system impacts, given the currently widespread view that a major cybersecurity event has low probability. FERC also underscores that basic compliance with standards may not be sufficient for effective cybersecurity protection as most security actions have emerged in response to cyberattacks and events. As the cyber threats facing the grid are continually changing, each new intrusion or cyberattack will shift priorities in system protection. Cooperative efforts of federal and industry cybersecurity activities indicate the importance of industry partnerships in developing detection measures compared to efforts by the utility industry alone.
Industry can prioritize security needs through strong public-private partnerships that use stakeholder expertise for proper guidance in assessing threats, while infrastructure owners and operators can propose mitigation strategies without causing adverse impacts to utility operations or assets. A favorable regulatory environment is also important to ensure necessary investments for grid protection, considering risks and costs.

Grid modernization and smart grid deployment rely on new intelligent technologies that have facilitated two-way communications and digital advancements optimized by the internet. Modernization of many systems, such as the Supervisory Control and Data Acquisition (SCADA) system, has resulted in internet connectivity. While these advances serve to improve grid efficiency and performance, they also increase its vulnerability to potential cyber attacks. Similarly, new devices, such as smart meters, and increasing grid access points, as in distributed renewable energy facilities, introduce additional avenues for potential threats. Black Energy, which targets the human-machine interface, and Havex, which infects systems through phishing emails or watering hole attacks, are recent examples of malware targeting SCADA systems.

Moving forward, electric utilities will need to include cybersecurity in their strategic business planning and operations. Further, the electric grid is not isolated from cyber attacks on other critical infrastructure sectors on which it depends, such as oil and gas plants, refineries and pipelines which have become digital, implying the need to consider standards for those sectors. Finally, as FERC does not have authority over distributed systems, states and utilities will have an increasing role in protecting grid access points beyond those regulated by CIP standards from cybersecurity threats.

Disclosures Section

RESEARCH RISKS

Regulatory and Legislative agendas are subject to change.

AUTHOR CERTIFICATION

By issuing this research report, Erin Carson as author of this research report, certifies that the recommendations and opinions expressed accurately reflect her personal views discussed herein and no part of the author's compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this report.

IMPORTANT DISCLOSURES

This report is for industry information only and we make no investment recommendations whatsoever with respect to any of the companies cited, mentioned, or discussed herein. EnerKnol Inc. is not a broker-dealer or registered investment advisor. Information contained herein has been derived from sources believed to be reliable but is not guaranteed as to accuracy and does not purport to be a complete analysis of the company, industry or security involved in this report. This report is not to be construed as an offer to sell or a solicitation of an offer to buy any security or to engage in or refrain from engaging in any transaction. Opinions expressed are subject to change without notice. The information herein is for persons residing in the United States only and is not intended for any person in any other jurisdiction. This report has been prepared for the general use of the wholesale clients of EnerKnol Inc. and must not be copied, either in whole or in part, or distributed to any other person. If you are not the intended recipient you must not use or disclose the information in this report in any way. If you received it in error, please tell us immediately by return email to info@enerknol.com and delete the document. We do not guarantee the integrity of any emails or attached files and are not responsible for any changes made to them by any other person. In preparing this report, we did not take into account your investment objectives, financial situation or particular needs. Before making an investment decision on the basis of this (or any) report, you need to consider, with or without the assistance of an adviser, whether the advice is appropriate in light of your particular investment needs, objectives and financial circumstances. We accept no obligation to correct or update the information or opinions in it. No member of EnerKnol Inc. accepts any liability whatsoever for any direct, indirect, consequential or other loss arising from any use of this report and/or further communication in relation to this report. For additional information, please visit enerknol.com or contact management team at (212)

Copyright EnerKnol Inc. All rights reserved. No part of this report may be redistributed or copied in any form without the prior written consent of EnerKnol Inc.


More information

Critical Infrastructure Protection Committee Strategic Plan

Critical Infrastructure Protection Committee Strategic Plan Critical Infrastructure Protection Committee Strategic Plan 2015-2018 CIPC Executive Committee Updated: December 13, 2016 NERC Report Title Report Date I Table of Contents Preface... iv Executive Summary...

More information

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas

More information

Cyber Threats? How to Stop?

Cyber Threats? How to Stop? Cyber Threats? How to Stop? North American Grid Security Standards Jessica Bian, Director of Performance Analysis North American Electric Reliability Corporation AORC CIGRE Technical Meeting, September

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Industry role moving forward

Industry role moving forward Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013

More information

Scope Cyber Attack Task Force (CATF)

Scope Cyber Attack Task Force (CATF) Scope Cyber Attack Task Force (CATF) PART A: Required for Committee Approval Purpose This document defines the scope, objectives, organization, deliverables, and overall approach for the Cyber Attack Task

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

154 FERC 61,037 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ]

154 FERC 61,037 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ] 154 FERC 61,037 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 18 CFR Part 40 [Docket No. RM15-14-000] Revised Critical Infrastructure Protection Reliability Standards (Issued January 21,

More information

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NARUC Energy Regulatory Partnership Program The Public Services Regulatory Commission of Armenia and The Iowa Utilities Board Janet Amick Senior Utility

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

History of NERC December 2012

History of NERC December 2012 History of NERC December 2012 Timeline Date 1962-1963 November 9, 1965 1967 1967-1968 June 1, 1968 July 13-14, 1977 1979 1980 Description Industry creates an informal, voluntary organization of operating

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) ) COMMENTS OF THE LARGE PUBLIC POWER COUNCIL

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) ) COMMENTS OF THE LARGE PUBLIC POWER COUNCIL UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE LARGE PUBLIC POWER

More information

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO June 27, 2016 Training provided for Ontario market participants by the Market Assessment and Compliance Division of the IESO Module 1 A MACD training presentation

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Cyber Security Reliability Standards CIP V5 Transition Guidance: Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards To: Regional Entities and Responsible

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

Control Systems Cyber Security Awareness

Control Systems Cyber Security Awareness Control Systems Cyber Security Awareness US-CERT Informational Focus Paper July 7, 2005 Produced by: I. Purpose Focus Paper Control Systems Cyber Security Awareness The Department of Homeland Security

More information

BILLING CODE P DEPARTMENT OF ENERGY FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ]

BILLING CODE P DEPARTMENT OF ENERGY FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ] This document is scheduled to be published in the Federal Register on 07/22/2015 and available online at http://federalregister.gov/a/2015-17920, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

162 FERC 61,044 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ]

162 FERC 61,044 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ] 162 FERC 61,044 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 18 CFR Part 40 [Docket No. RM17-13-000] Supply Chain Risk Management Reliability Standards (January 18, 2018) AGENCY: Federal

More information

SECURING THE SUPPLY CHAIN

SECURING THE SUPPLY CHAIN SECURING THE SUPPLY CHAIN BY Jerome Farquharson, CISSP, Donald Dustin Williams, PE, AND Courtney Buser The advance of smart grids, smart devices and increasingly interconnected systems provides exceptional

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics Chapter X Security Performance Metrics Page 1 of 9 Chapter X Security Performance Metrics Background For the past two years, the State of Reliability report has included a chapter for security performance

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information

PIPELINE SECURITY An Overview of TSA Programs

PIPELINE SECURITY An Overview of TSA Programs PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the

More information

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. 18 CFR Part 40. [Docket No. RM ]

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. 18 CFR Part 40. [Docket No. RM ] This document is scheduled to be published in the Federal Register on 01/26/2016 and available online at http://federalregister.gov/a/2016-01505, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

The NIS Directive and Cybersecurity in

The NIS Directive and Cybersecurity in The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011 American Chemistry Council Responsible Care SECURITY CODE 7 April 2011 Debra Phillips Managing Director, Responsible Care American Chemistry Council Why develop a Separate Security Code? Need for a clearly

More information

151 FERC 61,066 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION ORDER DENYING REHEARING. (Issued April 23, 2015)

151 FERC 61,066 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION ORDER DENYING REHEARING. (Issued April 23, 2015) 151 FERC 61,066 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Before Commissioners: Norman C. Bay, Chairman; Philip D. Moeller, Cheryl A. LaFleur, Tony Clark, and Colette D. Honorable.

More information

FERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC

FERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC : ERO Performance and Initiatives June 4, 2015 Chairman Bay, Commissioners, and fellow panelists, I appreciate the opportunity to address the topics identified for the third panel of today s important

More information

History of NERC January 2018

History of NERC January 2018 History of NERC January 2018 Date 1962 1963 The electricity industry created an informal, voluntary organization of operating personnel to facilitate coordination of the bulk power system in the United

More information

Implementing Executive Order and Presidential Policy Directive 21

Implementing Executive Order and Presidential Policy Directive 21 March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby

More information

BEFORE THE U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON ENERGY AND COMMERCE SUBCOMMITTEE ON ENERGY

BEFORE THE U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON ENERGY AND COMMERCE SUBCOMMITTEE ON ENERGY STATEMENT OF SCOTT I. AARONSON EXECUTIVE DIRECTOR, SECURITY AND BUSINESS CONTINUITY EDISON ELECTRIC INSTITUTE AND SECRETARIAT MEMBER ELECTRICITY SUBSECTOR COORDINATING COUNCIL BEFORE THE U.S. HOUSE OF

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE AMERICAN PUBLIC POWER

More information

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance

More information

BILLING CODE P DEPARTMENT OF ENERGY. Federal Energy Regulatory Commission. 18 CFR Part 40. [Docket No. RM ]

BILLING CODE P DEPARTMENT OF ENERGY. Federal Energy Regulatory Commission. 18 CFR Part 40. [Docket No. RM ] This document is scheduled to be published in the Federal Register on 01/25/2018 and available online at https://federalregister.gov/d/2018-01247, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF

More information

DHS Cybersecurity: Services for State and Local Officials. February 2017

DHS Cybersecurity: Services for State and Local Officials. February 2017 DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017 DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.

More information

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes to

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes to This document is scheduled to be published in the Federal Register on 12/28/2017 and available online at https://federalregister.gov/d/2017-28083, and on FDsys.gov DEPARTMENT OF ENERGY Federal Energy Regulatory

More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating

More information

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive

More information

Critical Infrastructure Protection Committee Strategic Plan

Critical Infrastructure Protection Committee Strategic Plan Critical Infrastructure Protection Committee Strategic Plan 2013-2016 CIPC Executive Committee 5/14/2013 3353 Peachtree Road NE Suite 600, North Tower Atlanta, Georgia 30326 404-446-2560 www.nerc.com Table

More information

Cybersecurity Overview

Cybersecurity Overview Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where

More information

History of NERC August 2013

History of NERC August 2013 History of NERC August 2013 Timeline Date 1962 1963 November 9, 1965 1967 1967 1968 June 1, 1968 July 13 14, 1977 1979 Description The electricity industry creates an informal, voluntary organization of

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Executive Order on Coordinating National Resilience to Electromagnetic Pulses Executive Order on Coordinating National Resilience to Electromagnetic Pulses The Wh... Page 1 of 11 EXECUTIVE ORDERS Executive Order on Coordinating National Resilience to Electromagnetic Pulses INFRASTRUCTURE

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive

More information

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda Rise in Data Breaches Effects of Increase in Cybersecurity Threats Cybersecurity Framework

More information

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Testimony Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Defending Our Democracy: Building Partnerships to Protect America

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Critical Infrastructure Partnership

Critical Infrastructure Partnership Critical Infrastructure Partnership Overview Chris Boyer AVP Global Public Policy December 11, 2017 2016 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV

More information

Ad Hoc Smart Grid Executive Committee. February 10, 2011 New Orleans, LA

Ad Hoc Smart Grid Executive Committee. February 10, 2011 New Orleans, LA Ad Hoc Smart Grid Executive Committee February 10, 2011 New Orleans, LA Agenda Time Topic and Location Lead 3:00 3:10p Welcome & Introductions George Bjelovuk, AEP 3:10 3:40p Regulatory Trends for Cyber

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

161 FERC 61,291 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket Nos. RM and AD ]

161 FERC 61,291 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket Nos. RM and AD ] 161 FERC 61,291 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 18 CFR Part 40 [Docket Nos. RM18-2-000 and AD17-9-000] Cyber Security Incident Reporting Reliability Standards (Issued December

More information

Member of the County or municipal emergency management organization

Member of the County or municipal emergency management organization EMERGENCY OPERATIONS PLAN SUUPPORT ANNEX B PRIVATE-SECTOR COORDINATION Coordinating Agency: Cooperating Agencies: Chatham Emergency Management Agency All Introduction Purpose This annex describes the policies,

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

Electric Power Industry s Approach to Grid Security

Electric Power Industry s Approach to Grid Security Electric Power Industry s Approach to Grid Security Richard Ward, Director, National Security Policy Edison Electric Institute (EEI) Cybersecurity & Privacy Policy Academy November 2, 2017 San Francisco,

More information

CIP Standards Development Overview

CIP Standards Development Overview CIP Standards Development Overview CSSDTO706 Meeting with FERC Technical Staff July 28, 2011 Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 2 Project 2008-06 Overview FERC Order 706 SDT

More information

Digital Wind Cyber Security from GE Renewable Energy

Digital Wind Cyber Security from GE Renewable Energy Digital Wind Cyber Security from GE Renewable Energy BUSINESS CHALLENGES The impact of a cyber attack to power generation operations has the potential to be catastrophic to the renewables industry as well

More information

Updates to the NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity

More information

Project Physical Security Directives Mapping Document

Project Physical Security Directives Mapping Document Document Background In Order No. 802 (final order on CIP-014-1 Physical Security), issued on November 20, 2014, FERC directed NERC to remove the term widespread from Reliability Standard CIP-014-1 or,

More information