With growing awareness of the risks from cyber attacks, the Federal Energy Regulatory Commission (FERC) has taken steps to enhance U.S. cyber security standards. Its plan seeks to improve the resiliency of critical network operations in electric generation, distribution and transmission systems. The ripple effects of compliance is being felt throughout the U.S. electric utility sector and beyond.
The enhanced standard is Critical Infrastructure Protection (CIP) Version 5, which currently has an effective date of April 2016. Its development was driven in part by the convergence of Internet Protocol-based technology (IP) in the electric utility sector. In addition, U.S. President Barack Obama issued an Executive Order (No. 13636) directing improvements in cyber security.
The emergence of cyber based threats is in many ways tied to the recent use of industry transforming technologies, such as automatic metering and smart gridtools. In collecting and transmitting system data, these tools create potentially vulnerable access points.
“Each day we see how the expanded use of technology helps to deliver improved efficiency,” said Dan Rueckert, Associate Vice President, Black & Veatch’s management consulting business. “But it also creates new areas of risk that must be managed. Utilities must now harden expanding and increasingly complex data networks.”
CIP Compliance
Black & Veatch estimates that roughly 10 percent of utilities are fully compliant with the CIP standards laid out in Version 3. Version 4 raised the level to about 15 to 20 percent, still far from universal adoption. This leaves many critical assets unprotected.
The more active role required for utilities in Version 5 makes it difficult to project compliance levels. However, Rueckert said that for the first time, the North American Electric Reliability Corporation would have the authority to levy penalties for non-compliance.
“If there were any doubts that the era of the so-called ‘dumb grid’ is over, look no further than the recent coverage of international cyber incidents,” Rueckert said. “With Version 5, spending on cyber security will move up the list of priorities.”
“Reliability-focused investments are the focal point of capital outlay across the sector,” said Rueckert. “At the end of the day, utilities have a mandate to deliver reliable service and comply with environmental regulations.”
Given the competition for capital, many utilities will struggle to implement cyber compliance programs. They are more focused on other pressing issues, such as aging infrastructure, regulatory uncertainty and the evolution of fuel and technology.
As executives prepare to adopt Version 5, several key elements should be considered:
Additional expertise will be required to design and deploy network security. Work will focus on specific network protocols, software applications and patch management as outlined in CIP Version 5.
Version 5 identifies distinctions between a “critical” and a “protected” cyber asset. Solutions such as robust firewalls and network segmentation will be required to protect the CIP assets.
Utilities will need a full range patch management solution with a robust program for review. In addition, a detailed system to classify data is required. This will identify relevant data so that proper levels of security controls can be managed. Once achieved, information safeguards can provide protections for data at rest and in transit.
Specific vendors and solutions will need to be identified, evaluated and tested for interoperability as well as to ensure they can meet Version 5 standards.
“As utilities seek to improve their performance through enhanced data collection and do more with less, they should have a plan in place to address their weaknesses,” Rueckert said. “This includes understanding the bottom line impacts of meeting CIP standards.”
Subject Matter Expert
Dan Rueckert: RueckertD@bv.com
