Remote - Spring 2016 - (Page 14)

Feature Article

Going Beyond Compliance: Using NERC CIP v5 as a Catalyst for a Greater Security Strategy

Doug Wylie, CISSP, NexDefense

The North American electricity industry, including power generation and transmission, is largely comprised of private organizations, yet it has shown itself to be one of the most progressive in its commitment to make measurable investments in proactive physical and cyber security. It has done so in an effort to ensure the integrity, safety and reliability of its critical assets and operations - those that both people and business have come to depend on each and every day.

There are very good reasons why investments to better protect power generation and transmission are imperative. In the energy sector alone, according to PwC [1], the average number of detected cybersecurity incidents jumped six times from 2013 to 2014. In addition, attacks attributed to foreign nation-states, such as the one in which Russian nationalists [2] are suspected of inserting advanced malware into the networks of critical infrastructure, more than doubled.

The electricity industry has a rich history of recognizing growing risks that emerge from expanding cyber threats. More than a decade ago, in 2005, the Federal Energy Regulatory Commission (FERC) passed revisions to its definition of what comprises a bulk electric system (BES). In doing so, it provided "greater clarity, consistency and improved reliability by focusing on core facilities that are necessary for operating the interconnected transmission network." This action helped cement government and industry's recognition that the electricity sub-sector had already evolved into a highly interconnected system of systems.

In parallel to the expanded definition, FERC took an added step to grant the North American Electric Reliability Corporation (NERC) the authority to coordinate with BES industry partners to develop and issue the NERC Critical Infrastructure Protection Cyber Security Reliability Standards (NERC CIP), which have governed the industry since.

NERC CIP establishes base-level reliability standards for bulk electric power generation and transmission. But the proliferation of advanced, sophisticated and targeted cyber threats demonstrates that power organizations must be more proactive with cybersecurity investments, rather than fulfilling and complying with baseline requirements checklists established by standards. Instead, each organization serving the North American power grid, no matter the size, must learn to embrace NERC CIP as a starting point and catalyst for a deep culture shift: one that embraces cybersecurity as part of a greater risk mitigation strategy, and is supported by those at the highest levels of governance.

The New Era of NERC CIP Standards

In November 2013, FERC approved the NERC Critical Infrastructure Protection (CIP) V5 standards, and the requirements to which owners and operators must conform will become enforceable beginning April 1, 2016. Version 5 represents the most material changes to accountability in the electricity sub-sector in more than 10 years, which reflects both the changing threat landscape and the recognition that it's time to expand upon the progress already achieved in certain portions of the BES to more broadly mitigate cyber risks to the electric grid. In addition, the NERC CIP V5 standards cover a significantly larger scope of protected systems than previous versions, and all facilities that meet the definition of BES will now be subject to the regulations.

Because NERC CIP V5 reaches nearly every power generation facility, come April 2016, many private organizations will be held accountable to meet cybersecurity standards for the very first time.

Unlike most government regulations, industry regulations have many benefits, because they are often rooted in standards both authored and influenced by their very stakeholders. Once in place, the regulations force organizations, under mandate, to make changes to align with and conform to the standards. In the case of NERC CIP, the V5 standards will require an even broader set of power entities to implement cybersecurity practices and controls to enhance reliability and protection of critical systems, or risk being fined $1 million per day per violation.
