The North American Electric Reliability Corporation (NERC), a quasi-governmental organization charged with protecting the reliability of the nation’s power grid, is about to implement a major overhaul of some of its reliability standards.
Two authors who participated in a recent pilot program to test the standards, Michael Gianunzio and James Leigh-Kendall, wrote an article in the February 2016 edition of Western Energy to share their advice about how those affected by the new rules might improve their compliance programs. In the hope that their useful observations might reach others in the energy industry, and with their approval, this article briefly recaps some of what Gianunzio and Leigh-Kendall learned.
NERC has a mandate to protect the bulk electric system from both physical and cyber intrusions, “not to mention the takeover of our transmission and generation assets by the bad guys,” as the authors colorfully put it. Part of that mandate involves development and enforcement of CIPS – critical infrastructure protection standards.
CIPS have been in place for a number of years. The fifth generation of these standards, CIP v5, a major overhaul of NERC’s existing rules, is scheduled to take effect on April 1, 2016. But plans for implementation began several years ago and included a pilot program launched by NERC in September 2013. It enlisted six utilities to volunteer – the Sacramento Municipal Utility District (SMUD), Westar, Mid-American, Dayton Power & Light and the Southern Company.
Readers with affection for the Chicago Cubs may recall Gianunzio’s name. His uncle Tony, a teenage pitching prospect before his chance at a tryout with the Cubs was derailed by World War II and his induction into the Coast Guard, made national news when, at 92, he was invited to throw out the ceremonial first pitch at a Cubs game last summer. The younger Gianunzio serves as SMUD’s chief legislative and regulatory compliance officer. Both Gianunzio and his co-author Leigh-Kendall, the director of SMUD’s internal compliance program, saw the pilot program as a great opportunity for SMUD and offer four positive takeaways from their experience with that program:
— Even when experienced compliance officers are confident they’ve correctly identified and categorized critical infrastructure assets, they may be wrong, or their interpretations may be at unnecessary and avoidable odds with those of the NERC regulators. In either case, it pays to consult with NERC and the regional reliability organization officials.
— Establishing effective access controls, even to medium-impact facilities, requires not just changes in protocols, but training and reminders frequent and prominent enough to change old habits.
— Ensuring compliance with new cybersecurity measures cannot be accomplished without extensive testing, both of firewalls and of backup systems.
— Implementation, documentation, operation and maintenance of critical infrastructure security measures require the use of multidisciplinary teams. But for interdisciplinary coordination to be effective, the organization must have strong and ongoing executive-level support.
Consultation with NERC. Under prior versions of the CIP standards the regulated entities determined what constituted critical energy infrastructure, selecting what they determined were the most critical assets needing protection both from physical and cyber attacks and against system breakdowns. But CIPS version 5 now requires that each “transmission level asset” be identified as either a “high, medium or low-impact facility.” These facilities include not only the transmission facilities themselves, but assets “connected to” the grid, or bulk electric system (BES). So the rules can affect non-utilities, too.
Among the lessons SMUD learned, the authors recounted, was that NERC regarded SMUD’s distribution control center to be a high-impact facility because it could interact with SMUD’s transmission operations computers when the latter were undertaking control over certain distribution functions. This, the authors acknowledged, was a conclusion they “didn’t see… coming.”
As the authors described their conversations with NERC regulators, if there is “capability of any potential connectivity” of SMUD’s distribution control center assets “to equipment or software that involves control of the BES,” NERC officials believed SMUD’s control center assets should be treated as “high impact” facilities – even if their main function is to handle distribution service to the utility’s residential and commercial customers.
For SMUD, this determination, which SMUD accepted, was no small thing. It had just finished constructing the building that housed the control center before the pilot program had gotten underway. That probably made some of the control measures SMUD then adopted a little more expensive than they would have been had the pilot program – and NERC advice about the new standard – been available earlier. Having that early interaction with NERC, they emphasized, is of immense importance.
Effective controls over access to critical facilities. The authors also describe the changes they needed to make to safeguard medium-impact substations. Substations previously accessible with a simple key are now off limits to personnel who have not undergone training and background checks and been fingerprinted, and every entry and exit is documented. But this, the authors learned, was insufficient. “Crew members,” they noted, “forgot their training,” so SMUD learned that it would need built-in reminders – more alarms, use of prominent signs, a keypad system and individual codes, card readers to track exit and entry and more security cameras.
Testing of firewalls and backup systems. The new rules, as Gianunzio and Leigh-Kendall note, expand the cybersecurity safeguards governing communications between high- and medium-impact facilities. Most of these safeguards are to ensure that only authorized data is sent or received over devices located at these two types of facilities. But SMUD’s experience was that ensuring a secure system takes more than having the right protocols in place; confirming their efficacy, as well as the efficacy of the backup systems required by the CIP standards, requires multiple – and expensive – rounds of testing.
Interdisciplinary coordination. The authors’ final takeaway from the pilot program was the need for an ongoing, from-the-top commitment to coordination among the utility’s business units. It became obvious to SMUD early in the pilot program that installation of equipment and software, as well as the implementation, documentation, operation and maintenance of critical infrastructure security measures, requires use of multidisciplinary teams.
But SMUD also found that many of the people involved in the process, coming from different business groups within the utility – IT, telecommunications, security, compliance, legal and budget – had relatively limited day-to-day interaction with one another outside the CIPS context. For interdisciplinary coordination to be effective, the authors found, an organization must have strong and ongoing executive-level support. This, they concluded, meant the formation of steering committees and interdisciplinary teams that would meet frequently and be empowered to make decisions and resolve disputes.
*Harvey L. Reiter is a partner in the Washington, D.C. office of Stinson Leonard Street LLP. He represents various sectors of the energy and communications industry before FERC, the FCC and the federal circuit courts of appeal. Mr. Reiter has taught energy law at Vermont Law School, is an instructor on energy law and regulation with the Institute of Public Utilities at Michigan State University and has served for the last decade as the executive articles editor of the Energy Law Journal.