Electric grid security: A closer look at CIP-014-1 standard

The FERC standard CIP-014-1 became effective, according to the Federal Register, on January 26, 2015

The electric power industry works with several federal agencies, including the Federal Energy Regulatory Commission (FERC), the Department of Homeland Security (DHS), and the Department of Energy (DOE) to improve sector-wide resilience for cyber threats. The industry also collaborates with the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), and federal intelligence and law enforcement agencies to strengthen its cyber security capabilities.

Are the standards anywhere close enough to actually be of service? We shall soon see because last November CIP-014-1 was approved. It is the Physical Security Reliability Standard, developed by the North American Electric Reliability Corporation and approved by the U.S. Federal Energy Regulatory Commission.

In December, the House of Representatives approved unanimously H.R. 3410, the Critical Infrastructure Protection Act (CIPA). This is the first time in four years that Congress has acted to begin to protect the nation’s electrical grid, and comes on the heels of CIP-014-1’s approval.  

The bill enjoys strong bipartisan support, but it remains to be seen whether it will become law. It has been read in the Senate and referred to the Committee on Homeland Security and Governmental Affairs. Its purpose is to see that DHS:

• Include in national planning scenarios the threat of electromagnetic pulse (EMP) which would entail the education of the owners and operators of critical infrastructure, as well as emergency planners and emergency responders at all levels of government of the threat of EMP events;
• Engage in research and development aimed at mitigating the consequences of naturally occurring or man-caused EMP events;
• Produce a comprehensive plan to protect and prepare the critical infrastructure of the American homeland against EMP events.

FERC’s standard CIP-014-1, has six requirements, including

• Performing risk assessments periodically to identify weak transmission stations and substations;
• The transmission owner must modify trouble spots accordingly and implement procedures for protecting sensitive or confidential information;
• Transmission owners must let operators know there are issues so they can address them.
• Owners and transmission operators must conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each of its respective transmission stations, transmission substations, and primary control centers identified as critical under the first requirement;
• Utilities must devise physical security plans for each of their respective transmission stations, transmission substations, and their primary control center;
• Finally, they must have an unaffiliated third party with appropriate experience review its evaluation and security plan and then respond to the recommendations.

However, Todd Borandi, an industry veteran and information security architect, sees these regulations as a day late and a dollar short. He credits hackers for today’s push for regulations “because several groups made it a public point to demonstrate how easy it is to access sensitive systems and steal data, so the outcry from the private, public and even the government demanded regulations causing this whole cycle to start all over again.” The FERC standard became effective, according to the Federal Register, on January 26, 2015. It remains to be seen whether or not the boxes get checked in lieu of an improvement in physical security.

Wind - The savior?

Ironically, what might be of more help is a very simple solution: wind. LogRhythm’s Greg Foss says “Wind could be the saviour” because the Department of Energy is working on outputting windmill energy into batteries. Foss is senior security research engineer for Boulder, Colo.-based LogRhythm, a security intelligence firm.

One thing is to upgrade equipment, but as we’ve discovered that demands a huge money outlay, and as Foss says, “Right now, utilities have no real need to do this even though there have been 97 attacks against the grid so far this year.”

Foss’ company creates honeypots, which are traps for hackers. “Once they get in,” he says, “we can track them and learn.” He says that a so-called con pot is under development. It would simulate SCADA by running, for example, a gas main, a utility box or a water-heating system, which is a prime target for hackers who wish to fudge temperature readings and make things look cooler than they really are. 

His best advice is “Hire the right people, train them well and give them the tools to build solutions. Security isn’t that easy to learn and they have to have the tools to succeed.”

His company’s mantra is “not if, when,” and those words should resound loudly at all utility firms.