It’s that time again. Another version of the NERC Critical Infrastructure Protection (CIP) standards is going through the final steps in the long process of becoming a mandatory and enforceable regulation for the electric industry. We are now on version 5 with a high probability of a version 6 right around the corner. For an industry that moves at glacial pace under normal circumstances, the frequency with which the CIP standards have changed has caused whiplash for the sector. For many critical infrastructures, making swift changes to security models and architectures can have very costly and potentially disruptive effects. Especially in sectors with any significant age (read: legacy equipment still humming along just fine). As such, many have been struggling with the impacts of this latest iteration. The problem: we might actually be looking at leapfrogging two versions of the standard.
How did this happen? Well, there’s long and rich history here but I’ll keep it brief.
Version 3 of the CIP standards is currently in effect. Version 4 is approved and set to be effective on 4/1/2014. NERC has submitted version 5 to FERC for approval – with the urgent flag set – in the hopes that FERC can turn the battleship in the bathtub and get it approved fast enough to supersede version 4. Why the rush? To minimize some of that impact I mentioned above. Too many changes too quickly causes very real problems. If version 4 goes into effect, and then a short time after that, version 5 is adopted, then we end up with a messy situation. It is hard to implement and enforce this many versions of a standard. By this, I mean it affects everyone in the regulatory mix, the utility asset owners and the enforcement authorities as well (FERC, NERC and the Regional Entities).
The underlying challenge here is that the difference between versions 4 and 5 is the most significant change in the history of the standards. It is a step-function shift in the direction, coverage and implementation of these security regulations. FERC was very clear about its concerns regarding the version 5 changes in its recent comments back to NERC. FERC proposed that it would approve the standards, but with some required modifications, based on how the industry at large comments on its areas of concern. This means that the industry would then send FERC a new version of the standard, modified to meet those requirements, and ask for yet another speedy approval. Maybe even approval before version 5 becomes effective. This would take us from version 3 straight to version 6. It may sound crazy, but believe it or not this makes good sense and would actually have the least impact on the industry.
Now, the odds on whether or not this happens are something even the Vegas experts would enjoy. There are wildcards to be factored in as well. Things such as the recent Executive Order on Cybersecurity, the Presidential Policy Directive 21, the Congressional cybersecurity bill/legislation factory and, of course, the ever-present security threat against the grid. Any of these “influences” can alter the course in ways we don’t yet fully understand. Our industry is surrounded by signs of change. We don’t like change. Change is bad. It’s not just a negative, do-nothing attitude though (despite what some would have you believe). Rather, the industry’s position is based on experience and maturity only obtained by successfully managing the most complex and reliable system ever built by human beings: the North American power grid.
All of this uncertainty is bad as well. It causes the industry to react like a deer in headlights. Most are afraid to move because any move may be the wrong one, given all of the potential shifts in their regulatory landscape. And the wrong move may be an expensive move to correct. More importantly, this isn’t the best mindset from a security perspective. It is reactive, not proactive. It spreads precious and expensive security resources too thin.
So, put on your seatbelt because the road gets even bumpier ahead. But at the same time, stop worrying about which regulation is coming your way and start building a solid security program. If you can get your security operations as well-oiled as your field operations for electric delivery, then you’re probably going to be fine when it comes to regulations – and more importantly, when it comes to reliability (which is what it’s all about after all). Compliance through good security is the most effective and least expensive (long term)