Teltone's soap box for commentary on utility security issues, standards, and the Gauntlet cybersecurity solution.
If the only tool you have is a hammer...
April 22, 2008—Burt Hadlock/VP Sales and Business Development

...then you tend to see all problems as a nail. We're reminded of this old adage as we in the utility industry ponder the path to NERC CIP compliance. Talk to the leading WAN/LAN vendors and you'll get the same old story: buy routers, more software, change the way you operate your substations...take your time. The trouble is that these vendors fail to recognize the significant capital outlay necessary in hardware alone. They then tend to lean on utility personnel to fill in the NERC CIP reporting gaps and promote a false sense of functionality in disaster recovery scenarios.

Perhaps you've been talking to the encryption experts. While they can provide security at any cost, the reporting and functionality issues pile up. Put encryption in the line for each critical asset, and the user is left to compile the collection of logs from these capital-intensive hardware additions and to roll trucks for each upgrade or firmware fix.

Each vendor class has its value, but none provides the versatility and time-to-compliance advantage of Gauntlet. Putting Gauntlet software in place allows users to leverage existing assets for dial-up connectivity and is IP ready when the substation is. Unrivaled authentication coupled with the industry’s most complete and automated reporting functions are a big part of why utilities are commissioning Gauntlet on a regular basis these days. While competitors “hammer” away at their message, you must wonder why a utility would choose a vendor that demands compliance to their solution rather than a solution that is flexible and agnostically solves the NERC CIP compliance problem.

Gauntlet. Run your operation your way. Comply today; upgrade on your timeline, not theirs.
NERC CIP–All Systems Go
January 17, 2008—Mitch Barber/Product Manager

On Jan 17th, the Federal Energy Regulatory Commission (FERC) unanimously approved the eight NERC CIP standards at the commission’s monthly meeting. The security standards officially go into effect 60 days after the ruling is published in the Federal Register. With this ruling, compliance to the security standards becomes mandatory for all U.S. electric utilities. The Canadian provinces of Ontario and New Brunswick had previously adopted the standards as well. In addition, the commission directed NERC to begin strengthening the standards. Recommended improvements include:
Effect on the Industry

The good news is that there are no surprises. The existing NERC CIP standards and the implementation plan were accepted unchanged. Utilities that were already moving down the path towards compliance can continue down that same path. Anyone who was waiting on the sidelines until the standards became officially mandated, however, will suddenly find themselves under the gun. The industry is now on the clock, with a firm June 2008 deadline to be “substantially compliant.”

The better news is that the regulatory bodies are taking cyber security seriously. With this move, the existing standards were acknowledged as a good starting point, but in need of enhancements to be truly effective. The industry now has an opportunity to improve the standards and ensure the long-term security of the North American bulk power grid. To be certain, if NERC and its members do not seize the opportunity to sufficiently tighten the CIP 002–009 standards themselves, either Congress or FERC will impose another standard upon them.

Teltone has long anticipated the enhancement of NERC CIP and has diligently watched the development of other security standards, such as the recently approved Industrial Control Systems (ICS) additions to NIST 800-53. As industry security standards evolve, Teltone is committed to supporting the developments in future product releases. With Teltone Gauntlet, utilities can be confident that they are deploying a security solution fully compliant with today’s standards and providing ongoing support for any and all future regulatory imperatives.
Congress Weighs In
January 10, 2008—Mitch Barber/Product Manager

National media coverage of the Idaho National Labs (INL) Aurora project (see blog entry) has spurred Congress into action. On October 17, 2007, three weeks after the CNN report aired, the House of Representatives Committee on Homeland Security (http://hsc.house.gov/) held a hearing to discuss the cyber threat to the nation’s electric utility control systems. Experts representing the Department of Homeland Security, the General Accounting Office, NERC, FERC and the electric utility industry were subjected to sometimes intensive questioning. Whether the hearing was valuable information-gathering or a public display of concern is a matter of opinion. Regardless, the committee spotlight has prompted legitimate questions and actions throughout the industry.

Industry responsibility

One of the pressing concerns from the committee was whether the industry was doing enough, quickly enough, to address the threats to the power grid. Several times, members expressed frustration about a “lack of urgency.” They also demanded to know how much progress had been made complying with the ES-ISAC advisory published earlier in the year. NERC’s response of “90% complete” seemed overly confident, to say the least. Upon further questioning, it was unclear whether the NERC survey and number of respondents was even capable of providing such a confident reply. So, what effect will all this have on the average electric utility? The first directive emerging from the committee requires FERC and the Office of Management and Budget to collect information from the industry regarding the steps being taken to address cyber vulnerabilities. (More info: http://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=11522578)

Standards: NERC CIP vs. NIST 800-53

Other topics included a discussion of industry standards, in particular, why does the electric industry require its own security standard (NERC CIP) rather than the widely used NIST 800-53? They probed NERC CIP’s shortcomings, such as the out-clauses (“where technically feasible,” “sound business judgment,” etc.), asked why basic public welfare provisions were removed from the final drafts (beyond the legal authority of NERC or FERC), and questioned the lengthy standards development and adoption period. We feel it is highly unlikely that there will be any changes to the NERC CIP standards or implementation plan in the near future. Even an imperfect standard is better than no standard at all. As Congress deals with this issue over the long term, however, no one should be surprised if NERC CIP is substantially modified or even replaced by NIST 800-53. Teltone is ready for this challenge. Gauntlet can help utilities achieve compliance with the NERC CIP standards today. But we don’t stop there. We are committed to keeping Gauntlet up to date and compliant with whatever standards changes occur.

New Year's Resolutions for Utilities
December 19, 2007—Burt Hadlock/VP Sales and Business Development

For most of us, the new year brings a flurry of promises and resolutions, often the result of simple acts like climbing the stairs or checking the mirror. NERC has kindly supplied utilities with all the information needed for resolution-making and goal-setting for the coming year. With some amplification from FERC and DHS, utilities should be getting the message. NERC is suggesting in a not-so-subtle way that a great New Year’s resolution would be to become substantially CIP compliant by June 2008. While there is arguably some ambiguity in the term “substantially,” it should be clear that by then utilities must be well underway, past planning stages and well into a four-fold implementation plan:
While the financial penalties may seem distant, getting to a point where a utility has begun a rollout and is “mostly complete” means acting now…or sooner! The reality is that some utilities are underway while many have not yet begun. Caught up in analysis and second guessing, these utilities will ultimately be in a full-on scramble to catch up or ask for waivers and extensions. In the meantime, their critical assets go unprotected and vulnerable, or unplugged. Those utilities that are resolved to getting to the “mostly compliant” stage will ultimately save time and money and avoid the chance that a cyber attack could cripple them functionally and financially in a very public way.

The Aurora Project as a Catalyst
December 14, 2007—Debra Griffith/CEO

The recent CNN coverage of the Idaho National Labs (INL) Aurora project was a carefully crafted series of sound bites aimed at raising the public's awareness of the vulnerability of the nation's power grid. Of course, INL did not prepare this video with the intention of making it public, but there’s no putting the cat back in the bag. While some in the industry may be critical of claims made by CNN or the specific example used, the video did have the “turning point” effect that a powerful investigative news story often does. Public pressure on elected representatives prompted recent congressional hearings (see blog entry), raising visibility of the extensive delays in implementing security standards in the post-9/11 and blackout era.

We believe that the public would be shocked and dismayed at the current state of security of their source of electricity. Generally, they naively trust that it is under control, given the emphasis in recent years on homeland security. On the contrary, it isn’t, and utilities struggle with the needed resources to do the right thing on their own. Standards from NERC that have yet to be enforced at the federal level likely fall short of what the general public would view as acceptable. Those of us who provide solutions for the gap in electrical grid security have an obligation to be proactive and clear with utilities as well as elected representatives about the cost-effective and easily implemented solutions available today. Ratepayers expect utilities to do the right thing, even in the difficult circumstances of responding to security requirements, green energy and a host of other industry pressures, all of course with the least possible effect on their power bill. The least we as vendors can do is make sure they understand the solutions are available.