
ENVIRONMENTAL REVIEW & CASE STUDY: NERC's Cybersecurity Standards for the Electric Grid: Fulfilling Its Reliability Day Job and Moonlighting as a Cybersecurity Model

Published online by Cambridge University Press:  14 September 2011

Zhen Zhang*
Affiliation: Environmental Law Center, Institute for Energy and Environment, University of Vermont Law School, South Royalton, Vermont
*Zhen Zhang, Environmental Law Center, Institute for Energy and the Environment, Vermont Law School, 164 Chelsea Street, PO Box 96, South Royalton, VT 05068; (phone) 802-831-1151; (fax) 802-831-1140; (e-mail) zzhang001@gmail.com

Abstract

The electric industry is experiencing notable changes with the implementation of communication and automation technology, many of which are part of the smart grid movement. Similar to other critical infrastructure industries such as banking, transportation, and the cross-sector critical information infrastructure industry, the electric industry must protect itself from intentional and unintentional security breaches and incidents to ensure uninterrupted operation of essential services. Of the critical infrastructure industries, the electric industry is the only private-sector industry subject to government-enforced mandatory cybersecurity standards. This article presents an overview of the eight mandatory cybersecurity standards of the North American Electric Reliability Corporation. As an example of how the standards are evolving, it discusses CIP-002 (Critical Cyber Asset Identification) in depth, because CIP-002 establishes whether the remaining seven standards apply. The article then compares the North American Electric Reliability Corporation regulatory framework against critical information infrastructure goals. The comparison finds that, at least on a basic level, the electric industry's mandatory cybersecurity standards meet the critical information infrastructure goals and work to secure information networks, resources, and systems from cyber and physical threats. The mandatory cybersecurity standards promote an increase in technological products, better security management, personnel and public education, and trust in the industry. Even though the electric industry's mandatory standards are imperfect, the fact that they satisfy the goals of the cross-sector critical information infrastructure indicates that the framework is sound. The electric industry's experience with mandatory cybersecurity standards is a valuable source of information, and the regulatory framework itself can be a helpful model for other industries looking to develop their own security protection systems.

Environmental Practice 13:250–264 (2011)

Type: Features
Copyright © National Association of Environmental Professionals 2011

