FERC, NERC and Business Blackout: New CIP Standards and Fictional Cyber Attacks
The Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) July 16, 2015, proposing to approve various Critical Infrastructure Protection (CIP) reliability standards proposed by the North American Electric Reliability Corporation (NERC) and further proposed to direct NERC to develop a new CIP reliability standard to protect the bulk electric system (BES) supply chain. Comments on the NOPR are due Sept. 21, 2015.
The NOPR reflects FERC’s heightened attention to the cyber security of the BES by demanding the expansion of the scope of CIP standards and wielding its authority under section 215 of the Federal Power Act (FPA) to order NERC to develop a new standard, while laying out the purpose and parameters of such standard. If adopted, the NOPR will undoubtedly require responsible entities to devote resources to additional CIP compliance and elicit further debate regarding the cost-benefit analysis of NERC reliability standards. Lending potential credence to the 'benefit' side of the equation, Lloyd’s and the University of Cambridge Centre for Risk Studies recently published an Emerging Risk Report, titled Business Blackout: The Insurance Implications of a Cyber-attack on the US Power Grid. The report posits that a large-scale cyber attack on the U.S. power grid could cost the US economy trillions of dollars. A summary of the NOPR and Report follows.
FERC’s CIP NOPR
The CIP NOPR follows NERC’s submission of seven CIP standards on Feb. 13, 2015 in compliance with Order No. 791, which addressed “Version 5” of the CIP standards. FERC concluded that NERC satisfactorily complied with most mandates of Order No. 791. Specifically, NERC removed language stating a responsible entity must “identify, address, and correct” compliance deficiencies from seventeen CIP requirements that FERC found did not meet the “clear and unambiguous” objective of reliability standards. NERC explained that the original intent of the language would nonetheless be satisfied via procedural revisions to its Compliance Monitoring and Enforcement Program.
NERC also addressed FERC’s concern that there were no objective criteria for evaluating compliance for “Low Impact” cyber systems. As amended, NERC’s proposed new “High, Medium or Low Impact” tiered approach to classifying cyber systems now assigns enumerated controls for Low Impact cyber systems, including the requirement to develop management-sanctioned cyber security policies for Low Impact cyber systems. This will be significant to entities that previously did not have any cyber assets covered by the reliability standards. Not only must these entities now assess and classify all cyber systems, but must further designate resources to develop policies meeting certain minimum requirements to protect such assets.
FERC advocated for further protection of Low Impact cyber systems in the NOPR with respect to NERC’s proposed controls for transient devices, including thumb drives and portable laptop computers. NERC developed controls for transient devices in response to Order No. 791 (along with a new Glossary Term defining such devices), but explained resources would be best allocated by only applying the requirements to Medium and High Impact cyber systems. FERC directed NERC to either provide adequate justification for the exclusion of Low Impact cyber assets or risk being sent back to develop requirements that appropriately accommodated such assets.
FERC also directed NERC to revisit changes it made affecting communication networks. FERC perceives a reliability gap in NERC’s proposal to create controls for “nonprogrammable components of communication networks within the same Electronic Security Perimeter.” The exclusion of programmable and nonprogrammable communication network components that exist outside an Electronic Security Perimeter leaves “real-time data passing between Control Centers outside of a facility” unprotected. FERC thus directed NERC to revise the requirements of CIP-006-6 to protect inter-Control Center communications. FERC also specifically requested comment on whether it should consider additional protections for remote access to cyber systems.
The NOPR steps outside the bounds of NERC’s compliance filing to propose the creation of a new Reliability Standard to address supply chain protection. Citing to guidance provided by the Department of Energy, the Department of Homeland Security, and the National Institute of Standards and Technology, FERC explained that “the global supply chain also enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may result in risks to the end user.” The new Reliability Standard would only apply to entities under the jurisdiction of FPA § 215, yet would need to consider the entire supply chain. At a minimum, FERC stated the standard “should accommodate … an entity’s: (1) procurement process; (2) vendor relations; (3) system requirements; (4) information technology implementation; and (5) privileged commercial or financial information.” FERC acknowledged that this would be a “significant undertaking” and requested comments on the proposal to facilitate stakeholder input at the standard’s inception.
Lloyd’s Emerging Risks Report
Lloyd’s and the University of Cambridge Centre for Risk Studies recently published Business Blackout: The Insurance Implications of a Cyber-attack on the US Power Grid, an assessment of the insurance implications of a large-scale cyber attack on the U.S. power grid. The assessment relied upon a fictional scenario developed by subject matter experts drawing from historical examples and plausible technological exploits. The report depicts actions of sophisticated attackers who engage in methodical planning and reconnaissance, and deploy a variety of tactics to penetrate the security of the electrical grid. These tactics include social engineering, hacking of remotely accessed controlled systems, physical intrusions, and the deployment of malware. The malware ultimately infects multiple electricity generation control rooms, allowing attackers to control them remotely, forcing them to overload and burn out, causing fires, explosions and sustained outages. The Lloyd’s report estimates such an attack could deprive millions of individuals and businesses of power for sustained periods, and cost the U.S. economy between $243 billion to $1 trillion in the most extreme version of the scenario.
The scenario addresses three attributes of cyber risk that distinguish it from other types of risk. The first is the systemic exposure caused by connected digital networks and shared technologies. The second is the “intangible” nature of a cyber attack – it is usually surreptitiously deployed and often not detected for months or even years after the event. The third is the dynamic and evolving nature of technology driven by human creative intelligence. Although the fictional scenario depicted in the Lloyd’s report is improbable, it is technologically possible. Business Blackout demonstrates that if such an attack occurred, the effects would be wide ranging, impacting not just power generation, transmission and distribution companies, but literally every aspect of our critical infrastructure and economy. The report estimates that the insurance industry would face cyber attack-related claims ranging between $21.4 billion up to $71.1 billion in the most extreme version of the scenario. It nonetheless asserts that insurance can be a valuable tool for managing and responding to cyber risk.