Before news reports of a hack on the electrical grid in the United States began to circulate, NERC advised the industry to pay careful attention to identifying critical cyber assets. In a letter, NERC told the industry to take a fresh look at their methodology for identifying such assets with a broader perspective towards the consequences to the system if the asset is used maliciously.
The day before reports of foreign spies penetrating
U.S. electrical grid hit the news, the North American Electric
Reliability Corp. advised energy companies to take a comprehensive look
at how they identify critical cyber assets.
The North American Electric Reliability Corporation (NERC) is a
non-profit, international company that works to develop industry
standards as well as improve the security and reliability of bulk power
systems in the United States, Canada and part of Mexico. In a letter addressed to the industry
NERC Chief Security Officer Michael Assante expressed concern some
energy companies may not have properly identified some assets in a
self-certification compliance survey for NERC Reliability Standard CIP-002-1 - Critical Cyber Asset Identification.
"Of particular concern are qualifying assets owned and operated by
Generation Owners and Generation Operators, only 29 percent of which
reported identifying at least one CA (critical asset), and Transmission
Owners, fewer than 63 percent of which identified at least one CA," he
Only 23 percent of separate (i.e. non-affiliated) entities reported they had at least one critical cyber asset.
While Assante noted the number may be low
because most smaller entities registered with the NERC do not
own or operate cyber assets that would be deemed high priority, he
advised companies to start with the assumption that all assets are
critical and then work backwards to rule them out.
"One of the more significant elements of a cyber threat,
contributing to the uniqueness of cyber risk, is the cross-cutting and
horizontal nature of networked technology that provides the means for
an intelligent cyber-attacker to impact multiple assets at once, and
from a distance," he wrote in the letter. "The majority of reliability
risks that challenge the bulk power system today result in
probabilistic failures that can be studied and accounted for in
planning and operating assumptions. For cyber-security, we must
recognize the potential for simultaneous loss of assets and common
modal failure in scale in identifying what needs to be protected."
"This is why protection planning requires additional, new thinking on top of sound operating and planning analysis," he added.
The letter preceded news reports this week that foreign spies had
allegedly penetrated the U.S. electric grid and left behind programs
that could potentially disrupt the system.
Patrick Peterson, chief security researcher at Cisco, commented that
NERC's risk-based approach to identifying and protecting key parts of
the United States' energy infrastructure are sound.
"The most critical step to protecting critical assets is to make
sure they are all identified," he said. "The critical cyber asset
paradigm is new to NERC's members and the letter clearly states members
need to redo their assessment with a new approach. Starting with the
assumption that an asset is not critical will always tip the scale
especially when staff is ever-busy and faces a deadline. The
letter's request to invert the burden of proof and prove the asset is
not critical will go a long way toward achieving NERC's goals."