Before Grid Hack Reports, NERC Advises Industry on Cyber Assets

Before news reports of a hack on the electrical grid in the United States began to circulate, NERC advised the industry to pay careful attention to identifying critical cyber assets. In a letter, NERC told the industry to take a fresh look at their methodology for identifying such assets with a broader perspective towards the consequences to the system if the asset is used maliciously.

The day before reports of foreign spies penetrating the U.S. electrical grid hit the news, the North American Electric Reliability Corp. advised energy companies to take a comprehensive look at how they identify critical cyber assets.

The North American Electric Reliability Corporation (NERC) is a non-profit, international company that works to develop industry standards as well as improve the security and reliability of bulk power systems in the United States, Canada and part of Mexico. In a letter addressed to the industry, NERC Chief Security Officer Michael Assante expressed concern some energy companies may not have properly identified some assets in a self-certification compliance survey for NERC Reliability Standard CIP-002-1 - Critical Cyber Asset Identification.

"Of particular concern are qualifying assets owned and operated by Generation Owners and Generation Operators, only 29 percent of which reported identifying at least one CA (critical asset), and Transmission Owners, fewer than 63 percent of which identified at least one CA," he wrote.

Only 23 percent of separate (i.e. non-affiliated) entities reported they had at least one critical cyber asset.

While Assante noted the number may be low because most smaller entities registered with the NERC do not own or operate cyber assets that would be deemed high priority, he advised companies to start with the assumption that all assets are critical and then work backwards to rule them out.

"One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber-attacker to impact multiple assets at once, and from a distance," he wrote in the letter. "The majority of reliability risks that challenge the bulk power system today result in probabilistic failures that can be studied and accounted for in planning and operating assumptions. For cyber-security, we must recognize the potential for simultaneous loss of assets and common modal failure in scale in identifying what needs to be protected."

"This is why protection planning requires additional, new thinking on top of sound operating and planning analysis," he added.

The letter preceded news reports this week that foreign spies had allegedly penetrated the U.S. electric grid and left behind programs that could potentially disrupt the system.

Patrick Peterson, chief security researcher at Cisco, commented that NERC's risk-based approach to identifying and protecting key parts of the United States' energy infrastructure are sound.

"The most critical step to protecting critical assets is to make sure they are all identified," he said. "The critical cyber asset paradigm is new to NERC's members and the letter clearly states members need to redo their assessment with a new approach. Starting with the assumption that an asset is not critical will always tip the scale especially when staff is ever-busy and faces a deadline. The letter's request to invert the burden of proof and prove the asset is not critical will go a long way toward achieving NERC's goals."