NERC has asked FERC to dismiss a complaint brought by security activist Michael Mabee against the ERO’s critical infrastructure protection (CIP) reliability standards — in particular, CIP-013-1 (Cyber security supply chain risk management) (EL20-46).
CIP-013-1 is set to take effect Oct. 1, along with CIP-005-6 (Electronic security perimeter(s)) and CIP-010-3 (Configuration change management and vulnerability assessments). The standards were scheduled to take effect July 1, but FERC agreed to delay implementation in order to reduce compliance burdens on industry during the COVID-19 pandemic. (See FERC Agrees to Defer Standards Implementation.)
Mabee’s complaint, filed May 12, centers on President Trump’s executive order of May 1 declaring a national emergency regarding foreign threats to the bulk power system and restricting the purchase of BPS equipment from suppliers suspected of connections with “foreign adversaries.” (See Trump Declares BPS Supply Chain Emergency.) In the filing, Mabee characterized the executive order as “a vote of no-confidence in the lackadaisical and inadequate actions of FERC and NERC” to protect the electric grid.
The particulars of the complaint focus on CIP-013-1, which Mabee calls inadequate to protecting the BPS because it only covers high- and medium-impact BES cyber systems but allows individual companies to determine what systems qualify as low-impact. Citing language in the executive order that directs the secretary of energy to “identify [BPS] equipment designed, developed, manufactured or supplied” by foreign adversaries, without reference to their level of impact, Mabee said CIP-013-1 should be modified to apply to all equipment in the BPS without exception.
In addition to calling for the revamping of CIP-013-1, Mabee issued a broader critique of NERC’s cybersecurity standards, which he said have been subjected to “bureaucratic delays and [an] onerous process” of development. Referring to a report issued last year by the Government Accountability Office, the complaint also warns that the CIP standards fail to meet the goals of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.
NERC Attacks ‘Logical Fallacy’
In its response, NERC said Mabee “relies on a logical fallacy” that because Trump’s executive order “covers more systems than CIP-013-1,” it must invalidate the standard. However, NERC asserted that CIP-013-1 — along with other CIP standards — deals with supply chain risks in a broad sense, while the emergency declaration “addresses specific risks from specific sources,” such as hostile governments. The two measures therefore should be understood as complementary rather than contradictory.
“Security of the BPS requires a multipronged approach, and pursuit of one action, such as the items outlined in the BPS executive order, does not mean that other actions, such as the risk assessment process under CIP-013-1, are invalidated or unnecessary,” NERC said.
The organization did acknowledge that the CIP standards should be evaluated for effectiveness and expanded when necessary but said that this evaluation is already underway through such standard development projects as 2020-03, which is specifically intended to evaluate the risks posed by low-impact cyber systems. NERC asked that the commission allow that project to continue, along with others already considering some of the changes recommended by the complaint.
Regarding NIST’s framework, NERC pointed out that it suggests voluntary actions for responsible entities and hence its recommendations must be adapted to the ERO’s purposes. Nevertheless, the organization said it “consistently relies upon” the framework to guide its standards development efforts in the realm of cybersecurity. It criticized Mabee for citing criticism of outdated versions of the CIP standards — both from the GAO report and from congressional testimony in 2008 — to imply otherwise.
NERC’s rebuttal follows FERC’s dismissal last week of another challenge by Mabee to the physical security standard CIP-014-2 (EL20-21). (See FERC Rejects Challenge to CIP Standards.) In that complaint, Mabee pointed to the lack of reported violations to indicate that the standard was inadequate and lacked enforcement. FERC said in its response that the lack of violations could just as easily “be attributed to industry compliance.”