Responses to FERC’s Notice of Inquiry on potential gaps in NERC’s Critical Infrastructure Protection (CIP) standards reveal widespread reluctance on the part of industry stakeholders toward the commission’s suggestion of enhancing the standards (RM20-12).

FERC issued the NOI in June, citing concerns that the current version of the standards do not adequately address the rapidly evolving landscape of cybersecurity threats. (See FERC Starts Inquiry on CIP Standards.) Specifically, the commission based its questions on a review of the National Institute of Standards and Technology’s (NIST) Cyber Security Framework, with it asking stakeholders whether the standards provide sufficient protection in the fields of cybersecurity risks pertaining to data security; detection of anomalies and events; and mitigation of cybersecurity events.

The commission also asked for comments on the danger of a coordinated cyberattack against geographically distributed targets, and whether FERC should take action to address this threat.

Separate Spheres for NIST, CIP

Responses to the first part of the inquiry were mostly negative, with several commenters objecting to FERC’s comparison of the CIP standards to the NIST framework. For example, the Large Public Power Council and the American Public Power Association pointed out that organizations are supposed to customize the NIST framework to their specific needs. Moreover, the framework is entirely voluntary, making the idea of “compliance” a contradiction.

In a joint comment, Jason Christopher, principal cyber risk adviser for industrial security firm Dragos, and Tim Conway, industrial control systems curriculum director for cybersecurity training organization at the SANS Institute, noted that FERC’s inquiry seems to share themes with a white paper it published at the same time proposing an incentive framework for cybersecurity investments. (See FERC Seeks Comments on Cyber Investment Incentives.)

In particular, they pointed to the paper’s assertion that “the standards development process does not lend itself to addressing rapidly evolving cybersecurity threats” as indicating a crucial misunderstanding of the way the NERC standards and the NIST framework complement each other.

“While this may be an easy soundbite, the truth is more nuanced,” Christopher and Conway said. “The requirements themselves may have issues, but the ability to adapt to new threats is based on applying new and specific technologies or techniques used for compliance — not necessarily in the ability to comply with specific requirements themselves. … The what to achieve, regardless of how a technology may be deployed, is relatively timeless, independent of evolving threats.”

Arguments for Unified Standards

Supporters of the commission’s desire to reform the standards included the U.S. Army Corps of Engineers and the Bureau of Reclamation, which in a joint comment argued that “maintaining a competing set of standards for critical infrastructure” — referring to the CIP standards — is dangerous for grid stability compared to “[leveraging] the comprehensive set of published NIST standards.” The organizations urged FERC to follow the lead of other federal agencies and adopt a regulatory framework that is objective-based, rather than compliance-based.

“The focus should not be on what is wrong with the CIP standards, or how to better align them to NIST, but what is right with the NIST standards and how a convergence on a single set of standards would improve [bulk electric system] resilience and security,” the agencies said.

The New Jersey Board of Public Utilities also stepped forward to back the commission’s comparison of the CIP standards to the NIST framework, citing specific differences between the two structures to bolster the claim that NERC’s standards have serious deficiencies. Examples include the CIP standards’ lack of a mandate for monitoring data in transit for anomalies and continuity of operations, along with the lack of security requirements for low-impact BES cyber systems to match those for high- and medium-impact systems.

Multiple Defenses Against Mass Attacks

The security implications of unaddressed low-impact systems were a significant factor in FERC’s second area of inquiry, concerning coordinated cyberattacks. The commission’s key concern is whether “smaller, geographically distributed generation resources” such as rooftop solar panels and battery storage facilities — classified as low-impact systems — could provide entry points for an attacker, especially given the exclusion of such assets from NERC’s reliability standards.

Responses largely characterized the current standards as sufficient. NERC itself, commenting jointly with the regional entities as the ERO Enterprise, said that it “recognizes the emerging threat of a coordinated cyberattack” and highlighted a number of processes that it said provided an “in-depth approach to risk mitigation.” Among the tools cited was the NERC Alert process, through which the organization provides “concise, actionable information” to the industry, and forums such as the Reliability Issues Steering Committee that identify emerging risks to the BES.

Southern Co. joined NERC’s defense of its standards, asserting that multiple currently effective CIP standards, as well as several more under development, contain adequate controls for “identifying, preventing and mitigating coordinated cyberattacks.” In reference to low-impact cyber systems, Southern acknowledged the potential for harm in leaving them unaddressed but recommended that future CIP requirements aimed at securing such assets take aim at “the external connectivity that connects them together” rather than the systems themselves.