On April 8, 2009, the North American Electric Reliability Corporation (“NERC”) released a statement stating that although they are not aware of any known cyber attacks on the electric grid, cyber security is an area of concern for the organization. On the same day, the Wall Street Journal published an article finding breaches in the United States power grid by spies from China, Russia, and other countries.
One day prior to the press release, NERC sent a letter to industry stakeholders regarding the results of a compliance self-certification survey for the NERC Reliability Standard CIP-002-1-Critical Cyber Asset Identification (“Standard CIP-002”). This reliability standard identifies and documents Critical Cyber Assets associated with the Critical Assets (“CA”) that support the reliability of the Bulk Electric System. Congress made the reliability standards mandatory through the Energy Policy Act of 2005, and NERC was designated by FERC to enforce reliability standards for the national grid infrastructure.
In his letter to stakeholders, Michael Assante, NERC’s Vice President and Chief Security Officer, expressed his concern with the survey results. The 2008 survey results showed only 29 percent of Generation Owners and Operators identifying at least one CA and less than 63 percent of Transmission Owners identifying at least one CA. He stated “[t]here is definitely more to be done” and he went on to urge stakeholders to expand the list of considerations for evaluating cyber security. He said “[r]ather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for simultaneous manipulation of all devices in the substation or worse yet, across multiple substations.” Assante also stated a better approach to identifying CAs in the future is to adopt a “rule out” approach where every asset is assumed to be a CA until it is demonstrated otherwise.
The next time period for self-certification is from January 1-June 30, 2009, and compliance audits for Standard CIP-002 will begin July 1, 2009. NERC is taking more proactive measures in the meanwhile with NERC, along with the Regional Entities, reviewing the list of entities that reported in 2008 that they do not possess any CAs. NERC will evaluate the reasoning for reporting no CAs, and then NERC will recommend corrective actions, if necessary. NERC will also conduct its own analysis to determine whether those assets will affect system reliability or operability if the assets were destroyed, degraded, or otherwise made unavailable. Additionally, NERC will be conducting several webinars and information sessions to help Registered Entities fully understand Standard CIP-002 requirements. All stakeholders are being asked to take a fresh look at their CAs in the upcoming months.
The April 7 letter to stakeholders is available at: http://www.nerc.com/fileUploads/File/
News/CIP-002-Identification-Letter-040709.pdf, and the April 8 press release is available at: http://www.nerc.com/fileUploads/File/PressReleases/PR_0440809_Cyber-Statement.pdf.