Examining NERC-CIP 001-009 and NRCs 10 CFR 73.

54
Miles Histand February 28, 2014
I. I NTRODUCTION The North American Electric Reliability Corporation (NERC) governs a set of standards for power entities which make up the Bulk Electric System (BES) [1]. Within these standards, there are specic rules which help utilities and other companies working inside the grid protect their assets from compromising events. It is of paramount importance that, when it comes to malicious events relating to cyber activities for power entities, a quick and responsive plan is in place at all prime junctions to prevent any severe consequences. As we rely more and more on wireless transactions among data systems, cyber protection becomes more crucial. The Critical Infrastructure Protection (CIP) model, formulated by NERC, is a standard that entities salute to in order to effectively mitigate cyber attacks. Altough NERC defers its control over nuclear entities to the U.S. Nuclear Regulatory Commission (NRC) standards, and although a higher degree of secutity is sought for nuclear plants, the corporation offers a frame of reference for any power entities which seek cyber protection guidelines. This paper discusses the fundamentals of cyber security in the perspective of NERC-CIP, how these standards relate to NERC standards, and what NERC guidelines might miss as far as completely protecting a nuclear structure and its afliates from threats. II. I MPORTANCE OF CIP According to NERC, ...Standards CIP-002 through CIP-009 provide a cyber security framework for the identication and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. [2] In general, NERC makes sure that all entities of the BES protect assets associated with sensitive information which may be compromised during a cyber attack. CIP-002 through CIP009 uphold the following aspects: Identify each cyber-sensitive asset (CIP-002) Establish a comprehensive management process surrounding cyber-related assets (CIP-003) Ensure outside contractors working among cyber-related assets are properly trained (CIP-004) Maintain security protocols at every access point of a cyber-related asset (CIP-005) Ensure a physical security system is in place surrounding all cyber-related assets (CIP-006) Establish clear denitions for keeping all sensitive technologies secure (CIP-007) Maintain documentation, records, and mapping relating to cyber-related incidents (CIP-008) Create a recovery plan to handle situations before, during, and after a cyber-related incident (CIP-009) Not only do these regulations provide each plant with a sound security design, but they are vital for maintaining the health of the entire region. Since BES entities are strongly integrated, each facility would certainly feel the effects of a single compromised asset. Implementing NERC-CIP within a new or existing system can be costly to an entity at rst. These nancial obstacles might include funding for new NERC-certied employees, software installations, hardware replacement, and occasionally, total system restructuring. Investors and owners might nd these costs large at rst, but a reminder of the potentially unsurmountable costs of one cyber attack on the system would change their perspective [3]. By having a unied source for cyber-monitoring methodology, it is possible to update regulations standards in a single step. This is especially important as NERC-CIP protocol transitions from Version 4 to Version 5. Without a unied standard, there is a risk for entities not associated with NERC-CIP to be susceptable to advanced malware methods. In terms of a physical example, securing a door whose lock is obsolete will surely allow an adept burglar to enter the premises. Fortunately the requirement for entities to follow updated methodology is enforced. A single-source cyber protection guideline such as CIP can ensure that all facets of a highy fortied cyber protection model are implemented. Plants connected to the grid cannot afford such shortcomings from any other regulation of lesser degree, and a facility that falls short of complete cyber protection cripples the rest of the grid. By having a common basis for fortifying assets, and by implementing standardization templates provided by NERCCIS resources, each entity of the eight monitored regions of the United States can rest assured that they will be safe. It is important to keep in mind that NERC is governed by the Federal Energy Regulatory Commission (FERC), which has power over and approves guidelines set by NERC. Interestingly, recent movements have been made by FERC which suggest a desire to quicken the response to cyber attacks which might infringe on national security. this implies that FERC

Cyber Security for the Bulk Electric System:

might have the upper hand when it comes to regulation itself. Although there have been ongoing arguments over federal and state regulatory control, these issues should not impede on the original intent of the established rules. Moreover, revisions and enhancements to the set guidelines should continue without ambiguity [4]. III. N UCLEAR R EGULATION According to NRC, Each licensee subject to the requirements of [CFR 73.54] shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks. [5] The nuclear plant has a much larger life-threatening capability than other plants when pushed into an unstable condition [6]. Therefore, system security in the nuclear realm is handled at a much higher degree than other energy producing sectors. The NRC makes sure that a comprehensive cyber regulation for nuclear facilities is in place. Based on CFR 73.54, a nuclear facility must uphold these aspects: Secure data within each cyber-sensitive asset Analyze each cyber-prone asset to determine its level of security Conrm that data systems can detect and respond to any malware Train all personel afliated with data systems to handle cyber threats Maintain written logs, policies, and records pertaining to cyber activities Although nuclear regulation is handled by NRC, we can imagine that the steps for protecting a nuclear facility and protecting a geothermal plant, for exampe, might initially follow CIP guidelines. In fact, the guidelines stated in NRCs CFR 73.54 reect much of what is said in NERCs CIP procedure. This is evidently not a surprise, since data and computer assets have many similar features associated with them, such as I/O ports, wireless methods, Supervisory Control And Data Acquisition (SCADA), and many others. Figure 1 depicts the breadth of what both cyber security procedure models might involve [7]. Figure 2 shows what might be involved when implementing security systems within the hierarchical boundaries of the nuclear facility. Protecting a nuclear facility from cyber threats in the scope of NERC-CIP may be useful, but it may not be optimal. A strike against a nuclear facility can be much more difcult to contain, and it may have farther outreaching effects than other plants. Therefore, rigorous detail to the protecting technology as well as remediation and foensics after the fallout case used must be had. As written in CFR 10 73.54, incident response and emergency preparedness functions must include duties which handle technologies that govern the control rods, the uranium fuel, and the reactor vessel. In such an environment such as the nuclear reactor, proper radioactive-proof gear must

Fig. 1. Action levels of a cyber-oriented regulatory system. c 2014 Miles Histand

Fig. 2. Boundaries and sections relating to cyber protection. c 2014 Miles Histand

be on site and worn at all times before, during, and after an incident.

IV. C ONCLUSION It is important that regulatory procedures mitigate onslaught of cyber threats as well as keep entities within the BES reliable and efcient. While NERC CIP provides the fundamental guidelines which are enforced throughout the grid, it is a good reminder that a clear distinction must be made between nonnuclear and nuclear entities, simply because of the greater impact a nuclear threat might be to everyone involved. Thus, NRC provides that different standard in the nuclear realm. NERC and NRC have overlap in cyber security regulation, and this fact adds interoperability among BES, but their regulation schema arent identical. R EFERENCES
Shared, North american electric reliability corporation, Online. NERC, Cyber security - critical cyber asset identication, pp. 3031. M. Espinoza, 09a sdge nerc cip, Online. K. Rowland, Ferc versus nerc - a cyber security showdown?, Intelligent Utility, Aug 2011. [5] NRC, 10 cfr 73.54 - protection of digital computer and communication systems and networks., Mar 2009. [6] Group, Everything you want to know about nuclear power, University of Melbourne, July 2010. [7] WizNucleus, The unique nuclear power plant cyber security risk assessment solution, University of Melbourne, 2014. [1] [2] [3] [4]