Aaron Clark-Ginsberg and Rebecca Slayton

Presentation transcript:

Industrial control system cybersecurity regulations: what can we learn from history?
Aaron Clark-Ginsberg and Rebecca Slayton
September 15th 2016
aaroncg@stanford.edu
This material is based upon work supported by the U.S. Department of Homeland Security. The views and conclusions contained in this material are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. The author would like to thank the U.S. Department of Homeland Security for its support.

Background and overview
Project objective: to examine the impacts of cybersecurity standards on the resilience of the power grid and other critical infrastructures
Session objectives:
- Present early findings on the history of cybersecurity regulations for the electric sector (the good, the bad, the ugly!)
- Engage in discussion to learn from other industrial control system industries
Audience questions:
- What is the impact of the NERC CIP cybersecurity standards on the power grid?
- How can the NERC CIP standards-setting and enforcement process be improved?
- What can we learn from experience in other industrial control systems?

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards
- Consensus standards for the bulk electric system, developed by industry (NERC) with federal oversight (FERC), enforceable since 2008
- Effectiveness is a matter of debate, including scope (what they cover), functionality (effect on utilities), and adaptation (rate of change)
- Historical development: concerns emerge over electric grid cybersecurity (1980s/1990s); mandatory standards develop (early 2000s); expertise and organizational focus develop (late 2000s)
- Findings: NERC CIP increased resources and executive-level attention toward ICS security, but the process of setting and enforcing standards could be improved

CIP Standards

CIP Standards
- Determination of CIP applicability (high/medium/low impact)
- Identification of BES Cyber Systems and associated assets
- Implementation of a physical security perimeter
- Implementation of an electronic security perimeter
- Securing cyber assets
- Monitoring and training of staff and visitors
- Incident reporting and response
- Planning and policy development
- Information protection
- CIP compliance management

1980s/1990s: growth of electric grid cybersecurity and critical infrastructure concerns
- Government and policy communities develop a critical infrastructure protection concept that includes cybersecurity: infrastructure is a complex and threatened ‘system of systems’ (including cyber) requiring everyone’s cooperation, private sector expertise, and no regulations
- But utilities do not take ICS cybersecurity seriously: cybersecurity is embedded within IT (not OT), executives and engineers are unaware of OT cybersecurity, and security expertise is lacking
- NERC has voluntary standards and is pushing to make them mandatory

“As systems grow more complex, the volume and speed of information flow needed to control them grow until only computers can cope with these demands. Computers' undiscriminating willingness to do what they are told, however nonsensical, increases control vulnerability further.” – Amory Lovins, 1982

“Today, the right command sent over a network to a power generating station’s control computer could be just as devastating as a backpack full of explosives, and the perpetrator would be more difficult to identify and apprehend.” – President’s Commission on Critical Infrastructure Protection, 1997

“…this could not be another ‘Big Government’ unilateral effort. Government must set the example, but the owners and operators are key to success. They have a strong economic stake in protecting their assets and maximizing customer satisfaction. They understand the infrastructures and have experience in responding to disruptions.” – General Tom Marsh, chair, President’s Commission on Critical Infrastructure Protection

Early 2000s: mandatory cybersecurity standards develop
- 9/11, Enron, and the 2003 blackout challenge the self-regulatory approach
- 2003: NERC cybersecurity standards proposed, based on Appendix G of FERC’s failed Notice of Public Rulemaking
- 2005: Energy Policy Act includes reliability and security provisions; NERC becomes the electric reliability organization, with oversight from FERC
- Developing mandatory cybersecurity standards is difficult for NERC: disparate stakeholders, lack of knowledge, and no precedent

FAIL!

“…there are terrorists and other malicious actors who have the capability to conduct a malicious cyber-attack with potential to disrupt the energy infrastructure” – 2003 blackout investigation report

FERC Chairman Pat Wood, “frustrated” that electric utilities “consistently failed to learn” from blackout events, states: “I’ll push reliability authority as far as I can until they [Congress] stop me”

[Figure: “Spoilers” diagram listing IT, OT and physical security; generation, transmission and distribution; regional grid differences; corporate structures; technological structures]

2005-present: development and consolidation of expertise and norms
- Standards improve upward and cross-sectional communication
- Standards help identify and segment critical systems
- A compliance focus, rather than a security focus, emerges (lawyers/paperwork!)
- Auditors ‘lubricate’ standards, but there are challenges in attracting skilled staff
- Industry cyber and regulatory expertise and knowledge grow
- Standards continue to be revised and strengthened

Conclusion: how the NERC CIP standards affect cybersecurity
The good:
- CIP standards provided a ‘push’ for cybersecurity (functionality)
- CIP standards improved upward/downward/sideways communication (functionality)
- CIP standards have improved over time (adaptation/functionality)
The bad:
- CIP standards change slowly (adaptation)
- CIP standard incentive structures can be misaligned (functionality)
The ugly:
- Standards seem necessary to incentivize cybersecurity…and security (functionality)
- Lead times between regulations and expertise can be substantial (functionality)
- Jurisdictional issues and contingencies will always be present (scope/adaptation)

Concluding questions
- Are regulations an effective means of building industrial control system cyber-resilience?
- Are they necessary for industrial control system security, or are there alternatives?
- How can we support learning within and between industrial control system intensive industries?
- What tools, guidelines, or processes might be developed to help improve regulatory effectiveness?
Project website: http://cisac.fsi.stanford.edu/docs/regulation-and-power-grid-resilience
CIRI website: http://ciri.illinois.edu/