1 Industrial control system cybersecurity regulations: what can we learn from history?
Aaron Clark-Ginsberg and Rebecca Slayton
September 15th, 2016

This material is based upon work supported by the U.S. Department of Homeland Security. The views and conclusions contained in this material are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. The authors would like to thank the U.S. Department of Homeland Security for its support.

2 Background and overview
Project objective: to examine the impacts of cybersecurity standards on the resilience of the power grid and other critical infrastructures.
Session objectives:
Present early findings on the history of cybersecurity regulations for the electric sector (the good, the bad, the ugly!)
Engage in discussion to learn from other industrial control system industries
Audience questions:
What is the impact of the NERC CIP cybersecurity standards on the power grid?
How can the NERC CIP standards-setting and enforcement process be improved?
What can we learn from experience in other industrial control systems?

3 The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards
Consensus standards for the bulk electric system developed by industry (NERC) with federal oversight (FERC), enforceable since 2008.
Effectiveness is a matter of debate, including scope (what they cover), functionality (effect on utilities), and adaptation (rate of change).
Historical development: concerns emerge over electric grid cybersecurity (1980s/1990s); mandatory standards develop (early 2000s); expertise and organizational focus develop (late 2000s).
Findings: NERC CIP increased resources and executive-level attention toward ICS security, but the process of setting and enforcing standards could be improved.

5 CIP Standards

6 CIP Standards
Determination of CIP applicability (High/Medium/Low impact)
Identification of BES Cyber Systems and associated assets
Implementation of a physical security perimeter
Implementation of an electronic security perimeter
Securing cyber assets
Monitoring and training of staff and visitors
Incident reporting and response
Planning and policy development
Information protection
CIP compliance management

7 1980s/1990s: growth of electric grid cybersecurity and critical infrastructure concerns
Government and policy communities develop a critical infrastructure protection concept that includes cybersecurity: infrastructure is a complex and threatened ‘system of systems’ (including cyber) requiring everyone’s cooperation, private sector expertise, and no regulations.
But utilities do not take ICS cybersecurity seriously: cybersecurity is embedded within IT (not OT), executives and engineers are unaware of OT cybersecurity, and security expertise is lacking.
NERC has voluntary standards and is pushing to make them mandatory.

9 “As systems grow more complex, the volume and speed of information flow needed to control them grow until only computers can cope with these demands. Computers' undiscriminating willingness to do what they are told, however nonsensical, increases control vulnerability further.” – Amory Lovins, 1982
“Today, the right command sent over a network to a power generating station’s control computer could be just as devastating as a backpack full of explosives, and the perpetrator would be more difficult to identify and apprehend.” – President’s Commission on Critical Infrastructure Protection, 1997

10 “…this could not be another ‘Big Government’ unilateral effort. Government must set the example, but the owners and operators are key to success. They have a strong economic stake in protecting their assets and maximizing customer satisfaction. They understand the infrastructures and have experience in responding to disruptions.” – General Tom Marsh, chair, President’s Commission on Critical Infrastructure Protection

11 Early 2000s: mandatory cybersecurity standards develop
9/11, Enron, and the 2003 blackout challenge the self-regulatory approach.
2003: NERC cybersecurity standards proposed, based on Appendix G of FERC’s failed Notice of Proposed Rulemaking.
2005: Energy Policy Act includes reliability and security provisions; NERC becomes the electric reliability organization, with oversight from FERC.
Developing mandatory cybersecurity standards is difficult for NERC: disparate stakeholders, lack of knowledge, and no precedent.

12 FAIL!

13 “…there are terrorists and other malicious actors who have the capability to conduct a malicious cyber-attack with potential to disrupt the energy infrastructure.” – blackout investigation report
FERC Chairman Pat Wood, “frustrated” that electric utilities “consistently failed to learn” from blackout events, states: “I’ll push reliability authority as far as I can until they [Congress] stop me.”
FAIL!

14 Spoilers: IT, OT, physical security; generation, transmission, distribution; regional grid differences; corporate structures; technological structures

15 2005–present: development and consolidation of expertise and norms
Standards improve upward and cross-sectional communication
Standards help identify and segment critical systems
A compliance focus, not a security focus, emerges (lawyers/paperwork!)
Auditors ‘lubricate’ standards, but there are challenges in attracting skilled staff
Industry cyber and regulatory expertise and knowledge grow
Standards continue to be revised and strengthened

18 Conclusion: how the NERC CIP standards affect cybersecurity
The good:
CIP standards provided a ‘push’ for cybersecurity (functionality)
CIP standards improved upward/downward/sideways communication (functionality)
CIP standards have improved over time (adaptation/functionality)
The bad:
CIP standards change slowly (adaptation)
CIP standard incentive structures can be misaligned (functionality)
The ugly:
Standards seem necessary to incentivize cybersecurity…and security (functionality)
Lead times between regulations and expertise can be substantial (functionality)
Jurisdictional issues and contingencies will always be present (scope/adaptation)

19 Concluding questions
Are regulations an effective means of building industrial control system cyber-resilience?
Are they necessary for industrial control system security, or are there alternatives?
How can we support learning within and between industrial control system intensive industries?
What tools, guidelines, or processes might be developed to help improve regulatory effectiveness?
Project website:
CIRI website:
