“Cybersecurity: The energy industry case”
Inside Counsel 07/23/15 By Adam T. Margolin
The North American electric power grid is sometimes described as the largest machine ever built. Given its size and interconnected nature, the grid traditionally has been viewed as particularly vulnerable to physical disruption from weather-related damage, intentional attacks, human error and aging equipment. However, as the grid modernized through increased automation and communication, it became necessary to consider cyber threats alongside those more traditional concerns. The industry responded, both through regulation and by establishing voluntary information-sharing networks.
The energy sector's method of preparing for cyber threats and promoting appropriate regulation is instructive in planning for the inevitable "cyber regulation" of other industries such as manufacturing, transportation, and communications. This article discusses the "lessons learned" from the energy sector and helps explain how those lessons could apply to other industries.
Cyber Regulations for the Electric Grid
The need for federal leadership to protect the cyber elements of the electric grid was recognized in the late 1990s, when President Bill Clinton issued a presidential directive aimed at protecting critical infrastructure. After nearly a decade of industry debate and consideration, the North American Electric Reliability Corporation (NERC), a quasi-governmental organization charged with ensuring the reliable operation of the North American grid, obtained regulatory approval of the first version of its Critical Infrastructure Protection (CIP) regulations. The CIP regulations established a minimum set of cyber controls and protections for entities that play a key role in the generation and transmission of power. Those initial regulations necessarily were limited in both scope and detail, but have continued to evolve.
Who Is Covered by NERC CIP?
NERC CIP — now with its sixth version already in the works — applies to a range of entities that "materially impact" the reliability of the North American power system. This includes owners and operators of generation facilities, as well owners and operators of transmission lines (i.e., the wires that connect generators to the distribution systems for customers). It also includes NERC itself, and the independent system operators (ISOs) and regional transmission organizations (RTOs) that are responsible for coordinating, controlling and monitoring electric grid operations on an intrastate or interstate level. As with most regulations, NERC CIP contains exemptions relating to both the entities and the assets that are covered. For example, nuclear plants are exempt from NERC CIP coverage; other exemptions apply depending on energy generation levels and engineering configurations.
What Do the NERC CIP Standards Require?
NERC CIP requires covered entities to first identify their "critical cyber assets" that support the operation of the grid and then take measures to protect those assets from physical and cyber harm. The regulations have become more detailed over the years, currently consisting of "standards" that cover topics such as network security, personnel and training policies, physical security of cyber assets, incident reporting and response plans and disaster recovery.
Each NERC CIP Standard then includes multiple individual requirements. For example, the first Standard, Critical Cyber Asset Identification, requires covered entities to document a risk-based methodology that can be used to identify the organization's critical assets, and have a senior manager with overall responsibility for NERC CIP compliance annually "sign off" on that methodology and the assets that have been identified. Notably, NERC CIP does not prescribe the precise assets that covered entities must include (a point that generates some criticism), and instead refers to broadly defined categories of assets.
What Are the Penalties for NERC CIP Non-Compliance?
NERC periodically audits to assess compliance with the CIP regulations, issuing data requests, conducting interviews, and executing spot checks. From the outset, NERC adopted a "zero tolerance" policy and created the potential for severe penalties for non-compliance — as high as $1 million per incident. In practice, most fines tend to be in the range of several tens of thousands of dollars to several hundred thousand dollars. Common violations relate to non-compliance with the NERC CIP standards regarding physical security, systems security management and network security.
As cyber attacks grow in number and sophistication, similarly situated companies are looking to share the most current information regarding their attackers' methods, in order to collectively develop better defense mechanisms and mitigate risk. In the energy industry, the primary information-sharing program is the Electricity Sector Information Sharing and Analysis Center or "ES-ISAC," which provides a forum for energy companies to collect and share with one another critical cyber threat information, including vulnerabilities, analyses, warnings, and protective strategies.
Although participation can potentially serve as a beneficial piece of a company's overall cybersecurity strategy, it is not without risk. Prior to participating in an information-sharing program, a company should ask:
- Will cyber threat information shared by the company serve as the basis for regulatory agency sanctions or expose the company to civil liabilities?
- Will confidential information shared by the company be released to other program participants or the public?
NERC has clarified that ES-ISAC has no responsibility for NERC CIP compliance, and has prohibited ES-ISAC personnel from conveying to compliance personnel information regarding potential NERC CIP violations. Whether this "safe harbor" approach lasts or applies in all circumstances remains to be seen. For example, legislation applicable to all information-sharing initiatives (beyond the energy industry) has been introduced and debated in Congress (e.g., the Cybersecurity Information Sharing Act (CISA); the Protecting Cyber Networks Act (PCNA)). These proposed laws would create new liability protections for the sharing of information and new exceptions to public disclosure laws.
What's Next for Cybersecurity Regulation in the Energy Sector?
It appears likely that grid cybersecurity will continue to be addressed most actively at the federal level, most immediately through an updated version of NERC CIP that contains a new framework for classifying grid assets. However, given the oft-cited criticism that NERC CIP fails to cover a large portion of grid assets, including customer meters that are becoming more cyber-dependent, we also expect increased state-level cybersecurity oversight. This is already occurring in a number of states, including California and Illinois.
What Does Cybersecurity Regulation for the Energy Sector Teach Other Industries?
Though relatively young in and of itself, cybersecurity regulation for the grid is more mature than in many other industries. While models inevitably will vary in their details as applied to the different "machines" that other industries rely upon, the experience with energy cybersecurity regulation suggest that leaders in other sectors should anticipate:
- cyber regulations that are spurred by governmental actors responding to perceived obvious gaps, rather than comprehensive, detailed legislation;
- constantly evolving cyber regulations that expand the applicability of the original regulations in response to increases in the frequency and sophistication of cyber attacks and changing technology, while retaining the structure of the initial regulations;
- financial penalties — even in essentially self-regulating scenarios — that result in companies focusing as much upon avoiding non-compliance as improving security;
- struggles to find "safe" forums to share information about both emerging risks and best practices; and
- additional state regulation, which may be more aggressive than the federal regulations.