IEEE Power & Energy Magazine - September/October 2016 - 54

CIP-002 Critical Cyberassets
* Low, Medium, High Criteria
* 15-Month Review

CIP-003 Security Management Controls
* Cyber Policy for Low/Medium/High
* Leadership
* Document Delegates

CIP-004 Personnel and Training
* Awareness
* Training
* Risk Assessment
* Access Program

CIP-005 Electronic Security Perimeters
* Electronic Security Perimeter
* Remote Access Management

CIP-006 Physical Security
* Plan
* Visitor Control Plan
* Maintenance and Testing

CIP-007 Systems Security Management
* Ports and Services
* Security Patch
* Malicious Code Prevention
* Event Monitoring
* Access Controls

CIP-008 Incident Reporting and Response Planning
* Cyberincident Response Plan
* Implementation and Testing of Response Plans
* Response Plan Review

CIP-009 Recovery Plans for BES Cyber Systems
* Recovery Plans
* Plan Implementation and Testing
* Plan Review, Update, and Communications

CIP-010 Configuration Change and Vulnerability Assessment
* Configuration Change Management Process
* Monitor and Control
* Vulnerability Assessment

CIP-011 Information Protection
* Information Protection Process
* Bulk Electric System Cyberasset Reuse and Disposal

figure 2. Current NERC CIP standards as of March 2016.
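As an added illustration (not code from the article, NERC, or any utility) of what the CIP-007 "Ports and Services" item and the CIP-010 "Configuration Change Management Process" and "Monitor and Control" items in figure 2 amount to operationally, the script below compares a documented baseline of permitted listening ports per BES Cyber Asset against a periodic observation of what is actually listening. It flags undocumented listeners (disable them or record an authorized change), documented services that have gone silent, and, most importantly for the inventory problem, hosts that are listening but have no baseline at all. The hostnames, ports, impact ratings and the one-line-per-listener snapshot format are all constructed assumptions for the example.

```python
"""Baseline drift check for listening ports on BES Cyber Assets.

Added illustration (not code from the article) of the CIP-007 "Ports and
Services" and CIP-010 "Configuration Change Management / Monitor and Control"
items: a documented baseline of permitted listening ports per asset, a
periodic observation of what is actually listening, and a comparison that
flags anything needing a change record or an inventory update.

Everything below is constructed for the example. Hostnames, ports, impact
ratings and the snapshot format are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Documented baseline: asset -> impact rating (CIP-002 style) and the
# listening TCP ports documented as needed (CIP-007 R1 style).
BASELINE: Dict[str, Dict] = {
    "rtu-sub12":   {"impact": "medium", "ports": {20000}},      # DNP3 outstation
    "hmi-ems01":   {"impact": "high",   "ports": {443, 3389}},  # HMI: HTTPS and RDP
    "plc-feeder7": {"impact": "low",    "ports": {502}},        # Modbus/TCP
}

# Constructed observation snapshot, one "host port proto" line per listener,
# as a collector might emit after parsing each host's `ss -Hltn` output or a
# passive network monitor's inventory.
OBSERVED_SNAPSHOT = """\
rtu-sub12 20000 tcp
rtu-sub12 23 tcp
hmi-ems01 443 tcp
hmi-ems01 3389 tcp
plc-feeder7 502 tcp
plc-feeder7 80 tcp
eng-laptop-04 445 tcp
"""

SEVERITY_BY_IMPACT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str            # unexpected_port | missing_port | unknown_asset | not_observed
    port: Optional[int]
    severity: int        # 0..3, higher is more urgent
    detail: str


def parse_snapshot(text: str) -> Dict[str, Set[int]]:
    """Turn 'host port proto' lines into {host: {ports}}; blank and # lines are skipped."""
    observed: Dict[str, Set[int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, _proto = line.split()
        observed.setdefault(host, set()).add(int(port))
    return observed


def check_drift(baseline: Dict[str, Dict], observed: Dict[str, Set[int]]) -> List[Finding]:
    """Compare an observation against the baseline; return findings, most urgent first."""
    findings: List[Finding] = []
    for host, ports in observed.items():
        if host not in baseline:
            # A listener on a host with no baseline is an inventory gap (CIP-002)
            # before it is anything else: you cannot rate or protect what is unlisted.
            findings.append(Finding(host, "unknown_asset", None, 3,
                                    "host has no documented baseline; add to inventory"))
            continue
        sev = SEVERITY_BY_IMPACT[baseline[host]["impact"]]
        for port in sorted(ports - baseline[host]["ports"]):
            # Undocumented listener: disable it (CIP-007 R1) or record an
            # authorized change and update the baseline (CIP-010 R1).
            findings.append(Finding(host, "unexpected_port", port, sev,
                                    "listener not in baseline; disable or document"))
        for port in sorted(baseline[host]["ports"] - ports):
            # A documented service that is not listening is an availability
            # signal, not an exposure, so it ranks below unexpected listeners.
            findings.append(Finding(host, "missing_port", port, max(sev - 1, 0),
                                    "baseline service not listening; verify"))
    for host in baseline:
        if host not in observed:
            findings.append(Finding(host, "not_observed", None, 1,
                                    "asset absent from snapshot; check collector coverage"))
    findings.sort(key=lambda f: (-f.severity, f.host, f.port or 0))
    return findings


if __name__ == "__main__":
    for f in check_drift(BASELINE, parse_snapshot(OBSERVED_SNAPSHOT)):
        print(f"[sev {f.severity}] {f.host:<14} {f.kind:<16} {f.port or '-':<6} {f.detail}")
```

Run against the constructed snapshot, the check reports the unlisted engineering laptop first, then the Telnet listener on the medium-impact RTU and the HTTP listener on the low-impact PLC. Ranking by the asset's impact rating is what lets a small team work the queue in the order the standards would, and the "unknown asset" finding is the one that most often surfaces field equipment nobody has inventoried.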

as BlackEnergy be removed. The Aurora vulnerability has been demonstrated
to be a risk for any electric substation that lacks the appropriate
protective hardware. Most facilities still do not have that safeguard
installed, yet the NERC CIP standards do not require the mitigation.
While compliance with the CIP standards is a move in the right direction, there is certainly more
that utilities can, and should, be doing to protect themselves,
their assets, personnel, customers, and the environment.
The president and CEO of a large U.S. electric utility
recently called on the private sector to "play offense" when
it comes to federal policies and regulations on cybersecurity and acknowledged that a recent cyberattack resulting
in widespread power outages has put utilities around the
globe on edge. When asked for his view on overall grid
resiliency, though, this utility leader responded, "Is the U.S.
grid 100% insulated from threats? Absolutely not." He then
concluded, "But are we safe? Yeah." Complacency and mere
compliance with standards are not sufficient. Vigilance, backed by
a stronger commitment to practical cyberprotection of ICSs,
should be an initiative sponsored by utility industry leadership.
Robert M. Lee, a former cyber warfare operations officer for
the U.S. Air Force, has a more sobering viewpoint. When
asked about the U.S. power systems' vulnerability after the
Ukrainian attack, he said, "Despite what's been said by officials in the media, every bit of this is doable in the U.S. grid."
Perhaps the risk impact is simply too unthinkable, too
expansive, and too expensive to contemplate. Leading cybersecurity insurance underwriters are certainly struggling
with this. Some have severely restricted market capacity
for business interruption insurance (coverage for lost profits
from operational downtime) precisely because they lack
confidence that utilities are doing enough to address the cyber
risk associated with their ICSs and because no models exist to accurately describe the extent of lost profits. Even
with respect to conventional cybersecurity coverage, leading
insurers have become adept at hiring information security
experts to thoroughly assess for themselves an insured's
cybersecurity risk posture (based on global standards and
frameworks such as the NIST SP 800 series and ISO/IEC 27001:2013) before
even considering extending coverage.
But neither of these standards was developed with an
understanding of the unique ICS cyberissues and challenges,
and that presents the industry with a problem. Insurance coverage for physical damage, injury, and environmental consequences is among the least commonly offered, showing that
cyberthreats to operational technology (OT), the control systems for physical processes, are not as well recognized or
in as much demand as IT threats. This concerns the insurance industry because a number of cyberattacks on
utility companies have been reported. Some power companies report that they
experience thousands of attempted cyberattacks every month,
some of them accompanied by ransom demands.

What Can Be Done Now?
An important first step is for the organization, from senior
management through operations and IT, to understand ICS cybersecurity issues and to perform a thorough evaluation and assessment of its current threat and vulnerability environment.
The next step is to establish a cross-functional, cross-discipline
team representing operations, maintenance, engineering, IT,
forensics, telecom, risk management, and public relations to
correlate and address ICS cybersecurity in the context of the organization's mission. There also need to be adequate resources
and reporting to the C-level and the board, two proven accelerators of cybersecurity maturity. A "living" ICS cybersecurity
program should be established that develops and employs ICS
cybersecurity policies and metrics. To know what to protect,
utilities need to know what at-risk assets they have deployed
enterprise-wide, including all equipment located in the field.
Consequently, a thorough review of all installed systems,