Requirements or recommendations? Sorting out NERC CIP, NIST, and DOE cybersecurity

Abstract

Oil and gas, water and electric power — all of these essential services rely on SCADA (supervisory control and data acquisition), protection, and monitoring systems that use communications networks. The use of communications networks makes these systems potentially vulnerable to cyberattack. Over the past decade, faced with an increase in computer hacking and the recognition of the importance of these services to health and welfare, economic stability, and national security, the United States federal government has been increasingly involved in efforts to assist utilities in improving their security posture. Smart grid has become synonymous with asynchronous, nonmission-critical information exchange applications. Smart grid infrastructure describes the existing, yet largely unrecognized, mission-critical control applications that enable generation and delivery of power. Smart grid infrastructure applications require deterministic and synchronous message exchange, including automation and teleprotection. Today, utilities are faced with a confusing array of cybersecurity guidance, standards, and regulatory requirements. Electric utilities operating bulk power system assets must comply with eight NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection) standards that are in the process of being revised. Federal entities are required by the FISMA (Federal Information Security Management Act of 2002) to comply with NIST (National Institute of Standards and Technology) standards. Under the Energy Independence and Security Act of 2007, Congress gave NIST the task of developing a framework of interoperability and cybersecurity for smart grid applications. To date, the framework has been primarily focused on smart grid information exchange applications that use asynchronous data flow, including metering, demand response, and the near realtime elements of substation and distribution automation. These automation elements and other smart grid infrastructure applications that require deterministic synchronous data exchange, including teleprotection and synchrophasor state measurement, remain a future endeavor. This paper discusses various cybersecurity requirements and presents a clear picture of work being done by NIST to explain what is required and recommended and what utilities should expect to see in the near future as NERC and NIST work continues.