Pike Research
Cleantech Market Intelligence
The Interminable Wait for New Grid Security Standards
There’s been a lot of discussion since the NERC CIP V5 standards were voted down last month. Fortunately, most of that talk has been optimistic. No one is giving up, and that’s good. But the pace of success is still slow, considering the current vulnerability to cyber attack of most power grids worldwide.
For a quick background, NERC CIP (North American Electric Reliability Corporation, Critical Infrastructure Protection) standards are designed to protect critical cyber assets (CCAs) of the North American Bulk Electric System (BES) from attack. That sentence indicates the scope: NERC CIP is only applicable in the U.S. and Canada, and the Bulk Electric System is defined as grids operating above 100 kV and control systems managing more than 1500 MW of generation. The CIP standards are designed to ensure a minimum level of protection for the CCAs but should not be considered equal to full cyber security, which is unique for every business entity. What exactly is or is not a CCA has been a topic of prolonged discussion throughout CIP’s lifetime. This continues with v5.
The question now is what this might mean in terms of a) the likelihood that v5 will ever be adopted and b) if so, when. My own view of this topic is stuck somewhere between pessimism and ambivalence.
One of the more dire comments on a LinkedIn thread was: “In the cyber world where bugs, Trojans, and malware proliferate overnight, and in the real world where Iran seems to be itching to get even with someone, ANYONE, for Stuxnet, NERC’s effective date of ‘two years from now’ for the security of our national grid can be seen as more than appalling.”
Seven Year Itch
I fear that this comment may be right, if a bit optimistic. I have blogged, and continue to believe, that Stuxnet may have been developed in late 2007, and certainly no later than the middle of 2008. Picture yourself as the Stuxnet project manager and lay out all the tasks that had to be accomplished so that Stuxnet could have done its job sometime in mid-2009, as later observed by international inspectors. If you work backward from a mid-2009 payload, early 2008 is the absolute latest you could have begun.
If that’s correct, then Stuxnet is now three-and-a-half years old. It would take heroic assumptions to believe that nothing worse has been developed during the intervening 42 months. If nothing else, lots of potential attackers have had the Stuxnet source code for over a year. Now we must wait at least another 24 months for CIP v4 to take effect – 66 months after Stuxnet was completed. And NERC CIP v4 is what? – inclusive language to identify more critical cyber assets.
The best-case scenario (to which some commentators assign a low probability) is that version 5 will be approved at the next vote. If that happens, there would be a short delay until the NERC Board approves v5, then it goes to FERC (Federal Energy Regulatory Commission) for implementation. Let’s remember that we are closing in on 13 months since the NERC Board approved v4, and it’s still not FERC approved. So there’s another year. Yes, there are extenuating circumstances around v4, but it was somewhat truncated so that it could be enacted quickly, and that hasn’t happened. Then we’ll wait another two years after that for v5 compliance to be required. In round numbers that looks like another 40 months from now as the earliest date for v5 compliance. So, nearly seven years after Stuxnet was created, NERC CIP v5 compliance may be in force. Does that qualify as “relevant”? Ferrari purchasers finance their 599s over a shorter term. Okay, most of them pay cash, but you know what I mean.
Attackers of enterprise systems thought they had it made when, in the mid-1990s, we started requiring all software changes to go through CMM (Capability Maturity Model) and ISO9001 processes before they could be deployed. They’ve got it even better on the control side. Forget real-time software patches – when are we going to have meaningful standards in the same decade when they’re needed?