Archive for the 'Smart Grid' Category

Mar 30 2011

What is NERC CIP Compliance?

One of the biggest challenges I find talking to customers about Smart Grid/AMI deployments is answering the question “Is your solution/architecture NERC CIP compliant?” It’s somewhat frustrating since there’s no certification (which is typically the direction the question originates from) that I can point to – you know, something like a UL or Windows Hardware Quality Lab (WHQL) testing – that says the solution or architecture is NERC CIP compliant. In many cases I have to spend a fair amount of time resetting customer expectations about what NERC CIP (and in many cases what the NIST IR 7628) really requires.

The NERC CIP is a subset of the NERC Reliability Standards and is comprised of a group of nine standards specifying security requirements utilities must meet.  The standards include the following:

Version 3 of the NERC CIP standards is currently in effect.  The above links actually point to the version 4 documents of the standard as they have passed the ballot vote although a mandatory effective date has not been set yet.

Each standard covers a different domain, but the common feature among them is that the standards are focused more on process and policy than on actual technology. Does that mean that they don’t touch the technology? No…by no means. In fact, some of the requirements in specific CIP standards (specifically we’re talking about CIP-002, CIP-003, CIP-005, CIP-007 and CIP-009) can be met based on the technical capabilities in the Smart Grid/AMI system being deployed. That being said, however, the standards do not prescribe specific technologies. For example, the PCI-DSS standard requires that organizations use firewalls and anti-virus as part of their technical controls. That’s a clear case where the standard specifically states what technical controls an organization must use in order to be compliant. NERC CIP does not do that directly.

NERC CIP is written more broadly than standards like PCI-DSS. In many cases the wording leaves it up to the utility or the industry to decide how the standard is applied and interpreted. As for mapping technical controls directly to the standard: while there are ways to claim that an AMI or Smart Grid system meets specific requirements within the NERC CIP standards based on those technical controls, there is no way to simply say “yes, it is NERC CIP compliant.”


Mar 24 2011

Smart Grid Security Vulnerabilities?

Published under Security, Smart Grid

I’ve been working for Itron for the past 14 months of which the last 5 have been as the Security Engineering Team lead for the company.  I need to keep abreast of current security trends in terms of the Smart Grid industry (I’m not going to go into the discussion of Smart Grid vs. AMI at the moment) and every so often I come across some rather glaring mistakes in information that, if not corrected, can lead to significant, unnecessary concerns about the security of Smart Grid or AMI deployments.  Normally I’m not that picky about correcting such mistakes but this one, in my opinion, needed some response as opponents of Smart Grids could use this as part of their arguments against Smart Grid technology and deployments.

Case in point is Guido Bartels’ “Combating Smart Grid Vulnerabilities” article in the March 2011 issue of the Journal of Energy Security. On the whole, this article is spot on. I think Mr. Bartels does an excellent job in laying out the case for the efforts being done to secure Smart Grid deployments by utilities and by vendors as well. I only have one small issue with the article and that is the incorrect use of a graph titled “Number of New Smart Grid Vulnerabilities”. This graph, developed by IBM’s X-Force, can also be found here. This graph is actually a histogram of the number of new vulnerabilities identified by IBM’s X-Force Research and Development team over the period of 2000 to the first half of 2010. Unfortunately it is incorrectly labeled in the article and I hope that the editors will do their readers a kind service by correcting the faulty title of the graph.
