Posts Tagged ‘NERC’

High Impact, Low Frequency Risks to the NA Power Grid

June 9, 2010

NERC has issued a report that discusses the challenges that 'High Impact, Low Frequency Risks' pose to the North American power grid.

Although the report is not limited to cyber attacks, I will try to highlight the areas of interest to people like me, cyber security fanatics.

Attack Window

Snippet from pages 10-11 of the report:

The risk of a coordinated cyber, physical, or blended attack against the North American bulk power system has become more acute over the past 15 years as digital communicating equipment has introduced cyber vulnerability to the system, and resource optimization trends have allowed some inherent physical redundancy within the system to be reduced. The specific concern with respect to these threats is the targeting of multiple key nodes on the system that, if damaged, destroyed, or interrupted in a coordinated fashion, could bring the system outside the protection provided by traditional planning and operating criteria. Such an attack would behave very differently than traditional risks to the system in that an intelligent attacker could mount an adaptive attack that would manipulate assets and potentially provide misleading information to system operators attempting to address the issue.

It also adds:

While no such attack has occurred on the bulk power system to date, the electric sector has taken important steps toward mitigating these issues with the development of NERC's Critical Infrastructure Protection standards, the standing Critical Infrastructure Protection Committee, and a myriad of other efforts. More comprehensive work is needed, however, to realize the vision of a secure grid. Better technology solutions for the cyber portion of the threat should be developed, with specific focus on forensic tools and network architectures to support graceful system degradation that would allow operators to "fly with fewer controls." Component and system design criteria should also be reevaluated with respect to these threats and an eye toward designing for survivability. Prioritization of key assets for protection will be a critical component of a successful mitigation approach.

The report marks a significant shift in industry-specific standards: beyond compliance checklists, it explicitly calls for active security monitoring, security intelligence, purpose-built forensic tools, and network architectures designed to degrade gracefully under an adaptive attacker who may feed operators misleading information.

You can download a copy of the 120-page report here.



NERC (CIP) for Nuclear Plants…Coming Soon

March 22, 2010

Recently the U.S. Nuclear Regulatory Commission (NRC) and the North American Electric Reliability Corporation (NERC) signed a supplement to the Memorandum of Agreement (MOA) the two organizations originally signed in 2007.

The supplement defines the roles and responsibilities of NERC and NRC, which are expected to work closely together in enforcing their respective security standards and guidance at nuclear plants. (A video of the meeting can be found here.)



Summary of the MOA:

- NRC shall inspect digital assets, including SCADA systems and networks, that affect the safety, security and emergency preparedness functions of a nuclear plant, to ensure compliance with NRC's cyber security requirements (see Regulatory Guide 5.71, linked below).

- NERC shall inspect digital assets related to the continuity of power for compliance with NERC's CIP standards.

- NERC and NRC agree to share information and to coordinate and consult with each other to the maximum extent practicable.

- Each organization is responsible for taking the appropriate enforcement action for violations of its own standards.

- Both must mutually agree on enforcement actions and public announcements related to incidents or actions that violate both sets of standards.

This complements the recent news that the Federal Energy Regulatory Commission (FERC) approved the implementation plan for Critical Infrastructure Protection (CIP) Reliability Standards compliance by nuclear generator owners and operators in the United States.

As a result, the clock for achieving compliance with the CIP standards has started. Compliance with two CIP Reliability Standard Requirements, CIP-002-1 Requirements R1 and R2 (the risk-based assessment methodology and the identification of Critical Assets), must be achieved within 12 months.

Compliance with the remaining Requirements depends on future developments, but will likely be due within 18 months.


FERC Approves Implementation Plan for CIP Compliance at Nuclear Plants
Regulatory Guide 5.71, “Cyber Security Program for Nuclear Facilities”