CIP-002-4 “Bright Line” Secures 163 Plants, Max

(This article was originally published on the Findings From the Field blog.)

In the 2009 statistics, the latest available, NERC tracked some 10,500 generators with a nameplate capacity of 0.1 MW or higher, at about 5700 sites. The new NERC CIP-002 version 4 "bright line" rule says NERC-CIP applies to only those generating sites with "an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW in a single Interconnection." How many locations/plants is that? According to NERC, only 163 sites have a nameplate generating capability of 1500 MW or greater, and there is no word yet on how many of those plants are exempt because they feed less than 1500 MW into any one interconnection.


The most recent NERC figures report nearly 5700 generating sites, but the vast majority of these sites - over 4600 - are small sites with a nameplate capacity of less than 250 MW. More than half of those small sites have a capacity of less than 10 MW each. If we look only at medium-to-large-sized plants, NERC reports some 1055 plants with a nameplate capacity of 250 MW or higher in 2009.

The size distribution for these plants is illustrated at right. 163 plants had a nameplate capacity of 1500 MW or higher - that's 15% of the 1055 medium-to-large sized plants. In fact CIP applies to fewer plants than the 163 - the rule only flags plants which feed 1500 MW or more into a single interconnect. I don't have the data on how many plants have greater than 1500 MW capacity, but feed less than 1500 MW to any one interconnect.

Introducing a new version of the CIP standard to secure only 15% of North America's medium-to-large sized plants does not seem like a big change, but maybe that's unfair. Do the largest plants generate a disproportionately large fraction of North America's power?

If we add up all the nameplate ratings of power plants of 250 MW and higher capacity, we get a total generating capacity of 943 GW. The plants 1500 MW and higher account for 355 GW or 38% of this total, as illustrated at right. Does this change if we put the 4600 small facilities of less than 250 MW each (not illustrated) back into the equation? Those facilities account for another 177 MW. With those facilities counted, the fraction of total capacity covered by CIP drops to 32%, or roughly one third of North America's generating capacity.

Attack Profiles

Is this what we expected from CIP-002-4? 15% or fewer of North America's medium-to-large sized plants secured, representing about one third of the total generating capacity? Maybe - let's look at cyber threats to the grid.

Attacks by disgruntled insiders at a power plant, or a power-generating utility, generally affect only one plant. In cases where more than one plant is at risk, it is because the insider has access to multiple plants at one utility. If we assume that CIP-regulated plants can repel attacks by disgruntled insiders, then the result of an attack by such insiders most likely impairs generation in at most a handful of medium-sized plants not covered by CIP. The enormous physical redundancy in the bulk electric system is designed to to deal with such outages, though there are occasional and spectacular design and implementation failures.

The sophisticated botnets used by organized crime do not yet target power plants specifically - those actors do not yet reliably make money from targeting power plants. Any compromise of control systems is going to be accidental. For "drive by download" type malware, where an unwitting insider infects a machine by visiting a compromised website, protecting only the largest generators may be enough. Most commonly, compromising a control system host will impair the control system enough to trigger a fail-over to a secondary system. Less commonly, such compromise will trigger a safety shutdown of one or more generators. In the worst case, a downloaded worm may propagate to control systems for other non-CIP-secured sites in the utility. This is equivalent to the insider scenario above, and so should be tolerated by the grid as a whole.

Where we start to see problems is when we consider worms which spread aggressively. Every few years a worm is released which spreads very aggressively, through a wide variety of enterprise networks. If such a worm had the unfortunate and even unintended side effect of impairing power plant control systems, it could impair a great many control systems simultaneously. If we assume CIP protects the largest generators, how many of the medium-sized generators would need to be impacted before the Bulk Electric System is affected? Could an aggressive worm impair a large fraction of non-CIP-secured sites?

Even worse, is anyone worried about advanced threats simultaneously targeting a great many of the medium-sized sites? I think this was the point of Joe Weiss' controversial remarks of a few weeks ago.

Looking Forward

Nobody likes regulation and the threat of fines - they produce utilities preoccupied with compliance rather than security. The problem is that without regulation, many utilities would do very little to secure their control system assets.

The protections specified in the CIP standards are much better than nothing, and more powerful defenses are readily available in the marketplace for utilities with a real commitment to security. As a citizen, I would be happier if a clear majority of the power my society relies on were secured from at least opportunistic cyber-attacks. The new "bright line" rule will not bring this about.

No comments:

Post a Comment