Part Two: The Audit Report
The audit report released by the Department of Energy’s Office of the Inspector General (OIG) in January 2011 raised a number of issues, including:
1) Problems with the Critical Infrastructure Protection (CIP) standards themselves:
- One of the report’s biggest complaints is that the standard that sets the agenda for all the others, the framework for identifying a “critical asset,” is too vague. “Lack of stringent requirements for defining critical assets contributed to significant under reporting of these assets,” the report charged. For example, in April 2009, more than 70 percent of power plant owners and operators did not identify any of their assets as critical on a self-certification compliance survey.
Long before the audit report was released, there was consensus among government and industry that under-reporting needed to be addressed – and it is being addressed, said Mark Weatherford, the North American Electric Reliability Corporation’s chief security officer. Under a new version of the standards, commonly known as Version 4, all assets are considered critical and will be assigned a descriptor of low, medium, or high. “Before, entities could essentially opt out, saying they didn’t have any critical assets,” said Weatherford. “Now they have to make a decision about where the asset fits into those categories.” The Federal Energy Regulatory Commission (FERC) is scheduled to issue an order on the new standard within the next two or three months.
- The CIP standards, the report charged, “did not always include controls commonly recommended for protecting critical information systems.” As an example, OIG pointed to the requirements established for password and login protection, which are weaker than is common for government and industry systems: passwords may be as short as six characters and need be changed only annually. FERC’s own security policy, by contrast, requires passwords to be at least 20 characters long and changed every 60 days.
Such a charge, industry insiders claim, is a false equivalence. Annabelle Lee, a technical executive at the Palo Alto-based Electric Power Research Institute (EPRI) and a CIP adviser to FERC, says that a dynamic IT system, with equipment that lasts two or three years before it’s obsolete, laid over a control system made up of equipment that is often 40 years old, presents a “challenging opportunity.”
Weatherford, regarding the password-protection standard, puts it more concretely: “Some of these old systems never even required passwords. At some point, they’ve had to go back and put in compensating controls or mitigations to protect those pieces of equipment … In my last job, we had an old system where we couldn’t require more than a six-character password, because the application simply would not accept that. So that’s the situation we’re in.”
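The gap between the two password policies, and the legacy-equipment problem Weatherford describes, can be made concrete with a small compliance check. The following is an added example, not code from the article, from FERC, NERC or the OIG; it evaluates a constructed inventory of accounts against both policies as the article quotes them (six characters, changed annually, versus 20 characters, changed every 60 days) and separates plain non-compliance from accounts on systems that cannot accept the required length, where a compensating control has to be documented instead of a longer password. The `max_supported_length` inventory field and the system names are assumptions for the example.

```python
"""Password-policy compliance check over an account inventory (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_age_days: int


# The two policies as the article describes them.
CIP_MINIMUM = PasswordPolicy("CIP minimum", min_length=6, max_age_days=365)
FERC_INTERNAL = PasswordPolicy("FERC internal", min_length=20, max_age_days=60)


@dataclass(frozen=True)
class AccountRecord:
    system: str
    user: str
    password_length: int       # only the length is inventoried, never the password
    last_changed: date
    max_supported_length: int  # hypothetical inventory field: longest password the application accepts


def evaluate(record, policy, today):
    """Return a list of (code, message) findings; an empty list means compliant.

    LENGTH_UNSUPPORTED marks the case Weatherford describes: the password is
    too short, but the application cannot take a longer one, so the fix is a
    compensating control rather than a password change.
    """
    findings = []
    if record.password_length < policy.min_length:
        if record.max_supported_length < policy.min_length:
            findings.append(("LENGTH_UNSUPPORTED",
                             f"length {record.password_length} < {policy.min_length}; "
                             f"system accepts at most {record.max_supported_length}: "
                             "compensating control required"))
        else:
            findings.append(("LENGTH", f"length {record.password_length} < {policy.min_length}"))
    age_days = (today - record.last_changed).days
    if age_days > policy.max_age_days:
        findings.append(("AGE", f"age {age_days}d > {policy.max_age_days}d"))
    return findings


def summarize(records, policy, today):
    """Count compliant accounts, non-compliant accounts, and those needing a compensating control."""
    counts = {"compliant": 0, "non_compliant": 0, "needs_compensating_control": 0}
    for record in records:
        findings = evaluate(record, policy, today)
        if not findings:
            counts["compliant"] += 1
            continue
        counts["non_compliant"] += 1
        if any(code == "LENGTH_UNSUPPORTED" for code, _ in findings):
            counts["needs_compensating_control"] += 1
    return counts


# Constructed sample inventory; the date is chosen to match the report's release month.
AS_OF = date(2011, 1, 31)
SAMPLE_ACCOUNTS = [
    # legacy HMI that will not accept more than six characters
    AccountRecord("relay-hmi-legacy", "oper1", 6, date(2010, 6, 1), 6),
    # modern historian with a short but changeable password
    AccountRecord("scada-historian", "admin", 12, date(2010, 12, 15), 64),
    # corporate jump host already meeting the stricter policy
    AccountRecord("corp-jump-host", "analyst", 24, date(2011, 1, 10), 128),
    # substation gateway: short, stale, and capped at eight characters
    AccountRecord("substation-gateway", "svc", 4, date(2009, 11, 30), 8),
]


if __name__ == "__main__":
    for policy in (CIP_MINIMUM, FERC_INTERNAL):
        print(f"== {policy.name}: {summarize(SAMPLE_ACCOUNTS, policy, AS_OF)}")
        for record in SAMPLE_ACCOUNTS:
            for code, message in evaluate(record, policy, AS_OF):
                print(f"  {record.system}/{record.user}: {code}: {message}")
```

Run against the sample inventory, every account but one passes the CIP minimum while only one passes the FERC policy, and two of the FERC failures are accounts the stricter policy cannot fix by password change alone; that last category is the one an auditor comparing the two policies on paper would not see.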
2) Problems with the way the standards are implemented:
- The standards implementation regime, the report charged, was illogically organized: entities were not required to comply with the CIP standards at the same time, even though they may have faced similar threats.
- The implementation schedule for CIP standards did not place a higher priority on the greatest risks to information systems – for example, documentation (paperwork completion) was required before implementation of technical controls related to system access, patch management, and malware prevention. “Concentrating risk-based efforts on strong technical controls,” the report stated, “rather than on creating documentation could have helped strengthen early implementation efforts.”
- Overall, the implementation schedule for CIP cybersecurity standards didn’t ensure that systems-related risks to the power grid were mitigated or addressed quickly. “While we recognize that there are inherent delays associated with the current regulatory structure,” the report stated, “we found that the timeliness of the standards development and approval process was also impacted because the commission did not take advantage of existing authority.”
These procedural issues raise an important question: Is the complexity of the new regulatory regime, and its necessary focus on process, detracting from the purpose of the CIP standards themselves – to identify and mitigate vulnerabilities to the power grid? The question leads directly to perhaps the OIG’s biggest problem with FERC’s oversight, which is ultimately a problem of jurisdiction.