
The year 2015 marked a turning point in the evolution of the U.S. electric industry’s outlook toward security. The uncertainty surrounding the transition from Version 3 to Version 5 of NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) has significantly diminished. Now utilities are making concerted efforts to identify and address security risks across electric utility system assets and their connectivity points.

Similarly, the passing of time moved physical threats to electric infrastructure out of the headlines as security hardening activities ramped up because of CIP-014, a standard NERC established specifically for transmission stations and substations.

Chip Handley, Project Manager with Black & Veatch’s power generation services business, said that interest in physical security and cybersecurity centers on the likelihood of nefarious activity targeting operational control networks and customer data, more so than electrical transformers and outside plant. As noted in Black & Veatch’s Strategic Directions: U.S. Electric Utility report, more than two-thirds of survey respondents indicated they are prepared to comply with NERC CIP-014 and general physical security standards. This would appear to reflect a combination of events, including significant media coverage in 2014 and the absence of subsequent high-profile security events.

Size Affects Security Planning

“Security planning, both physical security and cybersecurity, is often influenced by the size of the respondent’s organization or customer base,” Handley said. While more than 70 percent of respondents indicated some level of preparedness for compliance with NERC-CIP low-impact system requirements, the data once again showed that, in terms of security, the larger the organization, the further along its preparations, Handley noted.

Previous NERC-CIP standards tended to focus only on large generation or transmission facilities, exempting the assets of many co-ops, independent power producers and other small service providers. Larger investor-owned or publicly owned utilities with bigger plants were already required to have CIP compliance plans in place and had undergone multiple in-depth CIP audits.

NERC CIP-014

“Without a mandate in place, small- to mid-size utilities felt the combination of their limited impact to the grid and the lack of staff to address cybersecurity concerns justified implementation delays,” Handley said.

Handley said service providers such as Black & Veatch are seeing an influx of requests from larger utilities that thought they were prepared to comply with NERC-CIP Version 5 deadlines, based on their level of preparation and compliance with Version 3. However, the increased industry understanding of Version 5 requirements has resulted in a dramatic increase in the number of assets that need to be reviewed and remediated, which is driving the requests for external support.

CIP Version 5 Includes Smaller Facilities

One of the biggest challenges associated with the transition from NERC-CIP V3 to V5 centers on the inclusion of smaller facilities that had virtually no CIP compliance requirements in the earlier CIP versions.

“The Version 5 standards now require a tiered classification system for those electronic systems that control and protect the electric system,” Handley said. “For some operators, this categorization has increased the number of assets accounted for in their security planning by a factor of 10 or more. For some, virtually all generation and transmission electronic systems will fall into either the low-, medium- or high-impact classification tiers.”

He noted that low-impact systems must be compliant with the new CIP Version 5 cybersecurity standards by April 2017, and medium- and high-impact systems must be compliant by April 2016.

“Greater awareness of system interconnection is forcing municipally owned utilities and co-ops that previously had been outside the scope of NERC-CIP to evaluate their network to determine whether they are compliant,” Handley said.

The Need for Trained Personnel

As new cybersecurity systems are put in place to support the drive toward NERC-CIP V5 compliance, trained personnel will be required to manage these new systems. Knowledgeable, full-time support is needed for monitoring and maintenance.

According to survey respondents, few electric utilities outsource their security support (3 percent); instead, they handle it through a central management facility (25 percent) or at the local level, where each site manages its own issues (19 percent).

“However, there is an evolution going on in terms of managed services as small-to-midsize operators that cannot afford a chief information security officer (CISO) explore other means of adding security support,” Handley said.

Cybersecurity is an issue that will continue to evolve and become more mature as it is better understood by all utility management.

“Given the practical need to secure electric system infrastructure, manage costs effectively and achieve compliance with regulations, utilities must adopt a life cycle approach to security,” Handley said.

Published originally on Black & Veatch Solutions.