Homeland Security Secretary Napolitano Announces New Cybersecurity Team

With growing awareness of the risks from cyber attacks, the Federal Energy Regulatory Commission (FERC) this past April took steps to enhance U.S. cyber security standards. Its plan seeks to improve the resiliency of critical network operations in electric generation, distribution and transmission systems. The ripple effects of compliance will be felt throughout the U.S. electric utility sector and beyond.

The new enhanced standard is Critical Infrastructure Protection (CIP) Version 5. Its development was driven in part by the convergence of Internet Protocol (IP) based technology in the electric utility sector. In addition, U.S. President Barack Obama issued an Executive Order (No. 13636) directing improvements in cyber security.

The emergence of cyber-based threats is in many ways tied to the recent use of industry-transforming technologies, such as automatic metering and smart grid tools. In collecting and transmitting system data, these tools create potentially vulnerable access points.

“Each day we see how the expanded use of technology helps to deliver improved efficiency,” said Dan Rueckert, Associate Vice President, Black & Veatch’s management consulting division. “But it also creates new areas of risk that must be managed. Utilities must now harden expanding and increasingly complex data networks.”

Black & Veatch estimates that roughly 10 percent of utilities are fully compliant with the CIP standards laid out in Version 3. Version 4 raised the level to about 15 to 20 percent, still far from universal adoption. This leaves many critical assets unprotected.

The more active role required for utilities in Version 5 makes it difficult to project compliance levels. However, Rueckert said that for the first time, the North American Electric Reliability Corporation would have the authority to levy penalties for non-compliance.

“If there were any doubts that the era of the so-called ‘dumb grid’ is over, look no further than the recent coverage of international cyber incidents,” Rueckert said. “With Version 5, spending on cyber security will move up the list of priorities.”

Despite rising public awareness, cyber security ranked No. 6 on the industry’s Top 10 list of concerns, according to the 2013 Strategic Directions in the U.S. Electric Industry report. The survey of industry leaders also showed only 1.7 percent of respondents stating that it was an area for major investments.

“The Strategic Directions Electric report shows that reliability focused investments are the focal point of capital outlay across the sector,” said Rueckert. “Despite the headlines, this makes sense. At the end of the day, utilities have a mandate to deliver reliable service and comply with environmental regulations.”

Given the competition for capital, many utilities will struggle to implement cyber compliance programs. They are more focused on other pressing issues, such as aging infrastructure, regulatory uncertainty and the evolution of fuel and technology.

As executives prepare to adopt Version 5, several key elements should be considered:

Implementation: Additional expertise will be required to design and deploy network security. Work will focus on specific network protocols, software applications and patch management as outlined in CIP Version 5.

Electronic perimeters: Version 5 identifies distinctions between a “critical” and a “protected” cyber asset. Solutions such as robust firewalls and network segmentation will be required to protect the CIP assets.

Security: Utilities will need a full-range patch management solution with a robust program for review. In addition, a detailed system to classify data is required. This will identify relevant data so that proper levels of security controls can be managed. Once achieved, information safeguards can provide protections for data at rest and in transit.

Vendor solutions: Specific vendors and solutions will need to be identified, evaluated and tested for interoperability as well as to ensure they can meet Version 5 standards.

“As utilities seek to improve their performance through enhanced data collection and do more with less, they should have a plan in place to address their weaknesses,” Rueckert said. “This includes understanding the bottom line impacts of meeting CIP standards.”

Published originally on Black & Veatch Solutions.