1. Introduction
The North American Electric Reliability Corporation (NERC) develops and enforces reliability standards for the operation of the Bulk Electric System (BES).
Part of these standards, the Critical Infrastructure Protection (CIP) standards, deals with the cyber security risks of the functional entities that make up the BES. These entities include:
- Balancing Authority, Distribution Provider, Reliability Coordinator
- Generator Operator, Generator Owner
- Transmission Operator, Transmission Owner
The standards also apply to BES entities that perform automatic load shedding of 300 MW or more under a common control system owned by the Responsible Entity, without human operator initiation.
Each Responsible Entity must develop one or more documented cyber security risk management plan(s) for its BES Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS). Each requirement in the standards is assigned a Violation Risk Factor and a Time Horizon, which determine how a violation of that requirement is assessed.
2. Local implementation and guidelines
As required by NERC, local utilities must identify and protect all Critical Infrastructure Protection (CIP) assets that contribute to the safety and reliability of the bulk electric system.
The utilities operating in a given region then develop guidelines that apply to all Suppliers providing products and/or services to them, where those products or services may fall under the requirements of the NERC CIP Standards.
The assets covered by these policies include facilities in the Transmission and Generation system operated at 100 kV or higher.
Protection covers CIP Cyber Assets related to the production, generation or transmission of energy, and information identified as Confidential Information.
Electronic protection of Critical Infrastructure may include data masking, encryption, hashing, tokenization, ciphers, electronic key management, or physical protection such as locks.
Electronic protection extends also to:
- programmable devices that make a direct data connection (via Ethernet, serial, USB, or wireless, including Bluetooth or near-field communication) to CIP Assets
- storage media devices used to store, copy, move, or access data and directly connected (via serial or USB) to a CIP Asset
3. Requirements to suppliers of utilities and energy providers
Suppliers and providers of products or services shall use the laptops issued to them by the power utility ("Green Laptops").
The Supplier of products, including software, must document the methods used to verify the integrity and authenticity of all software (including firmware and patches) used on Critical Assets. This applies both to initial delivery and to incremental update methods.
Where practical, the Supplier should also indicate the methods and tools used to support that verification and confirm software integrity, such as a cryptographic hash function or other
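The integrity and authenticity check above is usually implemented as two separate steps: a signature check that proves the release manifest came from the vendor, followed by a hash check that proves the delivered image matches what the vendor signed. The example below is added here to show that flow; it is not code from the page, from NERC, or from any utility. It assumes a hypothetical manifest layout (`product`, `version`, `sha256`, `signature`) and an Ed25519 vendor key that the utility has pinned out of band at contract time; the key pair and firmware bytes are generated in the program as constructed samples.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical release manifest shipped beside a firmware
// image: the SHA-256 of the image plus the vendor's signature over the
// manifest body. The field names are assumptions made for this example.
type Manifest struct {
	Product   string `json:"product"`
	Version   string `json:"version"`
	SHA256    string `json:"sha256"`
	Signature []byte `json:"signature"` // Ed25519 signature over signedBytes()
}

// signedBytes returns the canonical bytes covered by the signature:
// every field except the signature itself, newline-separated.
func (m Manifest) signedBytes() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest is the vendor side: hash the image, fill the manifest, sign it.
func SignManifest(priv ed25519.PrivateKey, product, version string, image []byte) Manifest {
	sum := sha256.Sum256(image)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyImage is the utility side. The vendor public key is pinned out of
// band and never taken from the download itself. Authenticity is checked
// first (did the vendor sign this manifest?), then integrity (does the
// received image match the hash that was signed?).
func VerifyImage(pub ed25519.PublicKey, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest carries a malformed SHA-256 value")
	}
	got := sha256.Sum256(image)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("image hash mismatch: got %x, manifest says %s", got, m.SHA256)
	}
	return nil
}

func main() {
	// Constructed sample: a stand-in vendor key pair and a fake firmware image.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("RTU firmware build 4.2.1 (constructed sample bytes)")
	m := SignManifest(priv, "rtu-ctrl", "4.2.1", image)

	j, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(j))
	fmt.Println("genuine image:", VerifyImage(pub, m, image))

	// Tampered image with an untouched manifest: fails the hash check.
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyImage(pub, m, tampered))

	// Forged manifest: the attacker re-hashes the tampered image but cannot
	// re-sign it, so it fails the signature check before the hash is consulted.
	forged := m
	s := sha256.Sum256(tampered)
	forged.SHA256 = hex.EncodeToString(s[:])
	fmt.Println("forged manifest:", VerifyImage(pub, forged, tampered))
}
```

The order of the two checks matters: a hash published on the same download server as the image only proves the download was not corrupted in transit, not that it came from the vendor. Only the signature, verified against a key obtained through a separate channel, establishes authenticity, which is why it is checked first and why a re-hashed but unsigned manifest is rejected.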
Suppliers who use software developed by other parties will provide, where practical, a Software Bill of Materials (SBOM) listing all open source and third-party components present in the codebase.
The vendor must notify the Responsible Entity of vendor-identified incidents related to the products or services provided that pose a cyber security risk.
The Contractor shall develop and implement a "Response Plan" that includes policies and procedures to address Security Incidents, disclosure by vendors of known vulnerabilities related to the products or services provided to the power utility, and verification of the integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System.
The Contractor will identify, or provide the utility with a method to identify, the country (or countries) of origin of the procured Contractor product and its components, including the country of manufacture (hardware) and the country of build (software and firmware).
The Contractor will identify the countries where development, manufacturing, maintenance, and service for the Contractor product are provided. The Contractor will use only "approved" cryptographic methods as defined in the FIPS 140-2 Standard when enabling encryption on its products.
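An SBOM is only useful to the utility if every listed component can later be matched against vulnerability advisories, which needs at least a name, a version and a package URL. The following is an added example, not code from the page or from any vendor, of a simple acceptance check a utility could run on a received CycloneDX-style JSON SBOM. The sample SBOM embedded in the block is constructed for the example, and only the handful of CycloneDX fields the check reads are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of a CycloneDX JSON SBOM. Only the fields this check
// uses are modelled; the real format carries many more.
type component struct {
	Type     string `json:"type"`
	Name     string `json:"name"`
	Version  string `json:"version"`
	Purl     string `json:"purl"`
	Licenses []struct {
		License struct {
			ID string `json:"id"`
		} `json:"license"`
	} `json:"licenses"`
}

type sbom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []component `json:"components"`
}

// Finding records one component that fails the acceptance check.
type Finding struct {
	Component string
	Problem   string
}

// CheckSBOM parses the SBOM and returns one finding for each property a
// component is missing that would prevent it from being tracked against
// advisories: name, version, package URL, or a declared license.
func CheckSBOM(data []byte) ([]Finding, error) {
	var b sbom
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, fmt.Errorf("not a parseable SBOM: %w", err)
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", b.BOMFormat)
	}
	var out []Finding
	for _, c := range b.Components {
		label := c.Name
		if label == "" {
			label = "(unnamed component)"
			out = append(out, Finding{label, "missing name"})
		}
		if c.Version == "" {
			out = append(out, Finding{label, "missing version"})
		}
		if c.Purl == "" {
			out = append(out, Finding{label, "missing purl"})
		}
		if len(c.Licenses) == 0 {
			out = append(out, Finding{label, "no license declared"})
		}
	}
	return out, nil
}

// SampleSBOM is a constructed SBOM: one complete component, one with no
// version, and one vendor component with neither purl nor license.
const SampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "zlib",
     "purl": "pkg:generic/zlib",
     "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "vendor-modbus-stack", "version": "2.4"}
  ]
}`

func main() {
	findings, err := CheckSBOM([]byte(SampleSBOM))
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-22s %s\n", f.Component, f.Problem)
	}
	fmt.Printf("%d finding(s); SBOM %s\n", len(findings),
		map[bool]string{true: "accepted", false: "needs rework"}[len(findings) == 0])
}
```

In practice this check is the gate before the SBOM is loaded into whatever tool matches components against advisories; a component without a version or purl can never produce a match, so it should be sent back to the supplier rather than silently accepted.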
4. Conclusion
The current NERC guidelines and policies have been adopted by the participants in the electric power system on the generation, transmission, distribution and balancing sides.
All of the policies listed in this article concern the supply side of the energy system.
On the other side, the demand side, we have:
- hundreds or thousands of large plants and factories
- tens to hundreds of thousands of small businesses
- thousands of cities and municipalities
- hundreds of millions of individual users
The NERC guidelines and policies currently do not address cyber security on the demand side.
The products that we are developing and releasing are deployed on, and become part of, the demand side of the electric power system.
We are willing to get in contact and work with any party on the supply side of the Bulk Electric System, and especially with the Balancing Authority, Reliability Coordinator and Distribution Provider.