Energy and utility companies play a critical role in the United States’ national security, largely because these responsible entities are strictly maintained and regulated to secure and protect energy infrastructure on a national scale. When these systems fail, the damage can be far greater than a typical power outage on a rainy day. While such failures are few and far between, catastrophe is much closer to our grid than the everyday consumer realizes. For example:
What would happen if a town lost power? Traffic lights stop working, buildings go dark, chaos ensues. Life-saving machines in hospitals power down, and medications kept in electrically powered and regulated machines are trapped. We often underestimate how dependent our daily lives are on electricity, and as the grid becomes more and more connected through the Internet of Things (IoT), we are increasingly exposed to cyber attacks by bad actors who don’t even need to leave their houses to wreak havoc on an entire region or nation.
Cybersecurity in the Energy & Utilities Space
The North American Electric Reliability Corporation (NERC) has been in operation since the early 1960s and is in charge of maintaining the operations and functions of our Bulk Power System, also known as the electric grid. Prior to the invention and adoption of the internet and today’s cybersecurity regulations, NERC served entirely as a voluntary industry organization. For over 40 years, NERC suggested NERC CIP environment standards to assist energy companies and government agencies in maintaining their infrastructure along the electric grid. Jump to 2005: the Energy Policy Act of 2005 required the Federal Energy Regulatory Commission (FERC) to choose an Electric Reliability Organization. NERC was seen as the most qualified organization to take charge, as it had been working towards establishing industry reliability standards for a very long time. This new designation gave NERC more authority, allowed it to set mandatory regulations, and let it continue to improve and modify its existing standards of compliance. In 2008, the Critical Infrastructure Protection (CIP) standards compliance framework was developed to mitigate cybersecurity attacks on the Bulk Electric System. While these standards were not initially required, they were used to mitigate risk and later became an industry norm.
NERC Critical Infrastructure Protection (NERC CIP) is a set of requirements designed to secure the assets required for operating North America's bulk electric system.
What is NERC CIP?
At the time of writing, the framework comprises 11 control families, with another 5 subject to enforcement in the future. These are mandated for energy and utility companies operating within the Bulk Electric System to protect critical cyber assets and minimize risk and manipulation by bad actors seeking to cause damage. The controls are listed below with their CIP compliance definitions:
CIP-002-5.1a Cyber Security - BES Cyber System Categorization
To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
What it means: Here the framework prioritizes the inventory of any connected systems that fall within the scope of the NERC CIP standards. As with any cybersecurity framework, knowing what you and your organization are protecting is paramount to success: if you don’t know how many assets you’re protecting and don't run vulnerability assessments, you leave yourself open to unexpected threats.
CIP-003-7 Cyber Security - Security Management Controls
To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
What it means: Organizations must outline the controls that they have in place to secure the assets that they scoped for the previous section. This sits at the highest level and is most relevant to cybersecurity program managers and CISOs; it provides visibility into the security activities, the responsible entities, and the steps taken to secure the assets of the organization.
CIP-004-6 Cyber Security - Personnel & Training
To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.
What it means: One of the most unpredictable variables of any cybersecurity program is human error. As a result, given that the grid is of such great importance, those adhering to NERC CIP must include personnel training in their cybersecurity program.
CIP-005-5 Cyber Security - Electronic Security Perimeter(s)
To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP-006-6 Cyber Security - Physical Security of BES Cyber Systems
To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
What it means: Organizations must also take into account the physical security of these assets.
CIP-007-6 Cyber Security - System Security Management
To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
CIP-008-5 Cyber Security - Incident Reporting and Response Planning
To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.
What it means: Ensure that you and your organization have a clear and documented plan in place in the event that a cyber event does happen.
CIP-009-6 Cyber Security - Recovery Plans for BES Cyber Systems
To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.
What it means: You and your organization should also have a documented plan for disaster recovery. How does your organization ensure that business and operations remain uninterrupted in the face of an event?
CIP-010-2 Cyber Security - Configuration Change Management and Vulnerability Assessments
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
What it means: This element goes hand-in-hand with access control: make sure that you have systems and processes in place to handle configuration changes. Unauthorized or unsupervised configuration changes pose a serious security threat, so there must be systems in place to detect and protect against them.
CIP-011-2 Cyber Security - Information Protection
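One concrete way to detect the unauthorized changes CIP-010 is concerned with, as an added example that is not part of the original article or any CyberStrong feature: keep a per-asset configuration baseline, compare it with what is observed now, and flag every difference that no approved change record explains. The baseline fields (operating system, installed software, listening ports, applied patches) and all sample values are this example's own assumptions.

```python
"""Added example for the CIP-010 discussion: compare a BES Cyber Asset's
configuration baseline with what is observed now and flag every difference
that no approved change record explains. The baseline fields (os, software,
ports, patches) are this example's assumption, not taken from the standard."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    os: str
    software: frozenset
    ports: frozenset
    patches: frozenset

@dataclass(frozen=True)
class ChangeRecord:
    field_name: str                 # baseline field the approved change touches
    added: frozenset = frozenset()
    removed: frozenset = frozenset()

def _approved(approved, field_name, item, kind):
    # True if some change record authorizes `kind` ("added"/"removed") of item
    return any(r.field_name == field_name and item in getattr(r, kind) for r in approved)

def detect_deviations(baseline, observed, approved):
    """Return sorted (field, kind, item) tuples for unauthorized deviations."""
    deviations = []
    if baseline.os != observed.os and not _approved(approved, "os", observed.os, "added"):
        deviations.append(("os", "changed", observed.os))
    for name in ("software", "ports", "patches"):
        before, after = getattr(baseline, name), getattr(observed, name)
        for item in after - before:      # present now, absent from baseline
            if not _approved(approved, name, item, "added"):
                deviations.append((name, "added", item))
        for item in before - after:      # in baseline, missing now
            if not _approved(approved, name, item, "removed"):
                deviations.append((name, "removed", item))
    return sorted(deviations)

# Constructed sample data for one asset (not a real inventory).
SAMPLE_BASELINE = Baseline("vendor-rtos 4.2", frozenset({"hmi-runtime 3.1", "vpn-agent 1.0"}),
                           frozenset({"tcp/502", "tcp/443"}), frozenset({"PATCH-2023-01"}))
SAMPLE_OBSERVED = Baseline("vendor-rtos 4.2",
                           frozenset({"hmi-runtime 3.2", "vpn-agent 1.0", "remote-shell 0.9"}),
                           frozenset({"tcp/502", "tcp/443", "tcp/23"}),
                           frozenset({"PATCH-2023-01", "PATCH-2023-02"}))
SAMPLE_APPROVED = [ChangeRecord("software", frozenset({"hmi-runtime 3.2"}), frozenset({"hmi-runtime 3.1"})),
                   ChangeRecord("patches", frozenset({"PATCH-2023-02"}))]
```

Running `detect_deviations(SAMPLE_BASELINE, SAMPLE_OBSERVED, SAMPLE_APPROVED)` reports only the unexplained additions of `remote-shell 0.9` and port `tcp/23`; the approved runtime upgrade and patch are not flagged, which is the distinction between a managed change and one that needs investigation.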
To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
What it means: Going a level deeper, the controls necessary to satisfy these requirements are specific tactics and solutions (such as endpoint solutions) that protect specific elements and assets of the organization.
CIP-014-2 Physical Security
To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.
What it means: The grid sits at one of the largest intersections of the digital and physical realms; in fact, if the grid is down, access to the digital realm fails with it. As a result, organizations must also take into account the steps they are taking to protect the physical centers that keep the grid online.
Currently, there are 5 CIP controls that NERC will enforce in the near future: CIP-003-8 Cyber Security - Security Management Controls, CIP-005-6 Cyber Security - Electronic Security Perimeter(s), CIP-008-6 Cyber Security - Incident Reporting and Response Planning, CIP-010-3 Cyber Security - Configuration Change Management and Vulnerability Assessments, and CIP-013-1 Cyber Security - Supply Chain Risk Management. CISOs seeking to stay ahead of these regulations should adapt their policies to meet these new standards, as doing so will further lower potential risk to the electric grid and satisfy NERC CIP requirements at the same time.
As the information security landscape continues to evolve, we can expect the instances of bad actors attacking our electrical grid, both national and regional entities, to only increase. By staying NERC CIP compliant and adjusting your business policies to NERC regulations as they are announced, your organization will succeed in protecting its customers, critical cyber assets, the natural resources it relies on, and the Bulk Electric System.
The greatest burden of critical infrastructure protection (CIP) for many security leaders lies in the scoping and awareness of what assets need to be secured. In that capacity, an integrated risk management platform is critical to success and ongoing CIP compliance. Static spreadsheets and assessments are outdated the moment they are completed; a continuous, integrated, risk-based approach to NERC CIP compliance and security management enables security leaders to gather assessment data into a single source of truth and report out to both technical and business-side stakeholders far more effectively and efficiently.
CyberStrong is an industry-leading platform that is helping cybersecurity teams at some of the largest financial institutions and energy and utility organizations streamline their assessments and risk and compliance management units. Learn more about how CyberStrong can help your organization streamline NERC CIP and cybersecurity management and reporting here.