What You Need to Know about NERC CIP Cybersecurity Standards

For more than a decade, energy and utility organizations have been tasked with meeting standards from the North American Electric Reliability Corp. (NERC) and mandated by the Federal Energy Regulation Commission (FERC).

With critical infrastructure attacks on the rise, compliance mandates seem more timely than ever. NERC Critical Infrastructure Protection (CIP) standards are made up of nearly 40 rules and almost 100 sub-requirements. This may sound like a lot, but as the name suggests, these provisions are critical for ensuring that electric systems are prepared for cyber threats.

Throughout the standards, NERC refers to "Critical Assets" and "Responsible Entities". It is important to understand the definitions for both terms:

Critical Assets: These include, but are not limited to, control systems, data acquisition systems and networking equipment, as well as hardware platforms running virtual machines or virtual storage.

Responsible Entities: These are defined as reliability coordinators, balancing authorities, interchange authorities, transmission service providers, transmission owners, transmission operators, generator owners, generator operators, load-serving entities and NERC/regional entities. All responsible entities are required to adhere to the standards as defined by NERC.

Digital innovation shows no signs of slowing down. Advances in information technology bring new vulnerabilities that threaten the reliable functioning of the power grid, which is critical to America's energy future. Therefore, it is important that energy and utility organizations have a comprehensive understanding of NERC regulations. Since the program became enforceable in 2009, there have been several updates to the regulations, and there are likely to be more in the future.

We've made it easy for you by identifying and providing additional context for the current (as of November 2018) standards:

CIP-002-5.1a - Cyber Security - BES Cyber System Categorization

This standard requires you "to identify and categorize Bulk Electric System (BES) cyber systems and their associated BES cyber assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES cyber systems could have on the reliable operation of the BES. Identification and categorization of BES cyber systems support appropriate protection against compromises that could lead to misoperation or instability in the BES."

What it means to you: Under this standard you will identify each critical asset, categorize it, rate the impact its compromise or loss would have and, ultimately, document the overall relationship or operating dependency the asset has to your facility. This is helpful when submitting to the NERC Compliance Registry (NCR), and it also aids in creating compliance monitoring objectives.

CIP-003-6 - Cyber Security - Security Management Controls

This standard requires you "to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES cyber systems against compromise that could lead to misoperation or instability in the BES."

What it means to you: An organization must enact consistent and sustainable security management controls to protect all identified critical cyber assets from compromise, misoperation or instability. Cybersecurity policy, leadership, exceptions, information protection, access control, change control and configuration management are all covered by CIP-003-6, while adherence to sub-requirements may vary by organization, criticality of assets and impact rating.

CIP-004-6 - Cyber Security - Personnel & Training

This standard requires "the minimizing of risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES cyber systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems."

What it means to you: All personnel with authorized access to critical cyber assets must undergo an adequate degree of personnel screening and risk assessment, employee training and security awareness programs. You also need to maintain lists of personnel with authorized access, including service providers and contractors. Moreover, CIP-004-6 requires the organization to document, review and update such training and programs on an annual basis.

CIP-005-5 - Cyber Security - Electronic Security Perimeter(s)

This standard requires you "to manage electronic access to BES cyber systems by specifying a controlled Electronic Security Perimeter in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES."

What it means to you: This standard primarily focuses on your perimeter and on addressing vulnerabilities encountered during remote access. The perimeter that houses all critical cyber assets should be protected and every access point into it secured. Key components include, but are not limited to, the following: remote session encryption, multi-factor authentication, anti-malware updates, patch updates and using Extensible Authentication Protocol (EAP) to limit access based upon roles.

CIP-006-6 - Cyber Security - Physical Security of BES Cyber Systems

This standard requires you "to manage physical access to BES cyber systems by specifying a physical security plan in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES."

What it means to you: This standard emphasizes the physical security perimeter and tasks the responsible entity with implementing a physical security program. The goal is to define physical security zones and create preventative controls that protect and control access to cyber assets according to the risk of each zone. A physical security plan, protection of physical access control systems, protection of electronic access control systems, physical access controls, physical access monitoring, physical access logging, access log retention, and maintenance and testing are all requirements of the security program for CIP-006-6.

CIP-007-6 - Cyber Security - System Security Management

This standard requires you "to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES."

What it means to you: You must create, implement and maintain processes and procedures for securing both critical and non-critical cyber assets. This also means documenting security measures, including records of test procedures, ports and services, security patch management and malicious software prevention.

CIP-008-5 - Cyber Security - Incident Reporting and Response Planning

This standard requires "mitigation of the risk to the reliable operation of the BES as the result of a cybersecurity incident by specifying incident response requirements."

What it means to you: Security incidents involving any critical cyber asset must be identified, classified, responded to and reported in the manner NERC deems appropriate. You will want to create an incident response plan that covers the actions, roles and responsibilities of those involved, as well as how incidents are to be handled and reported to governing bodies. This plan must be updated annually and tested for applicability.

CIP-009-6 - Cyber Security - Recovery Plans for BES Cyber Systems

This standard requires that you "recover reliability functions performed by BES cyber systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES."

What it means to you: Your critical cyber assets must have recovery plans that align with your energy utility organization and adhere to disaster recovery best practices. A recovery plan, change control, backup and restoration processes, and testing of backup media are all requirements of CIP-009-6.

CIP-010-2 - Cyber Security - Configuration Change Management and Vulnerability Assessments

This standard requires "preventing and detecting unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES."

CIP-011-2 - Cyber Security - Information Protection

This standard requires you "to prevent unauthorized access to BES cyber system Information by specifying information protection requirements in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES."

CIP-014-2 - Cyber Security - Physical Security

This standard requires you "to identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack, could result in instability, uncontrolled separation, or cascading within an interconnection."

***

These requirements are regularly reviewed and updated, so it's important to remain steadfast and proactive when creating a cybersecurity strategy within your organization. You can learn more about the above requirements by visiting NERC.com.

Of course, like organizations in other industries, energy and utility companies may be short on resources and require a partner that can help them better understand, achieve and maintain compliance with NERC CIP-related requirements.

Interested in learning how Trustwave and our team of NERC CIP certified employees can assist your energy/utility company in addressing the standards?
