Safety is of paramount concern when it comes to the bulk electric system of North America. With so many busy cities flourishing on the continent, power interruption will definitely derail the daily grind of its inhabitants and the long-term health of its economies.
This is one of the primary reasons why in 2006, the North American Electric Reliability Corporation created the Critical Infrastructure Protection (CIP) standards. These established the guidelines that will protect the bulk power system from vulnerabilities and problems.
In assessing vulnerabilities using the NERC CIP guidelines, there must be cooperation among stakeholders, a focus on safety, and the development of actionable information for mitigation of problems.
This guide provides a comprehensive overview of the basis, process, and outcomes of NERC CIP vulnerability assessments.
Mandated by Law
With the creation of NERC CIP cyber vulnerability safeguards, companies that run bulk electric systems are required by law to adhere to its standards. This is for the safety of everyone.
The basis for running regular vulnerability assessments is clearly stated in the body of the guidelines. In a nutshell, an assessment should answer the specific requirements of CIP-005 and CIP-007, which outline the need for annual cyber vulnerability assessments.
It’s important to note that the goal of these assessments is to discover breach possibilities, not the probability that such an event will occur. This requires a more thorough assessment.
Let’s get into the specifics of the guidelines that you need to be familiar with:
NERC CIP-005, Electronic Security Perimeter
In R4 (requirement 4), a NERC CIP Cyber Vulnerability Assessment must be done on the electronic access points to the Electronic Security Perimeter once a year.
This assessment has a set of minimum requirements, as provided by R4.
- R4.1 A document that identifies the vulnerability assessment process.
- R4.2 A review to verify that only the ports and services required for operations at the access points are enabled.
- R4.3 A rundown of all the access points to the Electronic Security Perimeter.
- R4.4 A review of the controls for default accounts, passwords, and network management community strings.
- R4.5 Documentation of the results of the vulnerability assessment, together with an action plan to mitigate or remediate the vulnerabilities found, and status updates on the execution of that action plan.
A key point of CIP-005 is that it covers the Electronic Security Perimeter. On the other hand, CIP-006 discusses the Physical Security Perimeter or the actual objects and devices that comprise the infrastructure.
A rule of thumb is that the same strict protocols enforced to protect the Electronic Security Perimeter must apply to the Physical Security Perimeter as well.
NERC CIP-007, Cyber Security – Systems Security Management
In R8 (requirement 8), there is another requirement for a NERC CIP Cyber Vulnerability Assessment wherein the Responsible Entity must perform an annual check of all Cyber Assets located within the Electronic Security Perimeter.
This assessment must include the following as a bare minimum:
- R8.1 A document that identifies the vulnerability assessment process that will be used.
- R8.2 A review to verify that only the ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled.
- R8.3 A thorough review of the controls for default accounts.
- R8.4 Documentation of the assessment results, an action plan to address the identified vulnerabilities, and status updates on the implementation of the action plan.
The Commonality of the Requirements
Two separate assessments are not needed to satisfy the requirements of CIP-005 and CIP-007; both can be covered in a single evaluation.
An essential pointer is that both standards focus heavily on ports and services, so much of the data gathered once can serve both requirements and save time and resources.
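As an added example (not code from the original post or from RSI Security), the script below shows how one pass over the collected asset data can serve both the CIP-005 R4.2/R4.4 and the CIP-007 R8.2/R8.3 checks and feed the R4.5/R8.4 action plan. The asset names, the approved-port baseline and the default-account list are assumed sample values constructed for the example.

```python
from dataclasses import dataclass, field

# Asset records as collected during the review. These are constructed samples, not real
# equipment; "role" marks an ESP access point (CIP-005 R4) or a Cyber Asset inside the ESP (CIP-007 R8).
@dataclass
class Asset:
    name: str
    role: str                    # "access_point" or "cyber_asset"
    listening: dict              # observed port -> service
    accounts: list               # local account names present
    snmp_communities: list = field(default_factory=list)

# Documented baseline of ports/services required for operation (assumed values).
BASELINE = {
    "fw-esp-01": {22: "ssh", 443: "https"},
    "hmi-01": {3389: "rdp", 502: "modbus"},
    "rtu-gw-02": {502: "modbus", 161: "snmp"},
}
# Vendor-default names and community strings the review must flag (assumed list).
DEFAULT_ACCOUNTS = {"admin", "guest", "root", "operator"}
DEFAULT_COMMUNITIES = {"public", "private"}
ITEMS = {"unapproved_ports": "disable or justify port {}",
         "default_accounts": "rename or disable default account {}",
         "default_communities": "replace default SNMP community string {}"}

def review(assets, baseline):
    """One pass covering R4.2/R4.4 and R8.2/R8.3: listeners outside the
    baseline, default accounts, default SNMP community strings."""
    findings = {}
    for a in assets:
        approved = baseline.get(a.name, {})
        issues = {
            "unapproved_ports": sorted(p for p in a.listening if p not in approved),
            "default_accounts": sorted(x for x in a.accounts if x.lower() in DEFAULT_ACCOUNTS),
            "default_communities": sorted(c for c in a.snmp_communities if c in DEFAULT_COMMUNITIES),
        }
        if any(issues.values()):
            findings[a.name] = dict(issues, role=a.role)
    return findings

def action_plan(findings):
    """Action-plan rows for R4.5/R8.4; each item starts 'open' until remediated."""
    return [{"asset": asset, "item": ITEMS[key].format(v), "status": "open"}
            for asset, f in findings.items() for key in ITEMS for v in f[key]]

SAMPLE_ASSETS = [
    Asset("fw-esp-01", "access_point", {22: "ssh", 443: "https", 23: "telnet"}, ["admin", "netops"]),
    Asset("hmi-01", "cyber_asset", {3389: "rdp", 502: "modbus"}, ["operator", "scada_svc"]),
    Asset("rtu-gw-02", "cyber_asset", {502: "modbus", 161: "snmp"}, ["rtuadmin"], ["public"]),
]
```

Running `action_plan(review(SAMPLE_ASSETS, BASELINE))` yields one open item per finding, which is the starting point for the documented status updates both standards require.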
Understanding the Process of Vulnerability Assessment
With a clear understanding of the law and its requirements for Responsible Entities, the vulnerability assessment should go smoothly. There are three steps: the planning, the assessment process and the mitigation once vulnerabilities are found.
Because a lot is at stake if bulk electric systems fail or are exposed to vulnerabilities, the assessment should never be taken lightly. It requires careful planning and collaboration with the engineering and operations personnel to ensure that there will be no harm done.
Why is teamwork essential? For the assessment team to conduct their work well, they will need data and access from the system and network administration personnel. Scheduling is vital so that there are no operational stresses that will add complications to the test.
The assessment team must also have open communication lines with the responsible entity about the scope of the test. This includes details such as the duration of the assessment, the number of assessors required, the amount of data that will be needed and the qualifications of those that will collect vital data.
After the scope is determined, the assessment team should move on to identify the performance requirements, resource estimates, travel expenses, rules of engagement, and team composition.
Everyone in the team has a role, and this must be carried out flawlessly to minimize any harm to the bulk electric power system. Here are team roles that are typically enlisted in the assessment team:
- Physical security assessors
- Control systems engineers
- Information technology assessors
- Team leader
- Report writer
The usual procedure is to have two leaders: one with project management skills and one with experience in the technical aspects of the assessment.
At the end of the assessment, the report writer must gather all findings, inputs and contributions to create the required documentation.
As for the cyber vulnerability assessment, it mostly follows the same planning. The assessment team needs to determine the number and types of cyber assets and applications. Larger enclaves will require more complex checks of the internal network infrastructure. It is also essential to determine how many electronic security perimeters and communication paths there are.
Estimation of resources is an essential next step. This includes travel costs, especially for CIP cyber vulnerability assessments. The assessment team is not always based on the location of the responsible entity. This means some fees must be included in the planning, such as trip allowance, food budget, lodging, and visits to outlying locations such as substations, generation plants and other control centers.
The way the project plan is written should also be part of the program. During the assessment, access to critical cyber assets must be coordinated smoothly and carefully, balanced against the operational requirements of the responsible entity as prescribed by NERC CIP.
The safe conduct of the assessment depends on a project plan that is written with all the required actions of all the participants in a schedule that has been agreed upon.
Planning is essential because NERC CIP cyber vulnerability assessment requires hands-on fieldwork to check the critical cyber assets involved. The assessors must be physically present to access or watch the access of critical cyber assets within the control systems.
These are the rules of engagement that must be tackled in planning. Remember the importance of the bulk electric power system. The assessment plan must protect the regular operation of the power system, and minimize the liabilities of the assessors.
Before the actual assessment, it must be clear which actions and activities the assessors can participate in and for which events they are only observers. As a rule of thumb, it’s best to avoid active measures in the live control system. The regular protocol is for the responsible entity to retain “hands on the keyboard” and perform actions within the active control system while the assessors look on.
Network sniffing may be allowed if agreed upon by all parties.
As a substitute, the assessors can test secondary control systems, stand-alone systems, or testing networks. However, the substitutes must be proven to be similar to the primary active systems.
The Conduct of the Assessment
The planning should take the bulk of the assessment preparation to anticipate problems. When all of it has been sorted through, the next step is the conduct of the actual assessment.
But it is easier said than done. Implementing the plan is a different challenge altogether. There will be surprises, such as personnel availability and communication failures. So there should also be room for contingencies.
For this reason, the assessment team should be quick on their feet to adapt on the spot and learn to reallocate resources or reschedule events. But this comes with a delicate balance to ensure that there is no conflict of interest.
The tasks outlined in the plan should be implemented in the order that makes the most sense, and that causes the least disruption.
To minimize the exposure time of each critical asset, the assessment team should check the services and the accounts simultaneously so as not to waste time. It should be ensured that no changes are made to the platform and that the external and internal assessments complement each other.
The Report of the Results
The overall point of taking time to plan and conduct the vulnerability assessment is to find potential problems — and search for ways to address and remedy them.
This is why, after the actual assessment, the next important step is the reporting of the results. These results should provide a clear picture of the bulk power system and recommend actionable information on how to address any vulnerability.
As listed above in the basis for the vulnerability assessment, the responsible entity is required by the NERC CIP standards to present the following as minimum requirements:
- A document that outlines the vulnerability assessment process
- Documentation of the results
- Action plan to find remedies to the vulnerabilities
- Status update of the action plan
This is why the assessment report will be very vital. Most of the information that is needed to pass the requirements should be found here. This includes technical information, specific tools, and techniques that can be referred to for future use.
The report should be done well to pass the standards of auditors who will check if the vulnerability assessment was done in accordance with the NERC CIP standards.
It needs to report all discovered vulnerabilities, as well as the tools and techniques used to get these results. This is important for future reference if the system encounters any similar issues in the future. The tools or technology may become obsolete, but it can give future assessors an idea about the nature of the problem.
The report should also be thorough. It is not enough to simply list a vulnerability as though it were an item in a quiz; the report must explain how the vulnerability could be exploited.
The Mitigation of Vulnerabilities
An assessment is useless if it only finds vulnerabilities and does nothing to address them. Many cities depend on bulk power systems, which should have zero problems whenever possible.
The assessment team should provide sufficient information to help the responsible entity make informed choices about how to address, minimize, or eliminate a vulnerability. If it is ignored, it can cause problems that can have significant consequences. If it is resolved as quickly as possible, it can help avoid issues before they even begin.
It is essential for those that conduct the NERC CIP Vulnerability Assessment to remain objective at all times. They can also make relevant recommendations to improve the stability of the bulk power system and be available likewise as an essential resource to enhance operations down the road.
Learn More About NERC CIP Vulnerability Assessment with RSI Security
Mandated by law, the NERC CIP Vulnerability Assessment is an important annual event that all responsible entities must plan for. Securing the stability of bulk electric power systems is vital. While this assessment is conducted, the power system should keep operating efficiently and without problems.
Let the expertise and experience of security professionals such as RSI Security walk you through all the planning and conduct of the Vulnerability Assessment. Our guide will help ensure the smooth and efficient handling of this important annual event.