A cyberattack on key utility infrastructure of a nation can spell disaster, especially as a part of a firesale attack (a cyber attack that intends to disable or render unusable the nation’s transportation, utilities, telecommunications, and financial infrastructure). The potential doomsday scenario has many nations considering the impact the fall out of a wide scale cyberattack could have on the country’s stability and economy.
This is not something that should frighten people, but the strength and resilience of a nation comes from the hard work the people embody, and the United States cyber defense reflects this. In the latest bid to strengthen the cyber resilience of the country, the US government created the The North American Electric Reliability Corporation (NERC) framework, a framework that is designed to protect a part of the utility infrastructure of the United States.
The NERC is the federal entity responsible for the oversight of the Bulk Electric System (BES) for North America. Its jurisdiction applies to all owners, users, producers, and suppliers of the Bulk Electric Supply in eight provinces of Canada, one state in Mexico and all of the continental United States. NERC Standards carry the force of regulation and as such are mandatory for all entities to whom it applies, and they cover a wide range of categories.
The NERC Critical Infrastructure Protection (CIP) Standards are those which apply specifically to the cybersecurity aspects of the Bulk Electric System and its efficient and reliable supply. CIP deals with the prior planning and preparation within organizations and government agencies to deal with threats to the effective and timely functioning of national and regional critical infrastructure.
NERC CIP standards also referred to as the NERC CIP Requirements, define the reliability requirements for planning, operating, and protecting the North American bulk power supply system. There are 10 Fundamental Requirements within the NERC CIP standards which also contain numerous sub-standards, and these are being added to and amended every year, with several requirements currently pending regulatory approval. The sub-standards give detailed information and direction on the appropriate methods to be used for proper compliance and aspects of enforcement. In the coming section we will explore the 10 fundamentals in greater detail.
1. Identification and Categorization
Based on the NERC CIP-002-5.1a: Bulk Electric System (BES) Cyber System Categorization.
The fundamental purpose of NERC CIP-002-5.1 is to identify and categorize BES Cyber Systems which are defined as a grouped set of critical cyber assets — the BES Cyber Assets. Cyber assets are further defined as those electronic devices which are programmable and the data held within those same devices. Part of the categorization process involves the grading of the various BES Cyber Systems based on the impact of any interruption of the reliable supply of electricity. The cause of the interruption is not the key factor, rather it is the length of time the interruption to the supply lasts; anything longer than 15 minutes is a problem.
Along with the identification and categorization of BES Cyber Systems, any support systems which necessarily provide reliable functioning to the BES Cyber Systems must be treated similarly. These Cyber Assets are broadly categorized as:
- Electronic Access Control or Monitoring Systems – intrusion detection systems, electronic access points, and authentication servers.
- Physical Access Control Systems – card access systems and authentication servers.
- Protected Cyber Assets – networked printers, file servers and LAN switches.
2. Security Controls
Based on the NERC CIP-003-6: Security Management Controls.
The primary purpose of NERC CIP-003-6 is to establish clear accountability for the protection of the BES Cyber Systems of North America through the delegation of authority and the identification of a senior manager responsible for the policy development of consistent and sustainable security management controls.
These controls must establish the levels of responsibility and accountability within an organization to protect the Bulk Electric System (BES) Cyber Systems from any negative impacts on the BES Cyber System that could lead to faulty operation or instability.
3. Background Checks and Training
Based on NERC CIP-004-6: Personnel & Training.
In the NERC CIP standards one of the most important aspects is the training of staff and contractors. This is the focus of NERC CIP-004-6: Personnel and Training. The purpose here is to reduce the exposure of the BES to cyber risks from personnel and contractors with direct physical access or permitted cyber access through appropriate screening and training of those personnel. This can be separated in two parts:
Cybersecurity Awareness and Training
Awareness: a cybersecurity awareness program must include a documented schedule of activity at least once per quarter annually. The awareness program should build upon the cybersecurity practices already established for staff and contractors and include updates in both physical and remote access requirements.
Training: Before gaining access to BES Cyber Systems, each individual must also go through training, especially those people involved in high-impact BES Cyber systems, and this training must be taken once every 15 months. The training must cover each of the following areas as listed in the NERC CIP standards:
- Cybersecurity policies
- Physical access controls
- Electronic access controls
- Visitor control program
- BES Cyber System Information: control and storage
- Cybersecurity Incidents: identification and notification procedures
- BES Cyber System: Recovery Plan
- Cybersecurity Incidents: Response Plan
- BES Cyber System security risks: interactions with cyber assets (removable media, etc.)
It is important, as with all NERC CIP standards, to keep accurate and dated records of any training activities undertaken by both the trainer and the trainee.
Risk and Access Control Management
Personnel risk assessment program: this must be documented and in line with all relevant laws and be conducted before access to critical BES cyber systems is allowed. The risk assessment must include identity verification, a criminal record check and be repeated every seven years.
Access management program: a clear process for the authorization of electronic and physical access to BES Cyber Systems. This process includes access to storage areas, both physical and digital, and requires the documentation of authorization documents to be checked and updated quarterly. Where electronic access is authorized, all groups and categories of groups must be checked for ongoing relevance and updated every 15 months.
Revocation/removal of access privileges program: a clear process for the removal of the ability to access (physically or remotely) from an individual who currently holds the authorization to do so within 24 hours of a termination action. The termination action may be a result of reassignment, transfer, redundancy, retirement, death or any other scenario where the access privileges of the individual are considered to be no longer appropriate.
4. Electronic Security
Based on NERC CIP-005-5: Electronic Security Perimeter(s).
In order to better protect the BES Cyber Systems from misoperation and instability, one of the NERC CIP requirements calls for the creation of electronic security perimeters around cyber assets. An Electronic Security Perimeter (ESP) groups together all the cyber assets linked to the same router or routable protocol within it and creates a virtual barrier through which all data flow can be monitored.
Where cyber assets are located outside the ESP and therefore have External Routable Connectivity (ERC), those assets must enter the network through a specified interface — an Electronic Access Point (EAP).
The management of all remote access into the BES Cyber System must include clear guidelines for the granting of external access permissions and documentation of the grant process. Management of Interactive Remote Access where cyber assets which are outside the ESP and not connected to the EAP can initiate access to the BES Cyber System must use intermediate systems which perform access control management between the external user and the ESP of the BES cyber assets, employ data encryption, and require multi-factor authentication.
5. Physical Security
Based on NERC CIP-006-6: Physical Security of BES Cyber Systems.
Cybersecurity risks include any risks to physical assets and those risks arising from physical access to critical infrastructure; it is this area of risk which NERC CIP-006 addresses. It does this through operational and physical controls defined under the CIP Requirements for a physical security plan, a visitor control program, and a maintenance and testing program. Each of these areas must have a clear and well defined set of operational and procedural controls which must be followed by personnel, visitors, and contractors. In brief, these NERC CIP requirements contain the following:
- Physical security plan – documented operational and procedural controls to restrict physical access, especially unaccompanied access to BES Cyber Systems. This must include the use of authorized access protocols, monitoring of access, and response plan for detected unauthorized access.
- Visitor control program – unless a visitor is granted unescorted physical access authorization, all visitors must be provided with an escort for the whole of the visit. A detailed log of visitors must be kept for at least 90 days and must include the name and contact details of the person responsible for the visitor.
- Maintenance and testing program – At least once every 2 years all Physical Access Control Systems (PACS) must be tested for efficacy including any elements at the Physical Security Perimeter (PSP).
6. System Security
Based on NERC CIP-007-6: System Security Management.
Managing system security is another fundamental CIP requirement and this must be implemented through application of specific technical, operational, and procedural elements.
These elements as listed in the NERC CIP standards are:
- Ports and services – control access to device ports through systems config or physical port lock.
- Security patch management – system for tracking, installing, and evaluating of security patches.
- Malicious code prevention – system to deter, detect, and prevent malicious code activation.
- Security event monitoring – log cybersecurity events whether failed or successful.
- System Access controls – authentication of interactive user access enforcement methods.
7. Incident Management
Based on NERC CIP-008-5: Incident Reporting and Response Planning.
Once a cybersecurity incident occurs, there must be a clear and planned response, or set of responses, designed to help mitigate the risk to the efficient and reliable functioning of the BES.
All NERC CIP standards require documentary proof of compliance, and NERC CIP-008 is at the heart of NERC’s critical infrastructure risk management requirements. The three areas of compliance here are:
- Cybersecurity incident response plan specifications – outline the full process used to identify, classify, and then respond to any cybersecurity incidents.
- Cybersecurity incident response plan implementation and testing – at least once every 15 months the plans must be tested through a live incident or practice exercise.
- Cybersecurity incident response plan review, update, and communication – within 90 days of a live incident or planned response exercise any changes to the response plan must be shared with the relevant individuals.
8. Recovery Plans
Based on NERC CIP-009-6: Recovery Plans for BES Cyber Systems.
Recovering from a cybersecurity incident that has affected the reliable functioning of the BES Cyber Systems requires recovery planning. NERC CIP requirements in support of the recovery phase from a cybersecurity incident are similar to those for incident management — specifications, implementation, and testing, and review, update, and communication.
- Recovery specifications – including the conditions under which the plan should be activated and the specific responsibilities of those responding.
- Recovery implementation and testing – at least once in every 15 month period the plans must be tested through a live incident response or through a practice exercise.
- Recovery plan review, update and communication – within 90 days of a live incident or planned response exercise any changes to the response plan must be shared with the relevant individuals.
9. Configuration and Vulnerabilities
Based on NERC CIP-010-2: Configuration Change Management and Vulnerability Assessments.
When working to protect cyber systems it is obvious that prevention is best, and the NERC CIP standard 010-2 specifies the requirements for the prevention and detection of any unauthorized changes. This fundamental protection is achieved through system configuration controls and active testing for system vulnerabilities. The three areas for compliance are:
- Configuration change management – develop baseline configuration and authorization process for operating systems, software, ports, and security patches.
- Configuration monitoring -at least once in every 35 days monitor baseline for unauthorized changes. Document and investigate.
- Vulnerability assessments -at least once every 15 months conduct a vulnerability assessment through either a live incident or practice exercise.
10. Information Protection
Based on NERC CIP-011-2: Information Protection.
This NERC CIP standard specifies the requirements for identification of specific types of information that could, if misused, affect the reliable functioning of the BES. To prevent unauthorized access to the BES cyber-system it is important that personnel are able to identify information that could be used maliciously; to gain unauthorized access or to compromise the BES Cyber Systems.
- Information protection protocols – methods to be used for identifying BES Cyber System information and the procedures to be followed for its safe handling and storage.
- BES cyber asset reuse and disposal – the process through which BES cyber assets are prepared for reuse or disposal in such a way that the BES cyber system information is rendered irretrievable.
The NERC-CIP fundamentals should give you a clearer understanding of the overall scope of the framework and what is required.
Do keep in mind that it is an involved process that is constantly being adapted to the changing cyber environment. At RSI Security we live and breath cybersecurity. Book a free consultation to become NERC-CIP compliant today!