The electric utility industry depends on a very high level of security to operate effectively. As attackers multiply and grow more sophisticated, the electric utility industry must also evolve its cybersecurity defense capabilities. A recent survey of 140 North American electric utilities found that 88% of respondents expect cyberattacks to increase within the next 2 to 3 years. That figure is striking, and most likely distressing for those bulk power system (BPS) operators that have not yet gotten up to speed on patching their software vulnerabilities.
One figure that is also quite distressing is that only 46% of BPS operators that responded to a recent survey said that they regularly applied vendor-validated patches. With more than half of BPS operators not regularly applying patches, an open dialogue is needed about how to get the necessary information to those entities that are still lacking in patch management. This article aims to tackle the topic of patch management as it relates to North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Reliability Standard compliance. The remainder of this article covers the patch management process, its benefits, and best practices for implementation. The experts at RSI Security can provide further help through NERC CIP compliance analysis and certification services.
The North American Electric Reliability Corporation (NERC) is a nonprofit international regulatory authority that the Federal Energy Regulatory Commission (FERC) has authorized to safeguard the reliability of the North American BPS. NERC is responsible for the United States of America (U.S.A.), Canada and parts of Baja California in Mexico. BPS operators in these regions are required to meet NERC’s 101 mandatory Reliability Standards to continue operating safely within that territory. The NERC-CIP Reliability Standards are legally enforceable and focus on each entity protecting its cyber assets in a way that is transparent to the public (including stakeholders) and that provides the public with reasonable notice and opportunity to comment on the entity’s compliance efforts. These 11 Reliability Standards are detailed in the table below:
|Critical Infrastructure Protection (CIP)
|Cyber Security — BES Cyber System Categorization
|Cyber Security — Security Management Controls
|Cyber Security — Personnel & Training
|Cyber Security — Electronic Security Perimeter(s)
|Cyber Security — Physical Security of BES Cyber Systems
|CIP-007-6 (Patch Management)|Cyber Security — System Security Management
|Cyber Security — Incident Reporting and Response Planning
|Cyber Security — Recovery Plans for BES Cyber Systems
|Cyber Security — Configuration Change Management and Vulnerability Assessments
|Cyber Security — Information Protection
The energy and utilities industry requires a disciplined patch management approach that focuses on decreasing the threat of cyber vulnerability exploitation. Unfortunately, over 67% of systems administrators have reported trouble determining which patches need to be applied to which systems. NERC-CIP compliance requires BPS operators to know their patch sources and the tools that they use to monitor for new security patches. The documentation of the entity’s monitoring of these patch sources must cover the software, operating systems, and firmware used in its protected environment. This level of documentation is required by NERC-CIP to prevent a zero-day exploit that has the potential to damage the power grid for months and destroy the North American infrastructure and economy in one fell swoop. Thus, it is essential that entities pay close attention to NERC-CIP Reliability Standard CIP-007-6 if they are keen on following NERC-CIP patch management requirements.
The purpose of NERC-CIP Reliability Standard CIP-007-6 is to “manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.” CIP-007-6 became effective on April 1, 2016 and focuses on entities monitoring their networks for vulnerabilities and streamlining plans to tackle said vulnerabilities via a documented patch management process. This Reliability Standard’s focus on patch management is documented in section R2 which is then broken down into a few different sections. We will cover the specifics that this Reliability Standard entails in the below subheadings.
CIP-007-6 R2 requires that all BPS operators deploy a patch management process to monitor and address known security vulnerabilities in their software. This process should be implemented in a proactive way to fend off vulnerabilities that may be exploited in a malicious manner to gain control over the BPS operator’s cyber assets or system. Any standalone cyber system or one that can be accessed remotely must have a developed patch management process. This is to combat both intentional and unintentional exploitation of vulnerabilities via the introduction of malicious code on the entity’s infrastructure.
Requirement 2.1 requires entities to “have a patch management program that covers tracking, evaluating, and installing cyber security patches.” This requirement covers only patches that contain cybersecurity fixes. Tracking means that the entity sets up a system that notifies it when new cybersecurity patches become available for its cyber assets. These notifications and the implementation of patches must be documented and tracked to determine when the assessment timeframe clock begins. The BPS cyber systems that are associated with this requirement are as follows:
|BES Cyber Systems
|Electronic Access Control or Monitoring Systems (EACMS)|Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.
|Physical Access Control Systems (PACS)|Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.
|Protected Cyber Assets (PCA)|One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP.
Requirement 2.2 is all about documentation and adhering to a security patch evaluation timeline for applicability purposes. The BPS operator must determine the applicability of each patch in its infrastructure every 35 calendar days to ensure that patches are up-to-date and there are no redundancies in the network. When a patch is noted as non-applicable, the entity must document the reasons for that determination. For those patches that are noted as being applicable, the assessment must determine the risk involved with implementation and the urgency and timeframe for the remediation of the vulnerability. The entity must also define the process for vulnerability remediation as well as the steps that it must take to patch it.
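As an added illustration (not from the original article or from NERC), the following Python example audits a constructed patch-tracking log against the 35-calendar-day evaluation window and the documentation points described above. The record fields, the sample entries, and the choice to start the clock on the date a patch became available from its source are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

EVALUATION_WINDOW_DAYS = 35  # evaluation window stated in the article (R2.2)

@dataclass
class PatchRecord:
    patch_id: str                 # constructed identifiers, not real advisories
    asset: str
    source: str                   # approved patch source that announced it
    available: date               # assumption: the clock starts on this date
    evaluated: Optional[date] = None
    applicable: Optional[bool] = None
    rationale: str = ""           # expected when applicable is False
    remediation_due: Optional[date] = None  # expected when applicable is True

def audit(records, today):
    """Return (patch_id, finding) pairs for gaps in the evaluation evidence."""
    findings = []
    for r in records:
        # Days between availability and evaluation (or today if still open).
        elapsed = ((r.evaluated or today) - r.available).days
        if elapsed > EVALUATION_WINDOW_DAYS:
            state = "evaluated late" if r.evaluated else "evaluation overdue"
            findings.append((r.patch_id, f"{state} ({elapsed} days)"))
        if r.evaluated is None:
            continue  # nothing further to check until it is evaluated
        if r.applicable is False and not r.rationale.strip():
            findings.append((r.patch_id, "non-applicable without documented reason"))
        if r.applicable is True and r.remediation_due is None:
            findings.append((r.patch_id, "applicable without remediation timeframe"))
    return findings

# Constructed sample tracking log.
SAMPLE = [
    PatchRecord("PATCH-001", "hmi-01", "vendor-a-portal", date(2024, 1, 2),
                date(2024, 1, 20), True, remediation_due=date(2024, 2, 24)),
    PatchRecord("PATCH-002", "eacms-fw", "vendor-b-feed", date(2024, 1, 2)),
    PatchRecord("PATCH-003", "pacs-srv", "vendor-a-portal", date(2024, 1, 10),
                date(2024, 2, 20), False),
    PatchRecord("PATCH-004", "pca-hist", "vendor-c-list", date(2024, 2, 1),
                date(2024, 2, 10), True),
]

if __name__ == "__main__":
    for patch_id, finding in audit(SAMPLE, today=date(2024, 3, 1)):
        print(f"{patch_id}: {finding}")
```

Running the audit on a schedule shorter than the window leaves time to complete an evaluation before a record becomes a finding.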
Patch Management Process
Once an approved list of patches has been defined, the entity must have them installed via a change management process that meets NERC-CIP compliance standards. Once the patches have been approved, they must be rated according to their priority. NERC-CIP also requires that all BPS operators identify the approved sources that they use to monitor for new patches. But monitoring patch sources is just one of many steps that a BPS operator must accomplish. On top of this, it must also document evidence that shows it has performed this task. From there, the collected data must be normalized before validation against the approved cyber asset baselines. Lastly, a comprehensive assessment of the list of new patches must be run, including the criteria used to determine the significance of each patch and how it fends off vulnerabilities in the entity’s network environment.
Patch Management Benefits
The process of manually updating critical systems is cumbersome at best. A well-implemented patch management process allows a business to update every node in its network automatically. Patch management tools take the hassle out of patch deployment by automating the process altogether. This can provide the entity with a comprehensive overview of its network’s health, letting it know what its current liabilities are and how urgently it needs to patch them.
Systems that remain unpatched carry incredible risk, as they are the easiest attack vectors for criminals looking to gain network access. Hackers and security researchers are constantly discovering new vulnerabilities, and entities are constantly issuing patches to deal with them and close network entry points. When an entity is proactive about developing an ironclad patch management process, it is effectively ensuring that nothing slips through the cracks. Even if software on the entity’s network is used infrequently, it must still be checked for major security holes, because software the organization has forgotten about is typically among the first places that hackers look to exploit.
Patching vulnerabilities might be time consuming if done manually, but when the task is automated it can free up huge amounts of time for the organization, enough to allow energy IT staff to focus on more productive areas of the operation. With more focus being placed on developing distributed workforces that require remote access, the implementation of a patch management process can increase staff mobility while keeping network security high when staff are working remotely. Implementing patch management processes that can be updated remotely allows field agents to stay updated regardless of their current location.
When the BPS operator applies the appropriate security patches at optimal times, the risk of a serious security breach drops significantly. A reliable patch management process will ensure that employee system software stays current and free of issues that could hurt productivity and increase downtime. Deploying patches that contain new features or functionality allows an entity to extend its support to additional platforms, thus increasing productivity even more.
Patch Management Best Practices
NERC-CIP patch management processes must provide the same level of coverage and control for off-premise staff as they do for on-premise employees. In organizations where end users are in various off-premise locations at any given time, it’s essential that teams treat them as if they were sitting in the bullpen to avoid unanticipated breaches. The fact remains that 62% of organizations reported needing hours to detect new devices on their own network, and hours on top of that to remove any unauthorized devices. Hackers only need a minute to deploy malware, and taking more than a few minutes to identify the source of the intrusion and lock down a patch solution is much too long. Following the best practices below will keep a BPS operator on top of its patch management process:
|Develop an up-to-date inventory of all production systems, including OS types (and versions), IP addresses, physical location, custodian and function.
|Devise a plan for standardizing production operating systems to the same version of OS and application software.
|Make a list of all the security controls you have in place (routers, firewalls, IDSes, AV, etc.) as well as their configurations.
|Compare reported security vulnerabilities against your inventory/control list.
|Assess the vulnerability and likelihood of an attack in your environment. Consider the severity of the threat, the level of vulnerability, and the cost of mitigation and/or recovery.
|Deploy the patch without disrupting uptime or production.
Developing a systematic, accountable and documented process for timely patch deployment requires the entity to inventory all IT resources. Once inventoried, the entity will analyze each resource to determine which resources are used within the organization. This task should be done on a single-network level at first until a process for integrating multi-platform environments is developed. Once a multi-platform environment is ready, the entity’s teams can plan and schedule patch updates months in advance for nonstandard desktop systems, legacy devices and even devices with unusual configurations.
Creating an environment where new patch releases can be tested with other installed hardware and software prior to deployment will ensure that there are no surprises (i.e. downtime) when the patch goes live. This is where automated patch management software comes in handy. Automated patch management can streamline the entire patch management process by automating the delivery of updates through a centralized patch management server. This allows an entity’s network infrastructure to stay up-to-date while keeping end-user computers patched.
Patch management is a vital cybersecurity process, and it is even more important to the energy utility industry when you consider the implications of what may happen if a vulnerability were to be exploited. Maintaining a consistent and systematic patch management process is essential for BPS operators to reduce their attack surface and improve the overall security and productivity of their organization. Through implementing the appropriate patch management processes, an entity can stay on top of updates that allow it to safeguard its network infrastructure from a wide variety of cyber crimes and threats.