Security threats against utilities have been a constant focus for bulk power systems (BPS) for decades. After a massive outage in August 14, 2003, 50 million people in the Northeastern United States (U.S.) and parts of Canada were left without power for most of the evening. The problem that federal authorities dealt with in the aftermath of the blackout was how to handle those responsible for the blackout. Since there was an absence of federal regulations related to a blackout of this magnitude and no federally mandated processes that BPS operators needed to follow, it was impossible to fine those responsible.
It was at this point, that the U.S. federal government set forth an initiative to protect the national power grid from internal negligence and even external cybersecurity threats. The result was for the Federal Energy Regulatory Commission (FERC) to put the North American Electric Reliability Corporation (NERC) on the task of developing required Reliability Standards for all BPS operators to follow to continue operating.
These Reliability Standards came at a crucial time in history as a 2015 report by Lloyd’s of London found that a major cyber-attack on the U.S. power grid could cost the country anywhere between $243 Billion and $1 Trillion dollars. When computer systems are not properly secured, it may lead to catastrophic problems, disclosure of sensitive information, and frauds.
Users with unauthorized access can easily exploit security vulnerabilities in a network if they are present. Therefore, threat and vulnerability management to secure critical infrastructure protection (CIP) is vital. Where some BPS operators get caught up is related to the time and resources that are required to plan processes that follow these specific NERC-CIP requirements. This article will give you a closer look at the specific threat and vulnerability management solutions and standards that NERC requires BPS operators to follow and provide you with the best plan for how to become compliant with NERC-CIP.
What is NERC?
Until January 1st, 2007, NERC was the North American Electric Reliability Council, not the North American Electric Reliability Corporation (for which it now is known as). Before this transition, the FERC certified NERC as the electric reliability organization for the United States on June 20th, 2006. NERC was also certified as the Electric Reliability Organization (ERO) for North America where FERC is the committee for oversight on their standards for North America and governmental authorities in Canada oversee their standards in that regional territory.
NERC is responsible for the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC focuses on working with a variety of governments, industries, and consumers to address the cybersecurity of the power grid. The efforts of the organization focus on compliance monitoring and regional audit observations that include risk elements, implementation guidance, and event mediation.
NERC-CIP Compliance
On March 15, 2007, FERC approved the first 83 NERC Reliability Standards which were effective less than 90 days after approval. These Reliability Standards were the first set of legally enforceable standards for U.S. BPS operators with additional NERC standards being good practice for BPS operators to implement as well. Their protocols and critical infrastructure protection standards (NERC-CIP), contain extensive cybersecurity requirements that BPS operators must adhere to. In addition to NERC-CIP, NERC requires that BPS operators implement a three-level alert system that informs the electric grid and recommends preventative actions to address imminent and non-imminent cyber threats and vulnerabilities. For a full overview of the current NERC-CIP reliability standards in the U.S., peruse the below table:
| Standard Number | Title | Effective Date of Standard | Phased-in Implementation Date (if applicable) |
| Critical Infrastructure Protection (CIP) Reliability Standards | |||
| CIP-002-5.1a | Cyber Security — BES Cyber System Categorization | 12/27/16 | |
| CIP-003-6 | Cyber Security — Security Management Controls | 7/1/16 | Detail |
| CIP-004-6 | Cyber Security — Personnel & Training | 7/1/16 | Detail |
| CIP-005-5 | Cyber Security — Electronic Security Perimeter(s) | 7/1/16 | |
| CIP-006-6 | Cyber Security — Physical Security of BES Cyber Systems | 7/1/16 | Detail |
| CIP-007-6 | Cyber Security — System Security Management | 7/1/16 | Detail |
| CIP-008-5 | Cyber Security — Incident Reporting and Response Planning | 7/1/16 | Detail |
| CIP-009-6 | Cyber Security — Recovery Plans for BES Cyber Systems | 7/1/16 | Detail |
| CIP-010-2 | Cyber Security — Configuration Change Management and Vulnerability Assessments | 7/1/16 | Detail |
| CIP-011-2 | Cyber Security — Information Protection | 7/1/16 | |
| CIP-014-2 | Physical Security | 10/2/15 | |
Another function of NERC is the submission of Notice of Penalty Spreadsheets (SNOPs) to those BPS operators that are in violation of the NERC-CIP standards. Recently, NERC has been cracking down on addressing past NERC-CIP violations. The number of moderate or severe NERC-CIP violations that featured prior noncompliance with similar conduct totaled 111 in 2016 and 48 in 2017. This decrease is positive to see, but it still needs considerable work see that the 2017 calendar year featured NERC filing 38 separate SNOPS that totaled a combined penalty of $1,310,500.
This is not to mention the $2.7 million settlement agreement was outlined in a Feb. 28 notice from NERC based on several noncompliance instances by an unidentified registered entity (URE). The settlement is due to noted security problems at the URE that resulted in sensitive information (including passwords and usernames) being publicly exposed on the internet for 70 days. This information could have aided hackers to obtain access to the grid and manipulate it however they pleased.
NERC required that the URE implement a new system for handling source code to prevent a recurrence of the problem and implement a secure process for vendors to securely transfer source code information for software development purposes. On top of this, all employees and vendors that work at or with the URE must take annual information security and privacy awareness training that help to prevent classified emails and attachments from being sent to outside email addresses. The URE may have been trying to save money by cutting corners on their vulnerability risk management processes, but their lack of security monitoring and NERC-CIP reliability standards compliance led to exponential cost increases that may take years to come back from.
NERC-CIP Threat/Vulnerability Management and Planning
Addressing vulnerability and risk concerns in your BPS network security entails following all NERC-CIP reliability standards to ensure that all potential threats have been remediated. This isn’t a task to put on the backburner. This is something that requires extensive planning and research to ascertain the specifics behind the nature of cybersecurity threats and vulnerabilities. Holding the mindset that your BPS network is safe without NERC-CIP compliance can cost you millions in fines from NERC and put the security of all U.S. utilities in jeopardy. Russian hackers claimed to have penetrated several U.S. utility control rooms last year but did not cause any blackouts via the hack. Although this report has not yet been confirmed, it’s still best to stray on the side of caution when it comes to tackling security vulnerabilities and managing cyber threats.
The process of achieving full NERC-CIP compliance requires BPS operators to undergo vulnerability assessments (VAs) every 15 months. BPS operators are also required to self-report the documentation of their findings in these VAs to NERC. These VAs must also cover all vulnerabilities that were identified in past assessments and detail an action plan for how the BPS operator will strengthen the functionality of their critical infrastructure moving forward to stay NERC-CIP compliant. Furthermore, VAs must also examine workstation firewalls, network device firmware configurations, system access controls, and user account management. Cyber asset inventories must also be considered with the BPS operator showcasing their cyber security solutions for mitigating vulnerabilities to highlight their ability to consistently reduce the risk of cyber-attacks when they are located.
CIP-005-5 – Electronic Security Perimeters
CIP-005-5 chronicles the measures that a BPS operator must follow to correctly document their vulnerability assessment. The VA must, per this reliability standard, “document the design and conduct of the assessment, including the Cyber Assets and networks included, the tools used, and the results of the assessment.” The BPS operator must document the flow of cyber assets through their critical infrastructure by detailing the routable connectivity across the Electronic Security Perimeter (ESP) into any Cyber Asset. An Electronic Access Point (EAP) must then control Cyber Asset traffic into and out of the ESP and the documentation verify that only the ports and services required for operations at the EAP are enabled.
Integral to CIP-005-5 compliance is also the verification by the BPS operator that default accounts, passwords, and network management community strings are controlled by valid processes and implemented with the appropriate configurations. Compliance with this reliability standard is done via lowering the organization’s password policy threshold. This would decrease the success probability of possible intrusion attempts. This protocol does increase security but could cause bottleneck problems if authorized users make too many typographical errors which could lead to frequent lockouts. Developing the proper framework for authorized users to follow for password distribution is essential to ensure that efficiency doesn’t decrease due to the added stress of increased password security. The entity must also ensure that their EAP to ESP connections are appropriately configured as NERC requires a cyber VA on these connections at least on an annual basis. The purpose of this risk assessment is to ensure that the entity’s systems can communicate safely and effectively with its EAP online and offline to ensure that rogue connections can be detected and blocked quickly.
CIP-008-5 Incident Reporting and Response Planning
CIP-008-5 deals with the reporting of incidents if they have become compromised or have led to the interference of one or more reliability standards. This reliability standard deals with the timely and detailed documentation of communications protocols that are necessary for normal operations, emergency operations, support, maintenance, and troubleshooting. These processes are implemented with the intent of ensuring that EAPs can function as a first level line of defense in stopping a cyber-attack if the ESP has been compromised. BPS operators should also have a Cyber Security Incident response plan in place that they periodically test via paper drill, tabletop, or full operational exercise. If a Cyber Security Incident has occurred, it should be reported with any lessons learned documented as soon after the incident as possible.
CIP-010-2 – Configuration Change Management and Vulnerability Assessments
The purpose of CIP-010-2 is to “prevent and detect unauthorized changes to BPS Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BPS Cyber Systems from compromise that could lead to misoperation or instability in the BPS.” This reliability standards assists entities in developing improved audit evidence production that may increase their operational process effectiveness if appropriately implemented. At least every 36 months, the entity must perform an active VA in a test or production environment where the test is performed in a manner that minimizes adverse effects.
Additionally, programs must be assessed to ascertain the organization’s overall implementation of its policies, plans, and procedures involving their vulnerability plans. Personnel risk assessment programs and personnel training program could be developed to satisfy this reliability standard. The focus of this standard is for the entity to establish a baseline of controls that allows for proper and timely execution of information security processes. Users with access to sensitive information must follow appropriate access controls with the BPS operator tasked with monitoring and logging all vulnerabilities and configuring patch management and incident response systems. This is to ensure that the utility has the applicable backup recovery protocols in place to support a possible breach of security.
Closing Thoughts
According to a recent Accenture survey, 74% of North American utility executives currently believe that cyber-attacks could possibly bring down an electric distribution grid in the U.S. in the next five years. Without the appropriate processes, procedures, and protocols to patch up and identify vulnerabilities and documenting plans for improvement, a BPS cyber system could be subject to a massive breach. Therefore, cybersecurity awareness and personnel training concerning BPS control systems are crucial to continued safety of the U.S. electric grid. Through focusing on NERC-CIP compliance, BPS operators can adequately configure the appropriate vulnerability and risk management plans that will allow them to beat hackers at the point of intrusion and create a safer environment for positive future sustainability.
