By Dave Cullen, Field CTO
Today’s ongoing cyberattacks worldwide make grid security top-of-mind for governments and cybersecurity stakeholders alike. New and stricter cybersecurity legislation is already working its way through the U.S. Congress, and the European Union is tightening its own defenses against cyberthreats.
From grid decentralization to localized microgrids feeding rapidly shifting loads, maintaining production and infrastructure while meeting evolving cybersecurity regulations is already a considerable challenge for utilities. Now, energy and utility companies are scrambling to ensure that their OT networks reduce the risk posed by potential state-sponsored cyber threats. This heightened attention shines new light on NERC CIP – the North American Electric Reliability Corporation Critical Infrastructure Protection regulatory framework.
In this post, we’ll take a closer look at NERC CIP, discuss why the framework is especially relevant in today’s turbulent cyber climate and see how companies can simplify their compliance with it.
First launched in 2007, NERC CIP is a pioneering set of requirements designed to secure the North American power grid by tightly regulating the Bulk Electric System’s (BES) operations. The BES is the part of the electrical grid that does the heavy lifting: electrical generation resources, transmission lines, interconnections, and equipment that operate at voltages of 100 kV or higher.
NERC CIP was conceived to provide a comprehensive regulatory framework for protection against cybersecurity attacks on BES utilities. NERC CIP requirements cover the security of electronic perimeters and the protection of critical cyber assets, as well as personnel and training, security management, and disaster recovery planning.
NERC CIP has teeth. Penalties for non-compliance are incredibly steep – literally up to $1 million per violation per day. In January 2019, NERC levied a $10 million fine against an unspecified company for 127 separate NERC CIP violations. In addition to fines, the framework stipulates sanctions and other harsh regulatory actions against BES providers. This means that compliance is an essential part of BES operations.
Despite this, compliance with NERC CIP is anything but simple. The primary reason? The framework is outdated. It was created decades before the technology that is driving most of today’s cyber threats existed. Most notably, increased IT/OT convergence, and the massive expansion of connected devices, make it hard for utilities to even be sure which assets are considered part of the BES under the regulations. This makes NERC CIP compliance highly complex and seemingly subjective. It also dramatically raises regulatory liability stakes for BES players across the continent.
Protecting today’s complex, multi-vendor, multi-generation IT/IoT/OT BES environments requires a rethinking of the way BES stakeholders approach cybersecurity. Compliance with NERC CIP does not necessarily guarantee that effective security design and posture are in place.
A better approach to NERC CIP compliance is to let compliance flow from security, not hope that security flows from compliance. This means that BES players need to start by adopting a risk-informed approach to mitigating cyber risk. They need to focus on building a security program that is aware of both contextual risks and the gaps that regulations don’t cover.
To make this happen, the first step is to identify assets and discover risks without impacting operational continuity, while also considering the increasing interconnectivity of IT and OT networks.
Once assets at risk are identified, the next step is giving security teams a clear picture of exactly what they need to do if they are breached. This requires the creation of automated mitigation playbooks: simple, step-by-step remediation guidelines that help operational teams manage threats efficiently while leveraging existing security controls.
Finally, mitigation and remediation need to be supplemented with automated compliance and security reports that can be presented to senior-level personnel and technical clients, as well as to regulators and auditors, including NERC CIP auditors. These reports need to assess risk by asset, assign compliance and security scores, and offer recommendations for continuous improvement.
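The three steps above (scope the inventory, derive a playbook per asset, roll the findings up into a scored report) can be made concrete with a small assessment script. The following is an added example written for this post; it is not OTORIO's product code and does not reproduce any NERC CIP requirement text. The only value taken from the post is the 100 kV threshold for BES equipment. The four risk factors, their weights, the remediation wording and the sample inventory are all constructed assumptions chosen to illustrate the approach, not an audit checklist.

```python
from dataclasses import dataclass
from statistics import mean

# From the post: BES equipment operates at 100 kV or higher.
BES_MIN_KV = 100


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # device role, e.g. "protective relay", "HMI"
    voltage_kv: int      # operating voltage of the equipment this asset controls
    it_routable: bool    # reachable over a routable path from the corporate IT network
    remote_access: bool  # interactive remote / vendor access is enabled
    patched: bool        # security patches applied within the current review cycle
    logging: bool        # security event logs are forwarded to central monitoring


# Constructed risk factors: (attribute, value that raises risk, weight, remediation step).
# Weights are illustrative assumptions for this example, not values from NERC CIP.
RISK_FACTORS = (
    ("it_routable", True, 35,
     "Place the asset behind the electronic security perimeter; allow only the protocols IT actually needs"),
    ("remote_access", True, 25,
     "Route remote access through a monitored jump host with MFA; disable unused vendor accounts"),
    ("patched", False, 25,
     "Apply pending security patches in the next maintenance window or document the compensating control"),
    ("logging", False, 15,
     "Forward security event logs to central monitoring so incidents can be detected and reported"),
)


def in_bes_scope(asset: Asset) -> bool:
    """Step 1: scope decision using the voltage threshold the post gives for BES equipment."""
    return asset.voltage_kv >= BES_MIN_KV


def triggered_factors(asset: Asset) -> list:
    """Risk factors whose risky value matches this asset's current state."""
    return [f for f in RISK_FACTORS if getattr(asset, f[0]) == f[1]]


def risk_score(asset: Asset) -> int:
    """0 (no findings) up to 100 (every constructed factor triggered)."""
    return sum(f[2] for f in triggered_factors(asset))


def playbook(asset: Asset) -> list:
    """Step 2: ordered remediation steps for one asset, highest-weight finding first."""
    return [f[3] for f in sorted(triggered_factors(asset), key=lambda f: -f[2])]


def compliance_report(assets) -> dict:
    """Step 3: per-asset risk, an overall score, and out-of-scope assets listed for the auditor."""
    in_scope = [a for a in assets if in_bes_scope(a)]
    out_of_scope = [a.name for a in assets if not in_bes_scope(a)]
    rows = [{"asset": a.name, "kind": a.kind, "risk": risk_score(a), "actions": playbook(a)}
            for a in in_scope]
    # Overall score: 100 minus the mean in-scope risk (100 when nothing is in scope).
    score = round(100 - mean(r["risk"] for r in rows)) if rows else 100
    return {
        "compliance_score": score,
        "assets": sorted(rows, key=lambda r: -r["risk"]),
        "out_of_scope": out_of_scope,
    }


# Constructed sample inventory (not real equipment or a real site).
SAMPLE_INVENTORY = (
    Asset("relay-345-01", "protective relay", 345, it_routable=False, remote_access=False, patched=True, logging=True),
    Asset("hmi-sub-a", "HMI", 138, it_routable=True, remote_access=True, patched=False, logging=True),
    Asset("rtu-sub-a", "RTU", 138, it_routable=False, remote_access=True, patched=False, logging=False),
    Asset("meter-dist-7", "distribution meter", 12, it_routable=True, remote_access=False, patched=False, logging=False),
)

if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY)
    print(f"compliance score: {report['compliance_score']}")
    for row in report["assets"]:
        print(f"{row['asset']:14} risk={row['risk']:3}")
        for step in row["actions"]:
            print("   -", step)
    print("out of BES scope:", ", ".join(report["out_of_scope"]))
```

Running it on the sample inventory scores the HMI highest because it is both reachable from IT and remotely accessible, puts the 12 kV meter outside BES scope even though it is the worst-configured device, and produces a 50/100 overall score. The point of the structure is that the scope decision, the per-asset playbook and the report all come from the same inventory record, so a newly added device is scored the moment it appears in the inventory rather than at the next audit.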
OTORIO helps BES stakeholders comply with NERC CIP using rapid and automated compliance assessments, as well as ongoing monitoring for continuous NERC CIP compliance, especially as new equipment is introduced into BES networks. We offer:
Contact us to see how OTORIO’s OT security solutions can help with your NERC CIP compliance.