Going Beyond Compliance: Using NERC CIP v5 as a Catalyst for a Greater Security Strategy

Doug Wylie, CISSP

The North American electricity industry, including power generation and transmission is largely comprised of private organizations, yet it has shown itself to be one of the most progressive in its commitment to make measurable investments for proactive physical and cyber security. It has done so in the effort to ensure the integrity, safety and reliability of its critical assets and operations – those that both people and business have come to depend on each and every day.

Secured data transferThere are very good reasons why investments to better protect power generation and transmission are imperative.  In the energy sector alone, according to PwC[1], the average number of detected cybersecurity incidents jumped six times from 2013 to 2014. In addition, attacks attributed to foreign nation-states, such as the one in which Russian nationalists[2] are suspected of inserting advanced malware into the networks of critical infrastructure, more than doubled.

The electricity industry has a rich history of recognizing growing risks that emerge from expanding cyber threats. Now over a decade ago, in 2005, the Federal Energy Regulatory Commission (FERC) passed revisions to its definition of what comprises a bulk electric system (BES). In doing so, it provided “greater clarity, consistency and improved reliability by focusing on core facilities that are necessary for operating the interconnected transmission network.” This action helped cement government and industry’s recognition that the electricity sub-sector had already evolved to a highly interconnected system of systems.

In parallel to the expanded definition, FERC took an added step to grant the North American Electric Reliability Corporation (NERC) the authority to coordinate with BES industry partners to develop and issue the NERC Critical Infrastructure Protection Cyber Security Reliability Standards (NERC CIP), which has governed the industry since.

NERC CIP establishes base-level reliability standards for bulk electric power generation and transmission. But the proliferation of advanced, sophisticated and highly targeted cyber threats demonstrates that power organizations must be even more proactive with cybersecurity investments, rather than simply fulfilling and complying with the baseline requirements-checklists established by standards.

Instead, each organization serving the North American power grid, no matter the size, must learn to embrace NERC CIP as a starting point and catalyst for a deep culture shift; one that embraces cybersecurity as a part of a greater risk mitigation strategy, and is supported by those in the highest levels of governance.

The New Era of NERC CIP Standards
In November 2013, FERC approved the NERC Critical Infrastructure Protection (CIP) V5 standards, and the requirements for which owners and operators must conform to will become enforceable beginning in April 1, 2016. Version 5 represents the most material changes to accountability in the electricity sub-sector in more than 10 years, which is representative of both the changing threat landscape, and the recognition that it’s time to expand upon the progress already achieved in certain portions of the BES to more broadly mitigate cyber risks to the electric grid.

In addition, the NERC CIP V5 standards incorporate a significantly larger scope of the systems protected as compared to previous versions, and all facilities that meet the definition of BES will now be subject to comply with regulations. Because NERC CIP V5 reaches nearly every power generation facility, come April 2016, many private organizations will be held accountable to meet cybersecurity standards for the very first time.

Unlike most government regulations, industry regulations have many benefits, because they are often rooted in standards both authored and influenced by its very stakeholders.  Once in place, the regulations force organizations, under mandate, to make changes to align with and conform to the standards. In the case of NERC CIP, the V5 standards will require an even broader set of power entities to implement cybersecurity practices and controls to enhance reliability and protection of critical systems, or risk being fined $1 million per day per violation.

Despite NERC’s authority, and the good intentions of the NERC CIP standards, the unintended consequence of any regulation is that it can easily lead organizations into a ‘check-the-box’ mentality. In other words, regulation often drives leadership to commit to meeting only the bare minimums necessary for compliance, since this is the extent to which they are measured. This approach, however, is extremely counterproductive to the type of agility and flexibility needed to address today’s prolific cyber threats.

While fundamentally important, NERC CIP V5 does not and cannot cover every variable or minimize all vulnerabilities that can affect the security posture of BES.  Even with the comprehensive nature of Version 5, gaps still remain in technical and non-technical aspects of the standards that leave opportunities available for adversaries to exploit.

Some examples include, shortfalls in vetting the security of the supply chain; absence of baseline security requirements for products; grey areas in the skill level requirements for those tasked with assessing risks and conducting security penetration tests on products and systems; allowance for the ongoing use of legacy unsupported devices and unsecured (and insecurable) protocols in the control systems; leniency in authentication and access control requirements within an electronic security perimeter.

As such, owners, operators, board governors and even financial officers must begin to consider NERC CIP V5 compliance as a starting point for a greater risk management strategy that supports a more permanent path to safety and security.

Overcoming Inertia for Energy Industry Security
It is misguided to believe that standards compliance alone will absolutely result in good behavior or drive overall improvement in addressing risks to critical systems used throughout industry. Instead, standards should be interpreted as models and guides for industries and organizations to take action rather than sit idle to admire new and existing security challenges and threats.

That said, though, in the US, regulations are often viewed as a consequence or as simply the cost of doing business. As a result, many organizations only exert nominal effort, with little thought to the objective behind the regulation, so as to meet the bare minimum requirements for compliance. This ‘check-the-box’ mentality often has an adverse effect, stifling progress, and falsely assuming that compliance is the endgame – when it should be the beginning to larger strategy.

Threat actors are highly motivated to target US critical infrastructure. For reasons such as intellectual property theft, hacktivism to disrupt service, intent to invoke physical damage, financial extortion and fraudulent activity, and even espionage activities to establish military advantage — numerous incentives make critical infrastructure attractive targets for adversaries.

Power LinesWhile the US has yet to experience a major cyber attack against the power grid, a recent report[3] revealed the impact of such a catastrophe on the economy could reach as high as $1 trillion. As technology and connectivity are increasingly added to industrial control systems, cyber attacks will continue to become easier to initiate from anywhere in the world and attackers will find new ways through even the most calculated security controls.

Motivation Beyond Compliance
In addition to financial damages, significant reputational consequences, liability, injury and loss of life can result from a successful cyber attack on the energy sector – and the interconnectedness of systems in the power grid means the effects of attacks are no longer limited to the hacked facility. In fact, the electric grid is a partnership of utility companies that exchange power from all over the country and across national boarders. Because control systems in these facilities are now interconnected, it is realistic for an adversary to infiltrate one system and find ways to laterally move to obtain access to others systems.

Power facilities, in particular those with poor cybersecurity practices, remain most vulnerable to attack. A successful event would no doubt be newsworthy not just in the U.S. but across the globe – perhaps even more so than the corporate breaches at retail establishments like Target, Sony Pictures and Home Depot. An attack on critical infrastructure could be devastating to a company’s credibility and in turn, its reputation. Even if an event was localized and isolated, given the sheer size of some of the power producers and transmission firms, broader questions about the safety, reliability and integrity of rest of their assets would almost certainly surface.

However, the risk to power companies’ reputations are not the only problems for them to consider. While potential loss of life and financial loss are often the most significant motivators for deploying strong cybersecurity practices, they are constantly balanced against opportunity cost for maintaining production, streamlining processes and ultimately maximizing profitability.  Yes, safety training is a cultural norm and cost of business, almost uniformly required in power facilities to help protect operators and others in proximity of safety risks; however, unlike safety, cyber security training is far from such a current norm and rarely considered a typical cost of business.

Yet, a cybersecurity breach of a control system could absolutely put human life at risk if state-of-the-art technology were not in place or misconfigured, or if there wasn’t sufficient oversight in the design, installation, operation and maintenance aspects of a system that has in some cases well outlived its useful life.

Embracing a Culture of Continuous Improvement
With little question, facilities within the electricity sub-sector, as they adapt to NERC CIP V5 will be in a better position to meet their objectives of enhancing the reliability and resiliency and better protecting systems from cyber risks. But, that objective will continue to be constantly threatened by both unpatched and newly discovered vulnerabilities in systems and by adversaries wanting to exploit weaknesses that damage or disrupt operation of the overall facilities. While the situation is unlikely to ever change, if the energy industry shifts beyond just conformance, to one that encourages a true cybersecurity culture, most every facility would begin to see benefits measured in risk reduction, greater cost controls and increased profitability.

Without a culture that fosters security-maturity and vigilance that is combined with the application of best-practices and proven solutions like state-of-the-art cybersecurity technologies, threat actors will continue to find ways to circumvent controls and infiltrate system without potentially sounding off any alarms.  As shown in the past, adversaries might establish a position and stay inside a network for months to gather confidential information and critical communications. In addition, a lack of network visibility means a facility may not even know where the blind spots are in its network or how many assets it has, or those devices that are out of place.

Implementing an integrated security strategy that goes beyond compliance will help minimize the risk of disruption and damage while also reducing the potential for financial impact on the business enterprise.

 Doug Wylie is a 20-year veteran of the industrial control systems security industry, and currently serves as the vice president of product marketing and strategy at NexDefense. A longer version of this article is available at www.nexdefense.com/whitepapers.

[1] http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html

[2] http://thehill.com/policy/cybersecurity/223266-report-russian-hackers-infiltrate-us

[3] http://www.scribd.com/doc/270914376/Business-Blackout-Looyd-s-of-London-report-on-Cyber-Attack-on-U-S-Power-Grid

Comments are closed.