The energy and utility industries perform a crucial function in the national economy and national security of countries worldwide. When these industries’ critical industrial automation and control systems (IACS) fail, the impact has a cascading adverse effect on society and human life.
Imagine what would happen if a metropolitan city lost power. Traffic lights would stop working; building systems would stop functioning; emergency life-saving machines would start failing. Chaos would ensue, and lives would be at risk. We tend to underestimate how dependent we are on electricity and its effect on our daily lives. It is only in dire and unfortunate situations that we truly appreciate the value of electricity.
As the electric grid’s IACS become more cyber-enabled through the use of Internet Protocol (IP) enabled and Internet of Things (IoT) devices, the industry becomes increasingly exposed to severe threats. Malicious actors could exploit technology vulnerabilities and cause a malfunction or operational failure. That malfunction or failure may disturb or disrupt other critical functions, leading to a power plant or transmission line failure that unleashes cascading havoc on an entire region or nation. The first known cyberattack of this nature on a power grid was in 2015, and it caused about 230,000 customers in Ukraine to lose electricity for up to six hours. Cyberattacks on IACS have real physical consequences.
The severity of cyberattacks on the electric grid makes NERC CIP extremely vital for the interconnected power grid of the US, Canada, and the northern portion of Baja California, Mexico. The purpose of NERC CIP is to protect these North American nations’ interconnected electric grid from cyberattacks and increase its cyber resilience.
The evolution of NERC
NERC stands for the “North American Energy Reliability Corporation.” NERC is responsible, among other things, for establishing reliability standards that electric grid operators must adhere to. CIP stands for “Critical Infrastructure Protection.” “NERC CIP” is a set of standards that NERC developed for the North American Bulk Electric System (BES) to protect vital electric grid facilities from cyber threats.
Although NERC has existed since the 1960s, its initial name was “National Electric Reliability Council,” and it was responsible only for providers operating on US soil. With the advent of the internet and the realization of how dependent the electric grid had become on internet connectivity, the Energy Policy Act of 2005 mandated the Federal Energy Regulatory Commission (FERC) to select an Electric Reliability Organization. NERC was the most qualified organization to take charge.
Realizing that the US and Canada’s electric grids could not be separated, “National” was changed to “North American.” Interestingly, NERC also covers some parts of Mexico. Before 2005, the reliability standards issued by NERC were voluntary; under the new mandate, they became mandatory regulations.
In 2008, the CIP compliance framework was developed to mitigate cybersecurity attacks on the Bulk Electric System. These standards have far-reaching effects. In the EU, the Network and Information Systems (NIS) Security Directive mandates security requirements to protect critical infrastructures, such as the electric grid, from cybersecurity threats. A 2018 report from the EU Center of Energy states that: “The United States has favored a strategy of ‘security in depth’ with strict and detailed regulations in specific sectors, which are implemented by institutions possessing coercive powers. By contrast, the EU has adopted a more flexible and exhaustive approach covering a wide range of issues, leaving an important margin of maneuver for member states in the implementation of norms. Nevertheless, these approaches are potentially complementary in that the strengths of the American system can serve as a model to improve certain weaknesses in the European approach, and vice versa.”
What are the NERC CIP standards?
At the time of writing, the NERC CIP framework comprises 11 enforced reliability standards, with another five subject to enforcement in the future. These standards are mandated for energy and utility companies operating within the Bulk Electric System to reduce the risk of cyberattacks and manipulation by malicious actors attempting to cause damage. These standards are summarized as follows:
CIP-002-5.1a, Cyber Security – BES Cyber System Categorization
The purpose of the standard is “To identify and categorize BES Cyber Systems for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES.” The standard focuses on the identification and categorization of BES Cyber Systems as the foundation for applying “appropriate protection against compromises that could lead to misoperation or instability in the BES.” Knowing what systems an organization possesses is paramount to the success of cybersecurity programs. Otherwise, you may find yourself open to unexpected threats.
CIP-003-8, Cyber Security – Security Management Controls
The goal is “To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).” The objective is to create visibility into the security controls and steps taken to secure the organization’s assets identified in CIP-002 against cybersecurity threats.
CIP-004-6, Cyber Security – Personnel & Training
The purpose is “To minimize the risk against compromise … from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.” This standard aims at eliminating the human error factor by strengthening personnel training programs in cybersecurity.
CIP-005-5, Cyber Security – Electronic Security Perimeter(s)
This standard exists “To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise…” It aims to establish access management mechanisms that authenticate and authorize the access of people and devices to critical cyber assets, defining and enforcing both who may reach those assets and how much access they are granted.
CIP-006-6, Cyber Security – Physical Security of BES Cyber Systems
The goal of the standard is “To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise.” Physical security of BES Cyber Assets should be integrated and aligned with these assets’ cybersecurity to cater for the electric grid’s holistic protection.
CIP-007-6, Cyber Security – System Security Management
This standard aims to manage “system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise.” CIP-007 requires responsible entities to document all their activities to secure BES Cyber Assets, including the actions mandated by the frameworks mentioned above.
CIP-008-5, Cyber Security – Incident Reporting and Response Planning
The purpose of this standard is “To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.” This standard helps ensure that responsible entities have a concise and documented incident response plan in place to follow when a cyber incident occurs.
CIP-009-6, Cyber Security – Recovery Plans for BES Cyber Systems
The purpose of this framework is to ensure business continuity of the BES Cyber Systems “by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.” This standard helps responsible entities achieve resilience against cyber-attacks and ensure that business and operations remain uninterrupted during and after a cyber incident.
CIP-010-2, Cyber Security – Configuration Change Management and Vulnerability Assessments
CIP-010 helps protect BES Cyber Systems from compromise resulting from “unauthorized changes by specifying configuration change management and vulnerability assessment requirements.” This standard is closely tied to access controls and ensures that responsible entities have processes in place to detect and respond to unauthorized or unsupervised configuration changes. Such unwanted changes pose a significant security threat that can disrupt the reliable operation of BES Cyber Systems.
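The detection step described above, as an added example that is not from the original post, from NERC, or from ORIGNIX: it fingerprints constructed configuration items for a few hypothetical devices, compares them against a recorded baseline, and separates changes covered by an approved change record from those that are not. All device names, item names and the change-record identifier are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Set, Tuple

def sha256_hex(data: bytes) -> str:
    """Fingerprint used for each baseline item."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(configs: Dict[str, bytes]) -> Dict[str, str]:
    """Map each configuration item (device/element) to its fingerprint."""
    return {item: sha256_hex(content) for item, content in configs.items()}

def detect_changes(baseline: Dict[str, str], current: Dict[str, str],
                   authorized: Set[str]) -> Tuple[List[str], List[str]]:
    """Compare current fingerprints to the baseline.
    Returns (authorized_changes, unauthorized_changes); each entry reads
    'modified:<item>', 'added:<item>' or 'removed:<item>'. A change is
    authorized only if the item is named in an approved change record."""
    authorized_changes: List[str] = []
    unauthorized_changes: List[str] = []
    for item in sorted(set(baseline) | set(current)):
        if item not in current:
            kind = "removed"
        elif item not in baseline:
            kind = "added"
        elif baseline[item] != current[item]:
            kind = "modified"
        else:
            continue  # unchanged: nothing to report
        target = authorized_changes if item in authorized else unauthorized_changes
        target.append(f"{kind}:{item}")
    return authorized_changes, unauthorized_changes

# Constructed sample data: the approved baseline and a later snapshot.
BASELINE_CONFIGS = {
    "relay-01/firmware": b"fw 3.1",
    "relay-01/ports": b"ssh=on\nhttp=off",
    "rtu-07/ports": b"ssh=on",
}
CURRENT_CONFIGS = {
    "relay-01/firmware": b"fw 3.2",          # covered by change record CR-0042 (constructed)
    "relay-01/ports": b"ssh=on\nhttp=on",    # no change record: unauthorized
    "rtu-07/ports": b"ssh=on",               # unchanged
    "rtu-07/accounts": b"admin",             # new item with no change record
}
AUTHORIZED_ITEMS = {"relay-01/firmware"}  # items listed on approved record CR-0042

def run_example() -> Tuple[List[str], List[str]]:
    return detect_changes(build_baseline(BASELINE_CONFIGS),
                          build_baseline(CURRENT_CONFIGS), AUTHORIZED_ITEMS)
```

In a real program the baseline would be stored out-of-band and each unauthorized finding would open an investigation, while authorized findings would update the stored baseline once verified.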
CIP-011-2, Cyber Security – Information Protection
CIP-011 aims “to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements.” This standard dives a bit deeper into the protection of specific components and assets of BES responsible entities by defining controls, tactics, and endpoint solutions.
CIP-014-2, Physical Security
Physical security should be integrated with cybersecurity to provide holistic protection of BES Cyber Systems. The goal of CIP-014 is “To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading within an Interconnection.” As the electric grid functions as a hub between the physical and the digital worlds, providing robust physical protection is of the utmost importance to deter intruders and keep the grid online.
NERC CIP compliance
The proliferation of cutting-edge technology in BES facilities has created a more capable yet more complex environment. As a result, being compliant with the NERC CIP standards is a complicated exercise that requires in-depth knowledge and understanding of the framework.
Since the NERC CIP standards are comprehensive, covering every angle of BES security from physical security to personnel training and threat detection, every responsible entity should adopt a range of best practices and strategies to ensure compliance and protect the electric grid’s critical infrastructure.
Industrial Automation and Control System (IACS) visibility, vulnerability management, and threat detection are the cornerstones of NERC CIP compliance and of effective, robust IACS cybersecurity. Establishing these capabilities and automating the supporting processes makes CIP compliance and overall electric grid safety, reliability, and security easier to attain and maintain.
How ORIGNIX helps
ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We utilize well-established techniques and templates aligned with the ISA/IEC 62443 and ISA/IEC 61511 industry standards to identify potential gaps, hazards, vulnerabilities, and independent protection layers associated with engineered industrial processes at plant facilities. The identified cyber risks are prioritized based on realistic cost-benefit analysis.
To learn more about how ORIGNIX customers benefit, visit our website.
Authors’ note: This blog was co-authored by Saif Shariff and Anastasios Arampatzis.