Top 12 NERC CIP Compliance Considerations
Please note, this is Part 1 of 2 in the series dedicated to NERC CIP Compliance Considerations.
North American organizations that conduct business in the Energy sector are subject to strict compliance requirements of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards.
Non-compliance may result in penalties and sanctions (i.e. failed audits and non-compliance can trigger fines and sanctions up to $1M per incident per day).
As a member of NPCC and NERC under the merchant generator category, we understand the full spectrum of risks the energy industry is exposed to, and the requirements needed for an organization to mitigate those risks to ensure NERC CIP Compliance.
Having done 60+ power facility risk assessments globally (both in and out of NERC jurisdiction), we have come up with Top 12 NERC CIP compliance considerations and recommendations to help you meet your compliance goals.
Here’s an important thing to keep in mind: organizations seeking NERC CIP compliance must realize that meeting the compliance requirements is not a one-time achievement, but rather a process of continuous improvement. This means it is crucial to take this initiative as a journey rather than a destination.
“Failed audits and non-compliance can trigger fines and sanctions up to $1M per incident per day.”
Here are the top 12 NERC CIP compliance considerations:
1. Have BES (Bulk Electric System) Cyber Assets/Systems been categorized in accordance with impact-based approach (NERC CIP V5)?
Recommendation:
First off, asset owners must have a firm understanding of the impact level of their facility (Low, Medium or High).
Next, it is important to identify and categorize key BES Cyber Assets/Systems based on the determined impact level.
It is also imperative to know the NERC terminology and use it to filter out unnecessary (non-critical) Cyber Assets/Systems.
Believe it or not, we faced situations when facilities were unable to adequately filter out number of devices. It typically meant that there was no appropriate level of isolation between network segments.
2. Have Security Policies and Processes been put in place and regularly audited?
Recommendation:
Although this seems like an essential part of any organization nowadays, from our experience, the documentation is quite often in place, but may be lacking or has not been communicated and embedded into the operational framework at the facility.
In other words, it might be there, but not being used and definitely not being regularly reviewed.
Where a facility did not previously have a culture of security, it may be difficult to shift the mindset. A well-thought-out set of policies can help establish and maintain the appropriate guidelines and form the basis for awareness training.
Thus, it is important to not only have good security policies and processes, but to leverage those for new hires and reinforce regular communication around them.
3. Are employee/staff risk assessments, security awareness and training performed regularly?
Recommendation:
Believe it or not, you can only count on your technical controls to provide a certain level of security assurance.
One of the most fundamental defenses is to ensure a sufficient level of security awareness. As most security breaches happen as part of the “human factor”, ensuring staff is well trained an understand the risks associated with certain activity can help to significantly reduce risk to BES Cyber Assets/Systems.
The key here is to develop a program catered to the risks of running a power generation or transmission facility. Amongst other things, risks such as connecting internet to BES Cyber Assets/Systems, use of removable media and contractor access (remote and local) must be covered in depth.
“Ensuring staff is well trained an understand the risks associated with certain activity can help to significantly reduce risk to BES Cyber Assets/Systems”
4. Have Electronic Security Perimeters between lower-level security networks and ICS networks been defined and protected?
Recommendation:
Surprisingly, we have encountered a number of power generating and transmission facilities with flat networks.
In this case, if one device is compromised, the results can be disastrous. Developing and maintaining a network-level (and in many cases device-level) segregation is the key to this recommendation.
We won’t be wrong if we say that it is often hard to establish network security perimeters in existing (running) facilities, where there was a fairly flat network in place.
It typically means re-addressing devices based on type and purpose and establishing firewall rules to allow only necessary traffic between segments. In fact, it is exponentially easier to set this up when the facility is being commissioned.
Nonetheless, it is important to ensure this base level of control is well-thought-out, deployed and maintained using a least route, least privilege security model while avoiding dual-homed network cards (where a device simultaneously sits on 2 network segments with different security levels) at all costs.
In environments where there are especially sensitive networks, it is also common to use a data diode (a device which only allows traffic to flow in one direction) to protect a highly sensitive network from a lesser secure network while still allowing traffic to pass outbound (from high security level to lower level). This is typically used in highly sensitive environments such as nuclear plants or government defense network segments.
5. Has a Physical Security Plan of BES Cyber Assets/Systems been properly developed and maintained?
Recommendation:
When you think of a power generating or transmission facility, it is often assumed that physical security would be built into the facility.
Often overlooked, physical security can be a challenge depending on the type of facility and location.
For example, a wind farm spanning 2000 acres would be much more difficult to protect than a transmission asset sitting on 2 acres of land. Combine that with the often remote and isolated location of these facilities, and physical security is sometimes given a back seat.
Although strategically placed cameras, lighting and fencing can help to deter unauthorized trespassers, it is important to cover the fundamentals such as no-trespassing signs, and locking of gates/doors at all times.
Here’s the good news: visitor sign-in and badge systems are simple ones to implement and can be effective in building a security mindset.
By the way, here’s a great video highlighting some of the gaps in physical security which can be exploited where technical controls are difficult to bypass:
“Visitor sign-in and badge systems are simple ones to implement and can be effective in building a security mindset”
6. Do BES Cyber Assets/Systems have proper technical controls for security? (logging, malicious code, access)
Recommendation:
We won’t be wrong if we say that this can be a daunting task.
And here’s why:
It may involve the combination of new, old and multivendor products, some of which have limited functionality to log, or integrate with security products. In our experience, this is typical to industrial IT (or OT) equipment.
But wait, there’s more…
Combine this with longer than usual service life and critical roles, and you have created the perfect storm.
If, like many running facilities, this was not considered during commissioning, the good news is that there are options. The challenge is having the specialization to complete this work while ensuring there is no downtime (or if you are lucky and there is an upcoming facility outage, you may be able to take advantage of the time to perform the work).
This work typically involves integrating systems with specialized equipment such as serial access servers and secure access gateways coupled with minimizing the ability to connect with different network segments (hence recommendation #4 above coming before this step).
Once the access conduits have been minimized, access gateways can be installed which are integrated with the SIEM (Security Information and Event Management) or other log aggregation service to help with forensics. Security/access gateways also allow for integration with an identity management system and role-based access control.
Having worked on a number of risk assessments, we are aware that it can be difficult to identify applicable BES Cyber Assets rather than capturing all systems (both OT and non-OT). This can make it challenging to prioritize and can in some cases make it a daunting task to protect these systems.
At the same time, it is imperative to ensure an appropriate level of security for BES Cyber Assets/Systems when it comes to technical, physical and logical controls. Don’t forget the human factor (awareness training, staff risk assessments and documentation).
Thank you for reading Part 1 of 2 in the series dedicated to Top 12 NERC CIP Compliance Considerations.
Here are some of the sections that will be covered in Part 2 of the series:
- Incident Response and Reporting
- Disaster Recovery Plan
- Vulnerability Management
- Information classification and data handling
- Bonus
Stay tuned for the second part of the series!