How to manage risks and follow North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection (CIP) standards.
When the lights – and computers – go out, everyone knows why electric power and utilities are ranked as one of the most critical industries in the world. Yet the challenges to this industry are monumental and extend throughout the power grid, from bulk generation and transmission to distribution.
In the physical domain, deteriorating infrastructure and outdated legacy technologies, severe weather exacerbated by climate change, workforce transformations, and the exponentially growing “grid edge” of electric vehicles and smart houses are only part of the issues utilities must confront. The virtual world demands fully integrated digital enterprises using advanced information and communication technologies that operate seamlessly and are capable of analyzing and processing real-time “big data'' within seconds.
The digital age that enables the functionality of utility companies and interoperability of regional entities also brings with it the greatest perils. Cybercrime threatens not only distribution lines, but also bulk energy generation and transmission. Not only do outages impact neighborhoods and local businesses, but wide-scale disruption in commerce, transportation, healthcare and communications endangers the economic and political stability of entire regions and countries.
We witnessed the cyberattack on Ukraine in 2015, and in 2019 experienced our own attack in the Western US, when unidentified hackers caused recurrent operator loss of visibility with a basic denial-of-service attack that exploited firewall vulnerabilities. But our limited successes in thwarting attempts have not abated the rising frequency of threats or range of “bad actors.” State-sponsored criminals, terrorists and hackers motivated by personal gain all have similar goals of data theft, power disruption or destruction of equipment.
The role of NERC and CIP standards
None of these threats are being ignored. After a massive blackout in 2003 caused 50 million people to lose power in the US and Canada, the US Congress established the North American Electric Reliability Corporation (NERC) in cooperation with Canada’s provincial government authorities. With the mission of ensuring the adequacy and reliability of electric power, NERC was charged with developing standards for the North American Bulk-Electric System (BES) and in 2008 was granted the authority to monitor and enforce compliance.
Over 10 years, NERC established a series of Critical Infrastructure Protections (CIP) focused on capabilities, performance and risk management. These requirements address the myriad challenges faced by registered electric power and utility companies, from facilities design and maintenance, to communications and personnel performance.
Bulk energy and utility companies are obligated to comply with CIP standards requirements or face substantial penalties, up to $1 million per day, for violations. Non-compliance issues include lack of proper documentation or insufficient evidence of compliance, nonconforming policies or procedures, and disclosure of sensitive information. Utilities are differentiated as low, moderate, high and severe risk, or “violation severity levels.” Low-impact entities are allowed to self-report incidents of non-compliance, while high-impact entities are subject to regular audits.
Notably, many CIP requirements aim to mitigate cybersecurity risks, highlighting the critical dimensions of this threat environment. CIPs address issues such as Cyber Security Personnel and Training (CIP-004), Cyber Security Electronic Security Perimeters (CIP-005), Cyber Security System Security Management (CIP-007), and Cyber Security Configuration Change Management and Vulnerability Assessments (CIP-010).
Today’s cyber challenges
To circumvent rigorous security measures established by power companies and utilities, saboteurs target vendors with less secure manufacturing and development practices. Third-party vulnerabilities expose clients to risks with cyber weapons such as infectious malware on “watering hole” vendor websites, counterfeit components and malicious microchips.
As the number of cyberattacks targeting supply chains and third parties increased, NERC responded by issuing a new CIP standard for cybersecurity in 2020, specifying third-party risk management requirements. CIP-013, Cyber Security Supply Chain Management (C-SCRM in standards terminology), focuses on supply chain processes and risk management planning, implementation and documentation, particularly for evidence retention in cases of non-compliance.
CIP-013 purpose is stated: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems."
For energy organizations to comply with requirements, they must develop a comprehensive plan that identifies and analyzes risks of vendor communication and products, document that plan and demonstrate implementation with reviews every 15 months. NERC’s compliance guidance outlines six areas of vendor security criteria:
- Recognition of cyber security incidents
- Coordination of responses to cyber security incidents
- Notification of personnel changes that impact remote access
- Identification of product or service vulnerability
- Verification of software and patch integrity and authenticity
- Coordination of controls for remote access
While this guidance is exhaustive, NERC does not specify how to document or implement compliance and audits can vary according to the risk management plans each company presents.
Vendor risk management is key to compliance
Compliance will entail increased attention to vendor and third-party processes and risks, and necessitate thorough vetting of their strengths and potential security vulnerabilities. Action plans must start with an audit of multiple layers of entire third-party supply chains, with analyses of access points and vendor threat risks. Policies and procedures, technical documentation, histories and correspondence all need to be investigated. This process requires automated data gathering and processing systems on par with that of other high-security risk industries like financial institutions.
Companies should review vendor contracts for alignment with CIP-013 requirements and install technical controls for monitoring software and hardware integrity and authenticity. Internally, personnel training is essential, as all operational and business areas must coordinate implementation, with authority, responsibility and accountability clearly defined.
Bulk energy organizations recognize the need for resilience to protect against escalating attacks through their supply chain and that CIP-013 will limit their exposure. While public wellbeing and safety are always top priority, third-party breaches are also the most expensive for companies when they cause significant downtime and disruption, and require substantial funds to remedy the situation.
For energy companies, CIP-013 also means increasing risk management efforts while maintaining operations.
Learn how to address vendor risk management requirements with SAI360.
SAI360 Placed Leader in 2021 Gartner Magic Quadrant for IT Risk Management.