Alignment of NERC CIP and ISO27001
image credit: © Adam121 | Dreamstime.com
- Apr 28, 2020 5:15 pm GMTApr 28, 2020 5:16 pm GMT
- 2350 views
This item is part of the Special Issue - 2020-04 - Cybersecurity, click here for more
The energy industry is a critical infrastructure that is core to our business operations, safety, comfort and general well-being. This has become most evident with recent disasters such as Super Storm Sandy as well as the current Covid-19 pandemic.
Unquestionably there is the need to ensure the supply of energy in a safe and highly reliable manner particularly when faced with both physical constraints such as downed wires and damaged infrastructure as well as personnel requirements under confinement and the order to work at home. These situations demonstrate not only our dependence on operational systems that are flexible, adaptable and resilient, but also the cyber assurance that is necessary from both from a user perspective and an asset sensor and control perspective.
The exponential use of asset technology at the grid edge and the widespread use of communications networks to transport data that is used for situational awareness and near-real-time operational control of these innovations bring both opportunities for greater detailed information, but also potentially exposes the enterprise to greater threat surfaces. Extending remote user access to this information also increases the need for a greater level of sophistication to assure compliance and operational integrity.
Great effort has been undertaken by NERC, NIST and others to secure this large-scale industrial control system. While many of the stipulated requirements under NERC CIP are primarily focused on bulk systems, the concepts, philosophies and practices are applicable to distribution systems and other assets. With the new sources of supply such as Distributed Energy Resources, the extension of many of the rules applied to bulk systems must now be adapted to a greater variety and diversity of assets.
In November 2019, NERC conducted its fifth biennial Grid Security Exercise (GridEx), a grid security and emergency response exercise. The exercise was structured as two days of distributed play and it provided an opportunity for stakeholders in the electricity industry to respond to simulated cyber and physical attacks that affected the reliable operation of the grid, fulfilling NERC’s mission to assure the reliability of the North American BPS. Led by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC), GridEx V was the largest geographically distributed grid security exercise to date. Among the key recommendations resulting from this exercise it the need for all parties including DOE, DOE, law enforcement and facility mangers to coordinate planning, response, and mitigation of risks. This has become even more acute with the large number of employees who are self-isolating and working from home.
While many of current standards within our industry focus on physical security measures, standards such as ISO27001 go well beyond implementing technical safeguard measures. It provides a framework for policy and protection to achieve business objectives for information security, establishes policies on control and expectations, allocates resources to enforce this and regularly reviews the efficacy of the plans.
Today the landscape of cyber risks span from the OT/IT to the entire enterprise.
Brian Smith, CISSP and Principal Cyber Security Consultant at EnerNex, has been working with a number of utility clients helping them examine and comply with NERC CIP requirements in areas including communications networks, automation systems, SCADA and teleprotection applications. Brian points out that “among some of the biggest challenge areas that have been seen in our industry stem from the fact the NERC CIP standards are impacting more and more groups within the utility and the need to have corresponding degrees of understanding of these standards at the working level. Two specific areas on the technology side where utility clients have been and still are facing challenges involve the evolution to IP based technology for internal and external communications at transmission substations and the increased use of virtualization technology.”
Brian states :“When it comes to IP communications related to transmission substations, the use of serial or non-routable solutions provided some degree of insulation in the past from the bulk of the NERC CIP requirements. Here, the focus of the effort often turned toward things such as documenting how legacy systems in substations were exempt (in v3) or that the minimal requirements applied (in v5) by the use of non-routable communications to the cyber assets covered by the NERC CIP standards. But this world is changing, and utilities are finding that as communications technologies evolve within their environments, things are not as straight forward as they once were. Without a common picture and end-to-end perspective, what might seem to be a simple change or evolution in the overall system may ultimately result in major compliance implications if certain thresholds are triggered inadvertently (for example, something becoming classified as external routable connectivity when a router configuration is changed). As this area often involves multiple IT and OT groups, a lack of a common understanding increases the likelihood that the impact of any system change to the utility's overall compliance obligation may go undetected until after the updated systems are placed into production potentially leading to an audit finding or self-report.”
Brian further indicates that, “For virtualization, this is an area where the current trends and practices in the IT world are not completely compatible with respects to NERC CIP compliance. For the most part, the NERC CIP standards are silent as far as how they apply to virtualization. For this reason, physical separation has become the norm when segregating NERC CIP Bulk Electric System Cyber Systems from non NERC CIP cyber systems. Using a single hardware platform and virtualization technology such as a Virtual LAN or hypervisor hosting Virtual Machines for both NERC CIP and Non-NERC CIP cyber assets puts a utility at risk. While NERC is working on updates to address virtualization, the process to produce the updated standards and gain FERC approval is not a quick one so it will take time before anything changes on that front. The NERC CIP standards have done a good job in getting the industry to address the structure and governance of security programs related to cyber assets that may impact the bulk electric system. The shortcoming is they are very focused on this area and don’t apply to any other areas of a utility environment such as distribution or advanced metering infrastructure.”
While NERC CIP is a foundational cyber guideline, many other industries have adopted the international standard ISO27001 as their framework for Information Security Management (ISIM).
John Verry, Chief Information Security Officer (CISO) for Pivot Point Security, has been a leader helping various industry client focus on ISO27001 compliance and certification and points out the value of following this framework for energy utilities.
“The net goal of any information security regulation, including NERC, is to ensure that information security risks are managed effectively. At its genesis (2003) the NERC CIP standards were focused on managing highly specific risks to Critical Cyber Assets. At the time, developing focused guidance was definitively the right approach. Leveraging a comprehensive framework like ISO 27002 at that time would have been akin to using an elephant gun on a mosquito hunt,” said Verry.
He continued: “However, I think the confluence of a number of recent trends make now a very good time for energy organizations to strongly consider leveraging ISO 27001 to simplify the operation of their Information Security & Privacy programs. These trends include:
- NERC CIP has increasingly grown in scope, especially post July 2020 when the five additional standards came into play, so ISO 27001 is now “rightsized” for most energy organizations.
- The energy industry and its supply chain has evolved notably. Increasingly, what were once isolated elements of the broader solution are now “connected,” and the cloud is increasingly a component of the overall solution. Energy is increasingly part of the Internet of Things, whether utilities want that or not. Comprehensive challenges need comprehensive, proven, approaches like ISO 27001.
- Many organizations in the energy supply chain have embraced ISO 27001 (e.g., smart meters, SaaS utility payment applications, solar companies, commercial lighting management systems, demand response, etc.). Leveraging ISO 27001, for a supply chain that is already leveraging ISO 27001, greatly simplifies supply chain risk management (CIP-013-1, which comes into effect July 2020).
- ISO 27001 has evolved to better address the unique attributes of the energy industry. In 2013, ISO released ISO 27019, which is energy and utility industry specific implementation guidance. It adds 9 new controls and tunes 22 existing controls to address specific energy challenges like securing SCADA communications, IT/OT segregation, and securing peripheral sites like substations. Addressing energy specific risks with an energy vocabulary simplifies its use notably.
- Privacy regulations like CCPA and GDPR are a growing challenge for energy organizations. ISO 27701, a certifiable extension to ISO 27001, provides an elegant solution to managing privacy and information security in a unified management system. It reduces complexity and operational overhead as it comprehensively reduces risk.”
John further indicates, “Leveraging a proven recipe like ISO 27001 provides a simplified approach to deal with the ever-growing array of regulations/standards/guidance that impact the energy industry (e.g., NERC, NCSF, CCPA, CA SB-327, NISTIR 7628, etc.). ISO 27001 certification gives key stakeholders a high level of confidence that you are managing information security and privacy risks in a manner consistent with best practice and relevant laws/regulations.”
To help visualize the relationship of NERC-CIP and the ISO 27001 family framework, the following graphic based on NIST’s Smart Grid Framework, shows how these standards align and complement each other:
NERC-CIP and ISO 27001/ISO27019 together can form a comprehensive cyber framework that helps insure the protection of the assets, the respective Generation, Transmission and Distribution Control centers, and the enterprise and interactions with third parties.
About the Authors
Ron Chebra, Vice President of Grid Modernization at EnerNex (http://www.enernex.com),has over 35 years of experience with communications networks, telemetry applications and energy related systems. He has a deep operating knowledge in technology solutions in areas such as Microgrids, Renewable Energy Integration, Smart Grid, Distribution Automation (DA), Advanced Metering Infrastructure (AMI) and Demand Response.
Brian Smith, CISSP, is a Principal Consultant with EnerNex (http://www.enernex.com), and has over 28 years of experience in the electric utility field with an extensive background in industrial control systems cyber security, NERC CIP compliance, utility communications, utility automation systems, integration, networking, Supervisory Control and Data Acquisition (SCADA), Energy Management Systems (EMS) and teleprotection applications.
John Verry, 27001 Lead Auditor, CISA, CTPRP, CRISC, is the CISO of Pivot Point Security (https://www.pivotpointsecurity.com) where he has delivered valued services to a variety of clients in the Energy industry. He and his team are leaders in ISO27001 certification/compliance and act as the Virtual Chief Information Security Officers (vCISO) for a select set of clients.