The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Question

What Cyber Security Frameworks are relevant to Energy Central members, and why?

Kathryn Wagner, Product Manager, Energy & Utilities Industry, AssurX
Oct 12, 2021 10:10 am GMT

NERC CIP may be the obvious first answer, but it is not the only Cyber Security Framework that is relevant to Energy companies: NIST, ISO, CIS, CMMC, and many other acronyms frequently appear in cyber security conversations. These other frameworks can be used to further the robustness of security programs, but which ones are most beneficial?


Best Answer

NERC CIP only addresses the bulk power system, leaving a large portion of the electric grid without defined cybersecurity protection practices. It is also dauntingly complex and confusing, with some truly bad advice, i.e. the 15-minute rule to identify Cyber Assets. The NIST Cybersecurity Framework (CSF) Version 1.1 is more comprehensive, concise and effective than NERC CIP, with application across all critical infrastructure including electric, gas, water, transportation, healthcare and communications. My recommendation is to follow the NIST CSF V1.1 with specific guidance provided by NIST SP 800-53, SP 800-160 and, for software supply chain protections, SP 800-161 (a/k/a NIST C-SCRM), combined with the NTIA Software Bill of Materials (SBOM) for best practice.

Never trust software, always verify and report! (TM)

Nagendra Cherukupalli on Oct 13, 2021

'Dauntingly complex': I agree with that. But compliance is something that is checked for to get acceptance. Not sure what your experience has been so far.

Appreciate your insights. I learnt something from it as well.

Kathryn Wagner on Oct 13, 2021

Richard, in your opinion, if a Utility were to strive to meet the various NIST references you mentioned, would they then be much more secure and also be NERC CIP compliant as a natural output of those security measures?

Richard Brooks on Oct 14, 2021

Kathryn,

Thanks for the question. The NERC CIP standards are designed with a compliance mindset as opposed to a "secure the ecosystem from attacks" mindset. The NIST CSF and other specific NIST guidance, i.e. SP 800-161, contain more specific instructions on what to address for "real cybersecurity". Here's an example showing this "compliance mindset" that permeates the NERC CIP standards, versus NIST guidance on the same security control.

NERC CIP-010-3 R1 Part 1.6 states:

"Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2, and 1.1.5, and when the method to do so is available to the Responsible Entity from the software source:  1.6.1. Verify the identity of the software source; and 1.6.2. Verify the integrity of the software obtained from the software source."

This language is an example of the "compliance mindset" that permeates the NERC CIP standards: it enables a party to avoid being held accountable to requirements 1.6.1 and 1.6.2 by claiming a vendor did not supply a means to perform the verification needed. That leaves plenty of wiggle room during an audit.

NIST provides guidance to address software verification with "real cybersecurity protections" as the prime objective, not compliance. Here is NIST's guidance regarding software verification, taken from SP 800-161r1:

SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

"This control applies to the federal agency and applicable supplier information systems and networks. The integrity of all applicable systems and networks should be systematically tested and verified to ensure that it remains as required so that the systems/components traversing through the supply chain are not impacted by unanticipated changes. The integrity of systems and components should also be tested and verified. Applicable verification tools include: digital signature or checksum verification, acceptance testing for physical components, confining software to limited privilege environments such as sandboxes, code execution in contained environments prior to use, and ensuring that if only binary or machine-executable code is available, it is obtained directly from the OEM or a verified supplier or distributor. Mechanisms for this control are discussed in detail in NIST SP 800-53 Rev. 5. This control applies to the federal agency and applicable supplier information systems and networks. When purchasing an ICT/OT product, an organization should perform due diligence to understand what a supplier's integrity assurance practices are. Organizations should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors."

The answer to your question is: parties that want to implement "effective cybersecurity protections" will follow NIST guidance. Parties can comply with NERC CIP standards, but they may not have "effective cybersecurity protections" in place, like those provided by NIST, when they're finished. For an industry perspective on this topic I refer you to Tom O'Brien's Senate testimony, "PJM's Approach to Addressing Cybersecurity Threats to the Grid".
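As an added illustration (not code from this thread, from NERC or from NIST), the two postures contrasted above, modelled as a pre-change check on a downloaded software artifact: the CIP-010 R1 1.6 wording lets the integrity check lapse when the source supplies no verification method, while the SI-7 posture treats an unverifiable artifact as rejected. Source names and the sample payload are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list of vetted software sources (hypothetical host names).
TRUSTED_SOURCES = {"vendor-portal.example", "vendor-mirror.example"}


@dataclass
class SoftwareArtifact:
    name: str
    content: bytes
    source: str                      # host or channel the file was obtained from
    published_sha256: Optional[str]  # vendor-published digest, None if none supplied


def verify_source_identity(artifact: SoftwareArtifact) -> bool:
    """CIP-010 R1 1.6.1 / SI-7: the source must be a known, vetted supplier."""
    return artifact.source in TRUSTED_SOURCES


def verify_integrity(artifact: SoftwareArtifact, fail_closed: bool) -> bool:
    """CIP-010 R1 1.6.2 / SI-7: compare the file's SHA-256 with the published digest.

    fail_closed=False models the CIP wording: with no method available from the
    source, the requirement does not apply and the change proceeds.
    fail_closed=True models the SI-7 posture: an unverifiable artifact is rejected.
    """
    if artifact.published_sha256 is None:
        return not fail_closed
    actual = hashlib.sha256(artifact.content).hexdigest()
    # Constant-time comparison so a mismatch does not leak how much of it matched.
    return hmac.compare_digest(actual, artifact.published_sha256.lower())


def baseline_change_allowed(artifact: SoftwareArtifact, posture: str) -> bool:
    """Gate a baseline-configuration change on both checks under the chosen posture."""
    fail_closed = {"cip-minimum": False, "nist-si7": True}[posture]
    return verify_source_identity(artifact) and verify_integrity(artifact, fail_closed)


# Constructed sample artifacts covering the three cases the reply contrasts.
FIRMWARE = b"relay-firmware-v2.3.1 (constructed sample payload)"
GOOD = SoftwareArtifact("relay-fw", FIRMWARE, "vendor-portal.example",
                        hashlib.sha256(FIRMWARE).hexdigest())
TAMPERED = SoftwareArtifact("relay-fw", FIRMWARE + b"\x00", "vendor-portal.example",
                            GOOD.published_sha256)
NO_DIGEST = SoftwareArtifact("relay-fw", FIRMWARE, "vendor-portal.example", None)
```

Under "cip-minimum" the NO_DIGEST artifact is waved through because no method was available; under "nist-si7" it is refused until the vendor supplies a digest or signature.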

https://www.nist.gov/publications/guide-lte-security

Several utilities are interested in and investing in private LTE systems as a foundation for their grid modernization strategy. In addition to being a robust guide to LTE security, it drives home the point that building security in from the ground up has clear advantages, as opposed to legacy systems that may pose a threat as a weak link.

If the request is related to projects inside the USA, NERC CIP would be my first choice. That is something that US critical installations ask for, like military installations. There are many sites where info related to NERC CIP can be found. The one that I found interesting is:

https://www.ispartnersllc.com/blog/nerc-cip-consistent-compliance/

(Author: Anthony Jones)

Quoting here:

"The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a plan comprised of a set of requirements. The NERC CIP developed and designed a series of standards intended to protect any assets used to operate North America's Bulk Electric System (BES). North America includes, for the purposes of NERC CIP, the United States, Canada and Mexico."

Key requirements (from the above source); these are the things to pay attention to:

  • Program Development and Management
  • Compliance Audits and Assessments
  • Patch Management
  • Vulnerability Assessment and Management
  • Incident Reporting of Cybersecurity Events and Quick Response Planning
  • Mock Audits
  • On-the-Spot and Unplanned Audits
  • Asset Identification and Configuration Management
  • Reliability Standard Audit Worksheet Development
  • Systems Security Assessments and Management
  • Personnel Training
  • Policy, Process and Procedure Planning
  • Development, Documentation and Evidence Reporting
  • Security Information and Event Management
  • Recovery Planning
