The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Question

What Cyber Security Frameworks are relevant to Energy Central members, and why?

Kathryn Wagner
Product Manager, Energy & Utilities Industry, AssurX

Professional Background: With over 25 years of experience integrating software, I am currently Product Manager, Energy & Utilities Industry, at AssurX. In my role I work closely with energy...

Oct 12, 2021

NERC CIP may be the obvious first answer, but it is not the only Cyber Security Framework that is relevant to Energy companies: NIST, ISO, CIS, CMMC, and many other acronyms frequently appear in cyber security conversations. These other frameworks can be used to further the robustness of security programs, but which ones are most beneficial?


Best Answer

NERC CIP only addresses the bulk power system, leaving a large portion of the electric grid without defined cybersecurity protection practices. It is also dauntingly complex and confusing, with some truly bad advice, i.e. the 15-minute rule to identify Cyber Assets. The NIST Cybersecurity Framework (CSF) Version 1.1 is more comprehensive, concise and effective than NERC CIP, with application across all critical infrastructure including electric, gas, water, transportation, healthcare and communications. My recommendation is to follow the NIST CSF V 1.1 with specific guidance provided by NIST SP 800-53, SP 800-160 and, for software supply chain protections, SP 800-161 (a/k/a NIST C-SCRM) combined with NTIA Software Bill of Materials (SBOM) for best practice.

Never trust software, always verify and report! (TM)

Nagendra Cherukupalli on Oct 13, 2021

'Dauntingly complex' - I agree with that. But compliance is something that is checked for to get acceptance. Not sure what your experience has been so far.

Appreciate your insights.  I learnt something from it as well.  

Kathryn Wagner on Oct 13, 2021

Richard, in your opinion, if a Utility were to strive to meet the various NIST references you mentioned, then they would be much more secure and yet also be NERC CIP compliant as a natural output from those security measures?

Richard Brooks on Oct 14, 2021

Kathryn,

Thanks for the question. The NERC CIP standards are designed with a compliance mindset as opposed to a "secure the ecosystem from attacks" mindset. The NIST CSF and other specific NIST guidance, i.e. SP 800-161, contain more specific instructions on what to address for "real cybersecurity". Here's an example showing this "compliance mindset" that permeates the NERC CIP standards, versus NIST guidance on the same security control.

NERC CIP-010-3 R1 Part 1.6 states:

"Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2, and 1.1.5, and when the method to do so is available to the Responsible Entity from the software source: 1.6.1. Verify the identity of the software source; and 1.6.2. Verify the integrity of the software obtained from the software source."

This language is an example of the "compliance mindset" that permeates the NERC CIP standards, one that enables a party to avoid being held accountable to standards 1.6.1 and 1.6.2 by claiming a vendor did not supply a means to perform the verification needed. That leaves plenty of wiggle room during an audit.

NIST provides software verification guidance with "real cybersecurity protections" as the prime objective, not compliance. Here is NIST's guidance regarding software verification, taken from SP 800-161-r1:

SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

This control applies to the federal agency and applicable supplier information systems and networks. The integrity of all applicable systems and networks should be systematically tested and verified to ensure that it remains as required so that the systems/components traversing through the supply chain are not impacted by unanticipated changes. The integrity of systems and components should also be tested and verified. Applicable verification tools include: digital signature or checksum verification, acceptance testing for physical components, confining software to limited privilege environments such as sandboxes, code execution in contained environments prior to use, and ensuring that if only binary or machine-executable code is available, it is obtained directly from the OEM or a verified supplier or distributor. Mechanisms for this control are discussed in detail in NIST SP 800-53 Rev. 5. This control applies to the federal agency and applicable supplier information systems and networks. When purchasing an ICT/OT product, an organization should perform due diligence to understand what a supplier's integrity assurance practices are. Organizations should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors.


The answer to your question is: Parties that want to implement "effective cybersecurity protections" will follow NIST guidance. Parties can comply with NERC CIP standards, but they may not have "effective cybersecurity protections" in place, like those provided by NIST, when they're finished. For an industry perspective on this topic I refer you to Tom O'Brien's Senate testimony, "PJM's Approach to Addressing Cybersecurity Threats to the Grid".
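The CIP-010-3 R1 Part 1.6.2 language and the SI-7 "digital signature or checksum verification" language quoted above describe the same control from two angles. As an added illustration (not part of Richard's reply, and not code from NERC, NIST or any vendor), here is what a fail-closed pre-change integrity check looks like in Python. The firmware bytes, file names, the `VENDOR_MANIFEST` dictionary and the `VerificationRecord` type are constructed stand-ins; a real deployment tool would obtain the vendor's published checksums (or a signature) from the software source over an authenticated channel, separately from the artifact itself. The point the example makes is the one the thread raises: when no published checksum exists, the tool refuses the change rather than treating "no means to verify" as permission to skip verification, and it keeps the values behind each decision as audit evidence.

```python
"""Added illustration of a fail-closed software integrity check before a
baseline change. All artifacts, names and checksums here are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed artifacts: the bytes the vendor shipped and a copy with one
# byte altered, standing in for a substituted or corrupted download.
GOOD_FIRMWARE = b"RELAYFW\x02\x03\x01" + bytes(range(256))
TAMPERED_FIRMWARE = GOOD_FIRMWARE[:-1] + b"\x00"   # last byte 0xff -> 0x00

# Constructed stand-in for the vendor-published checksum manifest. In practice
# it is obtained from the software source over an authenticated channel,
# separately from the artifact, so a substituted file cannot carry its own
# matching checksum. The hash is computed here only to build the sample.
VENDOR_MANIFEST: Dict[str, str] = {
    "relay-fw-2.3.1.bin": hashlib.sha256(GOOD_FIRMWARE).hexdigest(),
}


@dataclass(frozen=True)
class VerificationRecord:
    """One audit-evidence record for a single pre-change verification."""
    artifact: str
    outcome: str                  # "verified", "mismatch" or "no-published-checksum"
    computed_sha256: str
    expected_sha256: Optional[str]

    @property
    def approved(self) -> bool:
        # Only an exact match against a published value authorises the change.
        return self.outcome == "verified"

    def evidence_line(self) -> str:
        """Flat line suitable for the change record an auditor will ask for."""
        return (f"artifact={self.artifact} outcome={self.outcome} "
                f"sha256={self.computed_sha256} "
                f"expected={self.expected_sha256 or 'none'}")


def verify_before_change(artifact_name: str, content: bytes,
                         manifest: Dict[str, str]) -> VerificationRecord:
    """Integrity check a deployment tool runs before applying a baseline change.

    Returns a record rather than a bare bool so the decision and the values
    behind it are retained as evidence. If the vendor published no checksum
    for this artifact, the change is refused: "no means to verify" is treated
    as a failed verification, not as permission to skip it.
    """
    computed = hashlib.sha256(content).hexdigest()
    expected = manifest.get(artifact_name)
    if expected is None:
        return VerificationRecord(artifact_name, "no-published-checksum",
                                  computed, None)
    # Constant-time comparison; hex digests are normalised to lower case.
    if hmac.compare_digest(computed, expected.strip().lower()):
        return VerificationRecord(artifact_name, "verified", computed, expected)
    return VerificationRecord(artifact_name, "mismatch", computed, expected)


if __name__ == "__main__":
    checks = [
        ("relay-fw-2.3.1.bin", GOOD_FIRMWARE),      # genuine artifact
        ("relay-fw-2.3.1.bin", TAMPERED_FIRMWARE),  # altered in transit
        ("hmi-2.0.0.msi", GOOD_FIRMWARE),           # vendor published nothing
    ]
    for name, blob in checks:
        record = verify_before_change(name, blob, VENDOR_MANIFEST)
        print(record.evidence_line(), "->",
              "APPLY" if record.approved else "REFUSE")
```

Running the block prints one evidence line per check: the genuine artifact is approved, the altered copy is refused as a mismatch, and the artifact with no published checksum is refused as well. Verifying the identity of the source (Part 1.6.1) is a separate step not shown here; a checksum only proves the bytes match what was published, so the manifest must itself come from an authenticated source for the check to mean anything.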

Kathryn, you asked Richard "if a Utility were to strive to meet the various NIST references you mentioned, then they would be much more secure and yet also be NERC CIP compliant as a natural output from those security measures?"  Not necessarily but you are on the right track with your thinking. 

As a former "prosecuting attorney" for WECC litigating against entities that were in violation of the CIP standards, I saw both small and large registered entities seriously violate the standards and struggle with systemic violations of CIP standards. For example, I prosecuted two of the largest utilities in North America for major systemic CIP violations. Each of those entities had thrown millions of dollars at their compliance programs. There were other smaller registered entities with much less invested but much more robust CIP compliance programs that were often used as exemplars in the Western Interconnection. I no longer believe that CIP compliance effectiveness was a result of large budgets. One reason for failures was the gaps and silos within the company, where one part of the company was focusing on being compliant with CIP standards, another with NIST, another with SOX, etc. Each part of the company was doing its own thing, but as a whole the company ultimately failed to focus uniformly on the tasks leading to the main goal of all of these regulatory schemes: protection of physical assets, cyber assets, data, etc.

Very generally speaking, you should first continue to ask yourself what tasks need to be done when trying to identify and protect assets, detect and respond to threats, and recover cyber or physical assets or data. Second, focus on concepts like identifying and managing assets, understanding your business environment and key players within it, managing and monitoring the governance (regulatory regimes you're subject to), assessing risk, etc. Third, once you take those steps, you can better see where particular standards or protocols fit (e.g. CIP, NIST, CIS, COBIT, ISA, ISO, etc.). If you look past the naming conventions, acronyms, numbers, and legalese, you will see that each of these regulatory regimes gives you a task or objective that deals with identification, protection, detection, recovery, etc. Once you draft your policies and procedures with these tasks and objectives in mind instead of simply complying with a standard, you will be much more likely to be secure and also NERC CIP compliant (and SOX compliant, and NIST compliant, etc.) as a natural output of your planning and implementing.

Can you see how you have formed the foundation for real protection and compliance, and how this process, though more tedious up front, would be easier to maintain in the long run? How a program like this would take a more holistic look at compliance and protection from a company-wide view instead of piecemeal? How a compliance program with these foundations would be more dynamic, allowing you to meet future environmental and regulatory changes?

HERE IS A VALUABLE TOOL: NERC working groups already went through and compared the tasks and objectives inherent in NERC CIP, NIST, CIS CSC, COBIT, ISA, ISO and did a "direct line" comparison between them. They gave you a cheat sheet on how to build the foundation for your compliance program and still be compliant with the variety of regulatory regimes you are subject to. Look down at the bottom under "Technical Reference Documents", then the list under "Approved Technical Reference Documents", and then click on the Excel spreadsheet "Technical Reference Document: Assessing and Reducing Risk Tool." Once open, look at the tabs along the bottom and select "Cyber Security Framework". Find it here: https://www.nerc.com/comm/Pages/Reliability-and-Security-Guidelines.aspx

https://www.nist.gov/publications/guide-lte-security

Several utilities are interested and investing in private LTE systems as a foundation to their grid modernization strategy. In addition to being a robust guide to LTE security, it drives the point home of how building security from the ground up has clear advantages, as opposed to legacy systems that may pose a threat as a weak link.

If the request is related to projects inside the USA, NERC CIP would be my first choice. That is something that the US critical installations ask for, like military installations. There are many sites where info related to NERC CIP can be found. The one that I found interesting is:

https://www.ispartnersllc.com/blog/nerc-cip-consistent-compliance/


(Author: Anthony Jones)


Quoting here:

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a plan comprised of a set of requirements. The NERC CIP developed and designed a series of standards intended to protect any assets used to operate North America’s Bulk Electric System (BES). North America includes, for the purposes of NERC CIP, the United States, Canada and Mexico.


Key requirements... these are things to pay attention to (from the above source):

  • Program Development and Management
  • Compliance Audits and Assessments
  • Patch Management
  • Vulnerability Assessment and Management
  • Incident Reporting of Cybersecurity Events and Quick Response Planning
  • Mock Audits
  • On-the-Spot and Unplanned Audits
  • Asset Identification and Configuration Management
  • Reliability Standard Audit Worksheet Development
  • Systems Security Assessments and Management
  • Personnel Training
  • Policy, Process and Procedure Planning
  • Development, Documentation and Evidence Reporting
  • Security Information and Event Management
  • Recovery Planning
