Utilities Under Pressure: NERC CIP Enforcement Gets Serious about Cyber Assets Compliance
- May 17, 2017 5:15 pm GMT
As of April 2017, utility and power companies must have their medium and high impact systems in compliance with new Critical Infrastructure Protection (CIP) security standards from industry regulator the North American Electric Reliability Corporation (NERC). Utilities will need to be simultaneously iron-fisted on security controls and hyper-focused on compliance procedures in order to meet the stricter regulations and enforcement deadlines.
The risks related to non-compliance are high and violations could result in significant penalties for each cyber incident. Notable 2016 settlements of $1.1 million and $1.7 million with individual non-compliant companies indicate that NERC enforcement is intensifying.
Regulating Transient Cyber Assets
The latest enforcement deadline applies to the new CIP-010-2 R4 requirement regarding “transient cyber assets and removable media” (guideline attachment for R4 TCA requirement begins on page 27 of the CIP-010-2 document). Transient Cyber Assets (TCA) include mobile devices such as laptops and USB drives. These devices are not a permanent part of the systems they connect to and are used for transitory purposes, including data transfer, testing, and maintenance.
To comply with the new requirements, impacted companies will need to put these assets under rigorous controls. Responsible entities (utility companies) must be able to show documented plans and evidence of their implementation. Moreover, the requirements cover TCAs managed by parties other than the responsible entity. TCAs must be authorized for ongoing use and for on-demand (new or temporary use) before being connected (Ethernet, wireless, Bluetooth, etc.) to a BES Cyber System. Authorization must be limited to necessary business functions and include approved users, locations, and uses.
TCA Controls Are Work-Intensive
Controls must be in place to mitigate vulnerabilities from unpatched software on the TCAs and removable media, including system hardening, patch management, and read-only media. Further controls for malware mitigation are required, such as updating anti-virus signatures, and whitelisting approved applications. To reduce the risk of unauthorized access, responsible entities are required to restrict physical access to the devices, encrypt device data contents, and employ multi-factor authentication to gain access.
Finally, applicable controls must be reviewed regularly to ensure they are functioning as intended, and that patches and signatures are up-to-date. For audit purposes, compliance teams must keep records of device connection and disconnection, as well as who used the devices, where they were used, and for what purpose. Records of related patching, scanning, updating, and reviewing activities should also be maintained.
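The record-keeping and review duties described above are mechanical enough to check automatically. The following is an added example, not code from the article or from NERC: a small Python audit that compares a TCA connection log against an authorization register (approved users, locations, and uses), flags connections missing a disconnection record, and reports devices whose anti-virus signatures were stale at connection time or whose control review is overdue. All device names, log entries, and the 7-day signature and 35-day review thresholds are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an authorization register for
# two TCAs and a connection log in the form a compliance team might keep.
AUTHORIZATIONS = {
    "TCA-01": {"users": {"jdoe"}, "locations": {"Substation A"}, "uses": {"maintenance"}},
    "TCA-02": {"users": {"mlee"}, "locations": {"Control Center"}, "uses": {"testing"}},
}
DEVICE_STATE = {
    "TCA-01": {"av_signatures": date(2017, 4, 10), "last_review": date(2017, 3, 1)},
    "TCA-02": {"av_signatures": date(2017, 4, 14), "last_review": date(2017, 4, 1)},
}
CONNECTION_LOG = [
    {"tca": "TCA-01", "user": "jdoe", "location": "Substation A", "use": "maintenance",
     "connected": date(2017, 4, 15), "disconnected": date(2017, 4, 15)},
    {"tca": "TCA-01", "user": "asmith", "location": "Substation A", "use": "maintenance",
     "connected": date(2017, 4, 16), "disconnected": None},
    {"tca": "TCA-02", "user": "mlee", "location": "Substation B", "use": "data transfer",
     "connected": date(2017, 4, 16), "disconnected": date(2017, 4, 16)},
]

MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed internal policy threshold
MAX_REVIEW_AGE = timedelta(days=35)     # assumed internal policy threshold


def review_connections(log, auth, state, today):
    """Return (tca, finding) tuples that an auditor would expect explained."""
    findings = []
    for e in log:
        a = auth.get(e["tca"])
        if a is None:
            findings.append((e["tca"], "no authorization record"))
            continue
        # Authorization must name the approved users, locations, and uses.
        for field in ("user", "location", "use"):
            if e[field] not in a[field + "s"]:
                findings.append((e["tca"], f"unapproved {field}: {e[field]}"))
        # Every connection needs a matching disconnection record.
        if e["disconnected"] is None:
            findings.append((e["tca"], "connection has no disconnection record"))
        # Signatures must have been current when the device was connected.
        if e["connected"] - state[e["tca"]]["av_signatures"] > MAX_SIGNATURE_AGE:
            findings.append((e["tca"], "anti-virus signatures stale at connection time"))
    # Controls must be reviewed on a regular cadence regardless of use.
    for tca, s in state.items():
        if today - s["last_review"] > MAX_REVIEW_AGE:
            findings.append((tca, "control review overdue"))
    return findings


def run_sample():
    """Audit the constructed data as of an assumed review date."""
    return review_connections(CONNECTION_LOG, AUTHORIZATIONS, DEVICE_STATE, date(2017, 4, 17))
```

Running it against the constructed data yields one unapproved user, one open connection, an unapproved location and use, and one overdue review.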
This NERC CIP mandate is expected to be part of an ongoing process, as guidelines are updated to reflect ever-changing risks. For example, in January 2016, the Federal Energy Regulatory Commission (FERC) directed NERC to modify standards related to TCA security; the modifications mandate protection for transient devices at Low Impact Cyber Systems (in addition to standards already in place for medium and high impact systems, as outlined above).
Malware Prevention is Critical
The stakes are high: national security, public safety, and human lives depend on reliable energy infrastructure. The point of these regulations is to protect critical infrastructure from espionage and terrorist attacks. It’s important that utilities find a way to manage compliance responsibilities so that they enhance security measures, not distract from them. As the connectivity of the grid and its components rapidly increases via IoT sensors, online communications, and industrial control systems (ICS), it becomes more vulnerable to being disrupted by malware and other intrusions. The TCA regulations, aimed directly at reducing malware risk, address only one aspect of utility security; there are many more regulations (from NERC and other organizations) to contend with.
Optimizing Security and Compliance Programs with GRC Solutions
It is imperative that utilities streamline and integrate their security and compliance activities. Compartmentalized, manual approaches (e.g., departmental spreadsheets for tracking and reporting) simply won’t suffice to keep facilities secure, and definitely won’t leave firms prepared for audits. Utilities should implement comprehensive governance, risk management, and compliance (GRC) solutions to help them systematize and automate security and compliance programs. Enterprise-wide, cloud-based GRC platforms provide a common framework to link security and compliance activities via process and policy. Data can be imported from multiple sources to create a central hub for records, dashboards, and documentation, increasing accountability and collaboration across the enterprise.
Within a comprehensive GRC solution, policies can be mapped to controls from a variety of regulatory frameworks, which are automatically updated when guidance changes. Workflow engines guide records through review and approval processes. Employee awareness of policies can be tracked and documented. Likewise, vendor assessments can be managed and documented via standardized, repeatable processes. Dependency mapping ties risks to key assets, so that mitigation and recovery plans can be analyzed and optimized.
Diligent use of a comprehensive GRC solution yields greater visibility across the enterprise: work in risk management and security reinforces related compliance activities, creating efficiencies and fresh insights. Audit preparation no longer needs to eat away at revenue and resources. Proactive, process-based management of the compliance lifecycle saves money and time, helps prevent negative incidents like breaches and penalties, and creates more resilient organizations.