Increased security controls in process for the Critical Infrastructure Protection (CIP) standards
For many Bulk Power System owners and operators, there’s nothing funny about preparing for the April Fools’ Day 2016 deadline for North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) V5 requirements.
NERC, operating under the governance of the Federal Energy Regulatory Commission (FERC), defines and enforces CIP standards to protect the grid against cybersecurity-related threats. Grid providers should start early and allocate adequate resources to address updates to security management controls, training, network and physical systems, and information security as well as incident reporting, response, and recovery planning.
As cyber-attacks on our grid increase in frequency and sophistication, ranging from physical attacks on substations^1 to malware-based attacks aimed at industrial control systems^2, NERC CIP updates are a vital mitigating step. Additionally, more and more IP-facing systems are replacing antiquated operational technology that used to be sufficiently air-gapped from internet-facing threats. CIP V5 closes many of the security gaps around unauthorized access to those systems.
Layer in the massive growth projected in internet-connected grid devices, applications, users, and things that will stem from IoT innovation, and it’s clear CIP V3 was inadequate for addressing the new threats arising from a modern grid.
Version 5 Tackles Internal and Remote Access Vulnerabilities
One area where CIP V5’s stricter controls enhance grid security is Electronic Security Perimeters. Updates in V5 tackle internal and remote access vulnerabilities in three important areas:
- Increasing the asset coverage – avoiding pitfalls of the past such as misclassification of assets
- Adding stricter controls around remote access
- Delineating greater prescriptive measures to prove compliance
V5 expands on previous versions in that a risk-based approach to classifying assets is incorporated into the guidelines. This helps determine the appropriate assurance level assigned to any given system. As one would expect, the stakes have increased around Identity, Access, and Authorization for medium and high impact systems.
Assessing the potential loss associated with a system compromise in the context of grid reliability, in either economic or safety terms, is the key to determining the level of security needed. For CIP, it’s through this risk-based approach that assets are classified and security requirements are applied. Three key areas covering Bulk Electric Cyber Systems, which affect all medium and high-impact systems, include:
- Part 1.3: Requiring inbound and outbound access permissions, including the reason for granting access, and denying all other access by default
- Part 2.2: Requiring all Interactive Remote Access sessions to utilize encryption that terminates at an Intermediate System
- Part 2.3: Requiring multi-factor authentication for all Interactive Remote Access sessions
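How the three parts above could be checked against an access rule list and remote-access session records, as an added example that is not part of the original article or any NERC tooling. The record fields, factor names and sample data are constructed assumptions.

```python
# Constructed sample data; field names are assumptions, not a NERC or vendor schema.
RULES = [  # access rules at an Electronic Access Point, in evaluation order
    {"dir": "in", "src": "10.20.0.5", "dst": "10.50.1.10", "port": 22,
     "action": "permit", "reason": "vendor maintenance via jump host"},
    {"dir": "out", "src": "10.50.1.10", "dst": "10.20.0.9", "port": 514,
     "action": "permit", "reason": ""},
    {"dir": "in", "src": "any", "dst": "any", "port": "any",
     "action": "deny", "reason": "default deny"},
]
SESSIONS = [  # Interactive Remote Access session records
    {"user": "alice", "encryption_ends_at": "intermediate_system",
     "factors": ["certificate", "pin"]},
    {"user": "bob", "encryption_ends_at": "bes_cyber_system",
     "factors": ["password"]},
    {"user": "carol", "encryption_ends_at": "intermediate_system",
     "factors": ["password", "pin"]},
]
# Two secrets of the same kind are still one factor, so map each to its category.
FACTOR_CATEGORY = {"password": "know", "pin": "know", "certificate": "have",
                   "otp_token": "have", "fingerprint": "are"}

def is_default_deny(rule):
    return rule["action"] == "deny" and rule["src"] == rule["dst"] == rule["port"] == "any"

def audit_rules(rules):
    """Part 1.3: every permit carries a reason; each direction ends in deny-all."""
    findings = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r["dir"] == direction]
        if not chain or not is_default_deny(chain[-1]):
            findings.append(("1.3", direction, "no default deny as last rule"))
        for r in chain:
            if r["action"] == "permit" and not r["reason"].strip():
                findings.append(("1.3", direction, f"permit to port {r['port']} has no reason"))
    return findings

def audit_sessions(sessions):
    """Part 2.2: encryption ends at the Intermediate System; Part 2.3: real MFA."""
    findings = []
    for s in sessions:
        if s["encryption_ends_at"] != "intermediate_system":
            findings.append(("2.2", s["user"], "encryption does not end at Intermediate System"))
        categories = {FACTOR_CATEGORY[f] for f in s["factors"] if f in FACTOR_CATEGORY}
        if len(categories) < 2:
            findings.append(("2.3", s["user"], "fewer than two factor categories"))
    return findings

if __name__ == "__main__":
    for finding in audit_rules(RULES) + audit_sessions(SESSIONS):
        print(*finding, sep=" | ")
```

The sample flags the outbound direction twice (no reason, no default deny) and shows that a password plus a PIN does not count as multi-factor, while a certificate plus a PIN does.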
GlobalSign energy customers are already replacing single-factor, password-based authentication with multi-factor credentials including digital certificates based on Public Key Infrastructure (PKI). PKI technology is a viable approach for grid operators to sustain much-needed productivity and reliability with the enhanced security their critical operations require.
The Need for Reference Architectures
The National Cybersecurity Center of Excellence (NCCoE), managed by NIST, is addressing some of these very same Identity and Access Management (IdAM) use cases. One main focus of NCCoE is facilitating a public-private sector initiative to develop an IdAM reference architecture that shows energy system owners how they might address cybersecurity threats.
With frameworks and standards in abundance, NCCoE recognized a real need for a reference architecture that grid operators could use to improve their cybersecurity programs. Although the NIST Cyber Security Framework, an outcome of President Obama’s Executive Order around cybersecurity for critical infrastructure, provides an excellent methodology to assess cybersecurity programs, it doesn’t provide the much-needed real tactics one could use to address identity and access control in the context of a typical energy physical, IT, and OT environment. As stated by NCCoE, the Energy Sector use-case goal is as follows:
In order to protect power generation, transmission, and distribution, energy companies need to be able to control physical and logical access to resources.
They must be able to authenticate the individuals and systems to which they are giving access rights with a high degree of certainty.
Energy companies must be able to enforce access control policies consistently, uniformly, and in a timely way across all resources.
NCCoE is taking a practical approach by factoring in real end-user feedback, often from electric utility providers, at all critical stages of the requirements-gathering, design, and build phases. NCCoE is also heavily engaging with private sector vendors that serve the energy sector to make recommendations around commercial off-the-shelf products and services, as well as sharing cybersecurity industry best practices. And finally, a major component of the NCCoE IdAM for Energy initiative is producing a framework that incorporates standards governing the energy sector such as NERC CIP V3 and V5.
CIP V5 updates are needed to address an ever-increasing cyber threat, and grid providers must commit appropriate resources to address the substantial updates to the standard. I urge utilities to pay attention to NCCoE’s energy IdAM reference design, and benefit from industry-established solutions and best practices that can help address CIP V5 updates but, more importantly, improve grid security.
^1 On April 16, 2013 there was a sniper attack on electrical transformers owned and operated by PG&E Corporation, causing millions of dollars of damages.
^2 Duqu is a collection of malware related to the Stuxnet worm geared at attacking industrial control systems.