Dark Reading is part of the Informa Tech Division of Informa PLC



By Tony Howlett, CISO, SecureLink
Sponsored Article

NERC Updates May Force Utility Companies into Better Cybersecurity

Once implemented, these upcoming regulations will ensure electrical utilities are safer from cyber threats, especially those brought in by third parties.

Breaches and incidents at utility and other energy-related companies have been rising faster than an electric bill in a Texas summer. In 2019, a power plant in Ukraine was attacked and the resulting problems left the area without power for about an hour. And in February 2020, a gas pipeline in the US was shut down for two days after a ransomware incident. According to a study by Allianz, 54% of critical infrastructure providers report attacks that attempted to take control of systems.

All signs point to attacks not abating anytime soon. These sites make great targets for ransomware groups looking for critical infrastructure that cannot afford to be down. They are also targeted by cyberterrorists and nation-state actors looking to create real-world mayhem out of digital efforts. One would think this would be a wake-up call for utilities to get serious about cybersecurity efforts. However, according to the "State of the Electric Utility 2020" report from Utility Dive, 37% of U.S. utility companies have not completely implemented their cybersecurity programs.

NERC Updates Are Coming 
Nothing lights a fire under a regulated industry faster than a regulation change that could bring fines or sanctions. Upcoming updates to the cybersecurity portions of North American Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) rules have many utilities and other covered companies scrambling to figure out the implications for their cybersecurity programs and to implement any necessary solutions. Sorting through the various elements of NERC regulations and rules can be confusing and frustrating; they are often highly technical in nature, and they use a lot of acronyms. It doesn't help that some of the terms they use are the same as IT terms, such as EAP and LEAP.

Understanding New Rules and Regulations
NERC is a nonprofit quasi-governmental agency that sets forth the standards for CIP. Much of this standard refers to non-cyber functions of the electric generation business, but given the incursion of automation technology and connectivity in most plants now, more elements are being added all the time to deal with cybersecurity, and this latest batch is no exception.

Having just gotten past the January 1, 2020, effective date of CIP 003-7 on Security Management Controls, companies now will have to make sure they are ready for the July rules. These changes focus on updates to the security perimeter requirements and change control, all while introducing a new category of controls, CIP 013-1, which covers supply chain risk. Here is an overview of the changed or added sections, with key takeaways on each.

CIP 005-6 Cybersecurity — Electronic Security Perimeter
This section defines fairly detailed rules for firewalls, DMZs, and network segmentation requirements for protected assets. Added requirements center around the implementation of CIP-005-6 parts R2.2.4 and R2.2.5, which stipulate that covered entities must have methods for determining how many active vendor remote access sessions they have at any given time and a way to disable these sessions.

Many general remote access solutions don't differentiate between internal and vendor sessions and don't allow granular management and control over individual sessions. If you have one of these systems or no system at all and are just using VPN connections, you will have to develop some custom controls to monitor this activity and manually pull the reports you need to show compliance. Implementing a vendor management system that focuses on third-party access can help you isolate and track vendor sessions separate from internal sessions and make this job a whole lot easier. 
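The session inventory that R2.2.4 and R2.2.5 ask for, as an added example that is not from the original article or any SecureLink product: it replays constructed remote-access gateway log lines, separates vendor sessions from internal ones by a realm attribute (an assumption about the log format), counts what is still open, and lists the sessions that have exceeded the permitted duration and should be disabled.

```python
"""Active vendor remote-access session report (CIP-005-6 R2.2.4 / R2.2.5 style).
Added example, not from the original article or any SecureLink product. The log
format is constructed: one line per gateway session event, with a realm attribute
that tells internal accounts apart from third-party (vendor) accounts."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the last line is deliberately malformed.
SAMPLE_LOG = """\
2020-06-01T08:00:12Z session=a1 event=login user=jdoe realm=internal src=10.1.2.3
2020-06-01T08:05:40Z session=b2 event=login user=acme-svc realm=vendor src=203.0.113.7
2020-06-01T08:07:03Z session=c3 event=login user=turbine-oem realm=vendor src=198.51.100.9
2020-06-01T09:30:00Z session=b2 event=logout user=acme-svc realm=vendor src=203.0.113.7
2020-06-01T10:15:22Z session=d4 event=login user=relay-oem realm=vendor src=198.51.100.20
gateway restarted, line without structured fields
"""

@dataclass
class Session:
    session_id: str
    user: str
    realm: str
    src: str
    started: datetime

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def active_sessions(log: str, realm: str = "vendor") -> dict:
    """Replay login/logout events; return sessions in `realm` still open at log end."""
    open_sessions = {}
    for line in log.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        if "session" not in kv or "event" not in kv:
            continue  # skip blank or malformed lines rather than silently miscounting
        if kv["event"] == "login":
            open_sessions[kv["session"]] = Session(
                kv["session"], kv["user"], kv["realm"], kv["src"], parse_ts(line.split()[0]))
        elif kv["event"] == "logout":
            open_sessions.pop(kv["session"], None)
    return {sid: s for sid, s in open_sessions.items() if s.realm == realm}

def sessions_to_disable(active: dict, now: datetime, max_hours: float) -> list:
    """Session IDs open longer than max_hours at `now`; these are the ones to terminate."""
    return sorted(sid for sid, s in active.items() if now - s.started > timedelta(hours=max_hours))

if __name__ == "__main__":
    vendors = active_sessions(SAMPLE_LOG)
    print(f"{len(vendors)} active vendor session(s):", sorted(vendors))
    print("over 2h, disable:", sessions_to_disable(vendors, parse_ts("2020-06-01T12:00:00Z"), 2))
```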

CIP 010-3 Cybersecurity — Configuration Change Management and Vulnerability Assessments
These controls are designed to prevent unauthorized changes to systems and also stipulate regular vulnerability assessments and tests to make sure systems are not susceptible to such modifications. There are a number of elements to this section, but the only changes that will be made for July 2020 implementation are R1.1.6, R1.6.1, and R1.1.6.2, which require you to verify the identity and integrity of any software you use in your supply chain. This can be done by checking hashes, having processes for software downloads that stipulate known sites, checking certificates, and more. Most of this is fairly easy to implement, unless you have a large software development operation. Some software development tools will do some of this for you as well.
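The two checks the section names, known download sites and published hashes, as an added example that is not from the original article or any vendor's tooling: the approved-host allowlist, the SHA256SUMS-style manifest and the artifact bytes are all constructed, and the result is a record of which checks passed that can serve as compliance evidence.

```python
"""Software source and integrity verification (CIP-010-3 R1.6 style).
Added example, not from the original article. The allowlist, manifest and
artifact bytes are constructed; the host names are hypothetical."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist of approved download hosts.
APPROVED_HOSTS = {"downloads.example-vendor.com", "updates.example-vendor.com"}

# Constructed SHA256SUMS-style manifest, as a vendor would publish it.
SAMPLE_MANIFEST = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  rtu-firmware-1.2.3.bin
0000000000000000000000000000000000000000000000000000000000000000  hmi-installer-4.0.exe
"""

def source_is_approved(url: str) -> bool:
    """Accept only HTTPS URLs whose exact host is on the allowlist.
    urlparse().hostname strips userinfo and port and lower-cases the host, so a
    look-alike such as downloads.example-vendor.com.evil.test is judged on its real host."""
    parts = urlparse(url)
    return parts.scheme == "https" and (parts.hostname or "") in APPROVED_HOSTS

def parse_manifest(text: str) -> dict:
    """Map file name -> published SHA-256 from 'digest  filename' lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(maxsplit=1)
        if len(fields) == 2 and len(fields[0]) == 64:  # ignore malformed lines
            entries[fields[1].strip()] = fields[0].lower()
    return entries

def verify_download(url: str, data: bytes, manifest: str) -> dict:
    """Return an evidence record: which checks passed and whether to accept the file."""
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    published = parse_manifest(manifest).get(filename)
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is constant-time; a file absent from the manifest never passes
    hash_ok = published is not None and hmac.compare_digest(actual, published)
    source_ok = source_is_approved(url)
    return {"file": filename, "sha256": actual, "published": published,
            "source_approved": source_ok, "integrity_verified": hash_ok,
            "accepted": source_ok and hash_ok}

if __name__ == "__main__":
    # b"abc" stands in for the downloaded artifact; its SHA-256 is the first manifest entry.
    print(verify_download("https://downloads.example-vendor.com/fw/rtu-firmware-1.2.3.bin",
                          b"abc", SAMPLE_MANIFEST))
```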

CIP 013-1 Cybersecurity — Supply Chain Risk Management
This adds a new section to the CIP standards and probably represents the area that's least implemented in full by covered entities. It details the development and deployment of a formal supply chain risk management program. An astonishingly large number of organizations don't have a written program to track third-party risk, even those managing a large population of vendors doing critical tasks. Section 1.2 describes the various requirements you must have for vendors and supply chain partners, including notifications of breaches on their end, onboarding and offboarding of their users in your systems, and software integrity verification. 

Finally, it all has to be reviewed and signed off on by the enterprise's CIP Senior Manager at least every 15 months, with documentation of compliance per the R2 and R3 rules. While this may seem like a lot to get done, there are many technology solutions out there that can help get technical controls in place, such as Vendor Privileged Access Management (VPAM), and various vendor risk assessment platforms and exchanges to do risk assessments. The key is getting started with your program policy and procedure documents, for which there are many templates available on the Internet and consultants willing to put them together for you.

Are You Prepared for the Updates?

Hopefully, these new rules are the "burning bridge" that gets electrical utilities moving toward full implementations of cybersecurity programs that include all the contemporary best practices that NIST and other standards expect. It may be a race to the finish, but once implemented, these regulations will make sure electrical utilities are safer from cyber threats, especially ones brought in by third parties. Utility IT security departments pressed to get all this in place by July can rest easy for a while after that: after July 2020, the next NERC CIP updates that include cyber controls come in July 2022.


About the Author: Tony Howlett, CISO, SecureLink
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of the (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds CISSP and GNSA certifications and a B.B.A. in Management Information Systems. Tony is currently the CISO at SecureLink.


3/24/2020 | 12:28:27 PM
A Bit Confusing, Indeed...
I spent some time this morning reviewing the referenced standards. They seem to be much too prescriptive, and much of the work done reinvents the wheel (discussing firewall best practices, training standards, etc.). The focus should be on the unique aspects of the sector which make cyber challenging, not 58 pages on cybersecurity controls (while incident response only gets 25). I agree this sector warrants high attention but disagree with their approach so far...

Secondly, this industry reminds me of the healthcare sector 10 years ago...who is supposed to be helping these entities interpret and implement this guidance? Expertise is limited - greenfield for new jobs (and consulting contracts)?