Breaches and incidents at utility and other energy-related companies have been rising faster than an electric bill in a Texas summer. In 2019, a power plant in Ukraine was attacked and the power went out in the area for about an hour due to the problems it caused. And in February 2020, a gas pipeline in the US was shut down for two days after an ransomware incident. According to a study done by Allianz, 54% of critical infrastructure providers report attacks that attempted to control systems.
All signs point to attacks not abating anytime soon. These sites make great targets for ransomware groups looking for critical infrastructure that cannot afford to be down. They are also targeted by cyberterrorists and nation-state actors looking to create real-world mayhem out of digital efforts. One would think this would be a wake-up call for utilities to get serious about cybersecurity efforts. However, according to the "State of the Electric Utility 2020" report from Utility Dive, 37% of U.S. utility companies have not completely implemented their cybersecurity programs.
NERC Updates Are Coming
Nothing lights a fire under a regulated industry faster than a regulation change that could bring fines or sanctions. Upcoming updates to the cybersecurity portions of North American Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) rules have many utilities and other covered companies scrambling to figure out the implications for their cybersecurity programs and to implement any necessary solutions. Sorting through the various elements of NERC regulations and rules can be confusing and frustrating; they are often highly technical in nature, and they use a lot of acronyms. It doesn't help that some of the terms they use are the same as IT terms, such as EAP and LEAP.
Understanding New Rules and Regulations
NERC is a nonprofit quasi-governmental agency that sets forth the standards for CIP. Much of this standard refers to non-cyber functions of the electric generation business, but given the incursion of automation technology and connectivity in most plants now, more elements are being added all the time to deal with cybersecurity, and this latest batch is no exception.
Having just gotten past the January 1, 2020, effective date of CIP 003-7 on Security Management Controls, companies now will have to make sure they are ready for the July rules. These changes focus on updates to the security perimeter requirements and change control all while introducing a new category of controls, CIP 013-1, which covers supply chain risk. Here is an overview of the changed or added sections with key takeaways on each.
CIP 005-6 Cybersecurity — Electronic Security Perimeter
This section defines fairly detailed rules for firewalls, DMZs, and network segmentation requirements for protected assets. Added requirements center around the implementation of CIP-005-6 parts R2.2.4 and R2.2.5, which stipulate that they must have methods for determining how many active vendor remote access sessions they have at any given time and a way to disable these sessions.
Many general remote access solutions don't differentiate between internal and vendor sessions and don't allow granular management and control over individual sessions. If you have one of these systems or no system at all and are just using VPN connections, you will have to develop some custom controls to monitor this activity and manually pull the reports you need to show compliance. Implementing a vendor management system that focuses on third-party access can help you isolate and track vendor sessions separate from internal sessions and make this job a whole lot easier.
CIP 010-3 Cybersecurity — Configuration Change Management and Vulnerability Assessments
These controls are designed to prevent unauthorized changes to systems and also stipulate regular vulnerability assessments and tests to make sure systems are not susceptible to such modifications. There are a number of elements to this section, but the only changes that will be made for July 2020 implementation are R1.1.6, R1.6.1, and R22.214.171.124, which require you to verify the identity of any software you use in your supply chain and its integrity. This can be done by checking hashes and having processes for software downloads that stipulate known sites, checking certificates, and more. Most of this is fairly easy to implement, unless you have a large software development operation. Some software development tools will do some of this for you as well.
CIP 013-1 Cybersecurity — Supply Chain Risk Management
This adds a new section to the CIP standards and probably represents the area that's least implemented in full by covered entities. It details the development and deployment of a formal supply chain risk management program. An astonishingly large number of organizations don't have a written program to track third-party risk, even those managing a large population of vendors doing critical tasks. Section 1.2 describes the various requirements you must have for vendors and supply chain partners, including notifications of breaches on their end, onboarding and offboarding of their users in your systems, and software integrity verification.
Finally, it all has to be reviewed and signed off on by the enterprise's CIP Senior Manager at least every 15 months, with documentation of compliance per the R2 and R3 rules. While this may seem like a lot of things to get done, there are many technology solutions out there that can help get technical controls in place, such a Vendor Privileged Access Management (VPAM), and various vendor risk assessment platforms and exchanges to do risk assessments. The key is getting started with your program policy and procedure documents, for which there are many templates available on the Internet and consultants willing to put them together for you.
Are You Prepared for the Updates?
Hopefully, these new rules are the "burning bridge" that get electrical utilities moving toward full implementations of cybersecurity programs that include all the contemporary best practices that NIST and other standards expect. It may be a race to the finish, but once implemented, these regulations will make sure electrical utilities are safer from cyber threats, especially ones brought in by third parties. And for utility IT security departments pressed to get all this in place by July, they can rest easy for a while after that. After July 2020, the next NERC CIP updates that include cyber controls are in July 2022.
About the Author: Tony Howlett, CISO, SecureLink
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds CISSP, GNSA certifications, and a B.B.A. in Management Information Systems. Tony is currently the CISO at SecureLink.