Importance of standards in the security of critical systems
In view of the ongoing cyber attacks worldwide, the security of power grids is now at the top of the agenda for government agencies and cybersecurity officials. The US Congress is already working on new and stricter cybersecurity laws, and the EU is tightening its own defenses against cyber threats.
Otorio, provider of security technology for critical infrastructures and production environments, explains the importance of standards for effective OT security.
From the decentralization of the grid to localized microgrids that supply rapidly changing loads, there is a lot to do. Maintaining production and infrastructure while complying with evolving cybersecurity regulations is already a major challenge for utilities. Now, energy and utility companies are also working to ensure that their OT networks reduce the risk posed by state-sponsored cyber threats. This increased attention sheds new light on NERC CIP, the set of Critical Infrastructure Protection standards issued by the North American Electric Reliability Corporation.
According to Otorio, it is time to take a closer look at NERC CIP to discuss why the framework is particularly relevant in today’s turbulent cyber climate and to show how companies can simplify their compliance with the framework.
What is NERC CIP?
First introduced in 2007, NERC CIP is a set of requirements aimed at securing the North American power grid through strict regulation of the operation of the Bulk Electric System (BES). The BES is the part of the power grid that carries the bulk of the load: generation equipment, transmission lines, interconnections and equipment operating at 100 kV or above.
NERC CIP was developed to create a comprehensive regulatory framework for protecting BES utilities against cyber attacks. Its requirements cover electronic security perimeters and the protection of critical cyber assets, as well as personnel and training, security management controls, incident reporting and recovery planning.
NERC CIP has teeth. The penalties for non-compliance are severe: up to one million US dollars per violation per day. In January 2019, NERC fined an unnamed utility $10 million for 127 separate violations of NERC CIP. In addition to fines, the regulatory framework also provides for sanctions and other tough regulatory measures against BES operators. Compliance is therefore an integral part of BES operations.
However, compliance with NERC CIP is far from easy, because the framework predates much of the technology behind today's cyber threats. In particular, increasing IT/OT convergence and the massive spread of connected devices make it difficult for utilities to be certain which assets count as part of the BES under the regulations. This makes NERC CIP compliance extremely complex and seemingly subjective, and the liability risk for BES operators across the continent is rising sharply.
Simplification of NERC CIP compliance
Protecting today's complex, cross-vendor, cross-generational IT/IoT/OT BES environments requires BES managers to rethink their approach to cybersecurity. NERC CIP compliance does not by itself guarantee that an effective security posture and sound security practices are in place.
A better approach is to let compliance follow from security rather than hoping that security follows from compliance. This means that BES managers must first take a risk-informed approach to mitigating cyber risk. They need to focus on building a security program that accounts both for contextual risks and for the gaps the regulations do not cover. The first step is to identify assets and uncover risks without compromising operational continuity, for example by relying on passive discovery rather than active scanning of production networks.
Once the assets at risk are identified, the next step is to ensure that security teams know exactly what to do in the event of a breach. This requires automated remediation playbooks: simple, step-by-step measures that help operational teams manage threats efficiently while leveraging existing security controls.
Finally, mitigation and remediation must be complemented by automated compliance and security reports that can be submitted to senior management and technical customers, as well as to regulators such as NERC and other auditors. These reports must assess risk per asset, assign compliance and security ratings, and make recommendations for continuous improvement.
How can this be supported technologically?
OTORIO supports BES operators in complying with NERC CIP by means of fast, automated compliance assessments and ongoing monitoring of continuous NERC CIP compliance, especially when new devices are introduced into BES networks.
- spOT Lifecycle – Enables machine manufacturers to deliver secure, NERC CIP-compliant OEM machines, from a single machine to an entire production site. It automates cybersecurity factory acceptance testing (FAT) with on-demand scans of individual machines. spOT provides a detailed inventory of the equipment and a certificate of conformity for each machine delivered, enabling machine manufacturers to offer security as a service throughout the machine's entire life cycle.
- RAM2 Continuous Monitoring – The field-proven RAM2 platform provides continuous, granular and comprehensive monitoring of security posture and compliance governance, with detailed reports that can be tailored to the needs of each BES operator. The system prioritizes BES cyber risks on the basis of cross-site analysis and offers practical, actionable instructions for risk reduction. The platform simplifies NERC CIP compliance management by maintaining a constantly updated, dynamic and granular compliance score that supports the fulfillment of existing and new compliance requirements.
- ReconOT – An automated, passive, OT-centric reconnaissance tool that discovers an organization's exposed assets as a potential attacker would see them. ReconOT supports NERC CIP compliance by focusing on industrial OT, unlike other attack surface tools that focus mainly on IT.