NERC to Expand CIP Reliability Standards
The Federal Energy Regulatory Commission (FERC) issued Order No. 848 on July 19, which instructs the North American Electric Reliability Corp. (NERC) to expand CIP reliability standards to include mandatory reporting of cybersecurity incidents that could harm the bulk electric system (BES).
The order will support a more proactive view of cybersecurity and enable a more effective evaluation of BES risk exposure. This aligns with industry best practices of adopting CIP models for risk-based, pre-emptive measures to protect the BES.
The Threat is Real
Russian cyber hackers just claimed they were able to penetrate U.S. utility control rooms last year and could have caused widespread blackouts. While the investigation continues, there is little doubt among industry experts that at any time, cyber attacks have the potential to compromise power flows.
Emphasizing this looming potential, Order 848 instructs NERC to modify CIP reliability standards to mandate reporting of “Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the [bulk electric system] BES.”
The Impetus Behind the Order
A lack of cyber-related incidents reported in accordance with NERC’s current reliability standard CIP-008-5 for Cyber Security Incident Reporting and Response Planning has caused concern for FERC, and with good reason. Reporting a compromise or disruption to “one or more reliability” tasks after the compromise has occurred may be indicative of lack of vigilance built into a holistic cyber management framework.
Registered entities will soon be responsible to report any attempt to compromise its electronic security perimeter (ESP) or associated electronic access control or monitoring system (EACMS). Any device inside the perimeter determined to be a critical cyber asset falls within the threshold.
Impact on Risk and Threat Classification
The new standard will “improve awareness of existing and future cyber security threats and potential vulnerabilities” to the BES. In addition, NERC is expected to tighten timelines for submitting Cyber Security Incident reports “based on a risk impact assessment and incident prioritization approach to incident reporting.”
Reporting threats to the BES in advance of a confirmed compromise enables regulators (E-ISAC, ICS-CERT) to trend, track and respond to what could be a trending threat beyond the single entity level. Investigating and remediating significant risks approach demonstrates a holistic, proactive view of cybersecurity, and contextualizes risk exposure more effectively.
Preparedness and Prevention
Just as NERC updated CIP guidelines for controlling remote access to critical systems across the supply chain, the same principle of preparedness and prevention applies to the forthcoming standard for cyber vigilance.
Cyber risk management is a continually adaptive process. While no network is impenetrable, the goal is to be in the best position to detect threats, analyze the risk and respond with a process that mitigates the risk, supports the goal of continuous compliance and maintains evidence for audit readiness.
A Modern NERC CIP Compliance Approach
Entities best prepared for Order 848 and NERC CIP compliance in totality are those that already have electronic cyber security compliance systems in place. Common characteristics of these entities include:
- Powerful configuration and integration capabilities
- Automated workflows based on current NERC CIP guidelines
- A single platform as a centralized source of information for automated reporting, auditing, and regulatory compliance
- A document and data management process that proves monitoring and enforcement in compliance with CIP
- A collaborative change control process that documents methods and authorizations
- A wholistic view and full control of all assets and access, including third parties that have connectivity and access to bulk power system networks
CIP compliance has proven to be a challenge due to the rapid and changing nature of compliance requirements. However, the threat to the industry will continue to necessitate stricter standards for detecting and thwarting as many vulnerabilities as possible. NERC provides guidelines that are the most inclusive in any industry, but without an integrated NERC CIP compliance system in place, registered entities are going to continue to lag behind and face penalties and worse, a higher likelihood of cyber attacks.