April 25, 2024
According to the International Energy Administration, weekly cyberattacks on global utilities more than doubled from 2020 to 2022.
Even though there haven’t yet been any cyberattacks in the U.S. that have impacted the grid for an extended period, experts agree that it’s only a matter of time before a breach occurs.
And it’s not just bulk electric system assets that are at risk. In recent years, electric utilities have suffered numerous data breaches affecting customer information, including bank account details.
There’s no question that cybersecurity is a mounting concern for electric utilities, making NERC CIP compliance more important than ever.
Here we examine ten key reasons why NERC CIP compliance is critical, with one caveat:
Basic compliance shouldn’t be your goal, as that can lead to a check-the-box mentality. Rather, the goal of electric utilities should be to implement a strong cybersecurity program, from which NERC CIP compliance is a natural output.
1. Mitigating Cyber Risk
Prioritizing NERC CIP compliance is essential for utilities because of the myriad challenges today related to cyber risk. These include:
- Increasingly sophisticated hackers: Threat actors are constantly growing smarter, and utilities have to find new ways of staying ahead of them. Ransomware attacks are a particular concern, with the median ransomware event for a utility with $500M in revenue costing more than $17M, according to a report by ThreatConnect.
- Changing technology: As technology changes, utilities are forced to secure both new technology and older technologies that may not be as easy to secure.
- Managing IT and OT security: Securing IT and OT environments requires two different approaches, and the components utilities must monitor differ between the two. While patch management for IT can largely be automated, installing patches on OT systems requires advance planning because the affected systems must first be isolated.
2. Protecting Critical Infrastructure
NERC CIP compliance is a vital priority as new vectors emerge for malicious actors to attack critical infrastructure. These cyberattacks can have serious consequences that pose significant risks to public safety.
Take the 2015 attack on Ukraine’s power grid, for example. Targeting multiple electric utilities, the cyberattack led to widespread power outages that left hundreds of thousands of residents there without power during cold winter months.
It’s not hard to see how cyberattacks on electric utilities in the U.S., too, could cause widespread disruption and even loss of life. This underscores the importance of NERC CIP compliance in protecting critical infrastructure.
3. Reducing Regulatory Risks
Because the risks are so great, so are the penalties for electric utilities in violation of CIP requirements. For utilities often tasked with doing more with less, avoiding these fines is a top motivator for ensuring compliance.
Penalties for NERC CIP violations can reach as high as $1 million per day per violation. In 2019, the agency levied one of its highest fines ever when it slapped an organization with multiple locations in different NERC regions with a fine of $10 million.
While fines of this size may be the exception, the implication for utilities is the same: not addressing CIP compliance effectively comes with serious financial risk.
4. Maintaining Customer Trust
Reducing reputational risks and maintaining customer trust is another big reason why electric utilities should prioritize NERC CIP compliance. Those utilities who are hacked may find themselves the subject of news headlines for all the wrong reasons, and the reputational impacts can be long-lasting.
Any time the power supply is disrupted, customers will have questions for their utility. That distrust can be hard to erase, as the reputational damage experienced by large utilities in the wake of substation security events has shown.
5. Mitigating Supply Chain Risks
Reducing supply chain risks from vendors and third-party components is a central part of NERC CIP standards. That’s because vulnerabilities introduced through the supply chain are often a weak spot in cybersecurity programs—an area where compliance with NERC CIP-013 can help.
Consider, for example, what could happen if malicious code was installed via a third-party software patch. In the case of the 2020 SolarWinds cyberattack, this supply chain vulnerability ended up affecting more than 30,000 organizations.
6. Safeguarding Access Management
Complying with NERC CIP standards can help electric utilities prevent unauthorized access that can lead to cybersecurity incidents. CIP-004 in particular requires that those with access have a background check every seven years and CIP training every 15 months. The standard also requires utilities to revoke access from employees within 24 hours of being terminated or leaving the organization.
These tasks all require ongoing monitoring to keep up with requirements so that employees are trained appropriately and potentially disgruntled employees can’t get access to sensitive systems.
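The ongoing monitoring described above can be expressed as a small access review that runs against the personnel records a utility already keeps. The following is an added example, not code from the article or from AssurX: the record layout, the finding codes, the anniversary-date handling of the 15-month and seven-year intervals, and the sample personnel data are all constructed for illustration.

```python
"""Personnel access review for the CIP-004 intervals described in the text.

Added example, not the article's or AssurX's code. The record format,
interval handling and finding codes are assumptions for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

TRAINING_INTERVAL_MONTHS = 15               # CIP training every 15 months
BACKGROUND_CHECK_INTERVAL_MONTHS = 7 * 12   # background check every seven years
REVOCATION_WINDOW = timedelta(hours=24)     # revoke access within 24 hours of leaving


@dataclass
class AccessRecord:
    person: str
    access_active: bool                     # does the person currently hold access?
    last_training: Optional[date]           # None models a blank field in source data
    last_background_check: Optional[date]
    terminated_at: Optional[datetime] = None  # when the person left, if they have


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length.

    Assumption: the anniversary date is treated as the deadline. The standard's
    own "calendar months" wording is handled more loosely than this in practice.
    """
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def check_record(rec: AccessRecord, now: datetime) -> list[str]:
    """Return the finding codes that apply to one record, evaluated as of `now`."""
    findings: list[str] = []
    if rec.terminated_at is not None:
        # A leaver's only remaining obligation is that access is actually gone.
        if rec.access_active:
            overdue = now - rec.terminated_at > REVOCATION_WINDOW
            findings.append("REVOCATION_OVERDUE" if overdue else "REVOCATION_PENDING")
        return findings
    if not rec.access_active:
        return findings  # no access held, so no training or background-check clock runs
    today = now.date()
    checks = (
        ("last_training", TRAINING_INTERVAL_MONTHS, "TRAINING_OVERDUE"),
        ("last_background_check", BACKGROUND_CHECK_INTERVAL_MONTHS, "BACKGROUND_CHECK_OVERDUE"),
    )
    for field, interval, code in checks:
        value = getattr(rec, field)
        if value is None:
            # A blank field is itself a finding: the evidence does not exist.
            findings.append(f"MISSING_FIELD:{field}")
        elif add_months(value, interval) < today:
            findings.append(code)
    return findings


def audit(records: list[AccessRecord], now: datetime) -> dict[str, list[str]]:
    """Map each person with at least one finding to their finding codes."""
    result: dict[str, list[str]] = {}
    for rec in records:
        findings = check_record(rec, now)
        if findings:
            result[rec.person] = findings
    return result


# Constructed sample data (not real personnel records).
AS_OF = datetime(2024, 4, 25, 9, 0)
SAMPLE_RECORDS = [
    AccessRecord("alice", True, date(2023, 6, 1), date(2020, 1, 15)),
    AccessRecord("bob", True, date(2022, 12, 10), date(2016, 3, 1)),
    AccessRecord("carol", True, date(2023, 9, 1), date(2021, 1, 1),
                 terminated_at=datetime(2024, 4, 23, 10, 0)),   # left 47 hours ago
    AccessRecord("dave", True, date(2023, 9, 1), date(2021, 1, 1),
                 terminated_at=datetime(2024, 4, 24, 18, 0)),   # left 15 hours ago
    AccessRecord("eve", True, None, date(2022, 1, 1)),          # blank training date
]

if __name__ == "__main__":
    for person, findings in audit(SAMPLE_RECORDS, AS_OF).items():
        print(f"{person}: {', '.join(findings)}")
```

Running the review daily, rather than at audit time, is what turns these requirements from a once-every-few-years scramble into routine evidence; the REVOCATION_PENDING code exists so that a leaver whose access is still active inside the 24-hour window shows up before the deadline passes, not after.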
7. Reinforcing Physical Security
Physical security is a crucial concern for electric utilities today. News stories abound of utility substations being the target of physical attacks, and it’s not hard to see how an attack on physical systems can put cybersecurity at risk.
NERC CIP compliance ensures that utilities have controls to restrict physical access, helping mitigate the risk of physical attacks.
8. Strengthening Incident Response
NERC CIP-008 requires electric utilities to have solid incident response plans, and NERC CIP-009 requires electric utilities to have documented recovery plans to ensure they can recover from incidents quickly with minimal disruption to the grid. Beyond requiring processes for information backup and storage, these standards focus on:
- Having a team of people identified so the plan can be activated right away in the event of a cybersecurity incident
- Exercising each recovery plan once every 15 months, whether with a tabletop exercise, operational exercise, or recovering from a real-life incident
- Ensuring everyone on the team is notified whenever a change to recovery plan(s) occurs
- Periodically reviewing the plan and updating it as needed, for instance replacing someone who has left the organization
9. Protecting Data Integrity
Ensuring the integrity of critical operational data is important for a variety of reasons, such as for preventing tampering that could compromise the grid. CIP compliance protects data integrity by mandating requirements around:
- Access control to prevent unauthorized manipulation of data
- Data encryption to prevent interception during transit
- Monitoring and logging systems to detect and track suspicious activity
- Conducting audits to identify vulnerabilities that could affect data integrity
10. Audit Readiness
A strong focus on NERC CIP compliance can help ensure audit readiness, which is a top challenge for utilities. Those that aren’t prepared face increased risk of NERC violations; according to NERC’s latest compliance report, roughly 10% of violations are identified during audits rather than through self-reporting.
A rock-solid CIP compliance program can eliminate the worries and regulatory risks of a CIP audit, which will involve evaluating a wide range of requirements and evidence. Demonstrating a proactive approach to NERC CIP compliance shows regulators that you take cybersecurity seriously, building confidence in your systems and your ability to maintain grid reliability.
Automated NERC CIP Compliance: Tying It All Together
With so many requirements and evidence required to demonstrate compliance, utilities need a better way to manage cybersecurity than manual methods such as spreadsheet-based tracking.
Instead, utilities are shifting to automated NERC compliance systems to standardize their approach to cybersecurity. An automated NERC compliance system addresses many of the challenges discussed here by:
- Automatically importing daily baselines and monitoring the system for any changes that need to be cataloged and evaluated
- Enabling time-initiated tasks like security patch evaluation, recovery plan review and access management review to prevent key deadlines from slipping by
- Coordinating data from multiple sources and monitoring data integrity, for example identifying when there’s a blank field that shouldn’t be there within source data
- Providing a centralized document management repository for managing all compliance-related documentation, including recovery plans
- Ensuring asset lists are comprehensive and up-to-date and have all the required evidence to demonstrate compliance with CIP requirements
- Tracking activities around third-party vendors to reduce supply chain risk, including vendor agreements, communications, and incident history
- Surveilling all electronic, physical, and sensitive documentation access to enforce controls and the principle of least privilege
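The first item in the list, importing a daily baseline and cataloging every change against the previous one, is the core of configuration change monitoring. The following is an added example, not code from the article or from AssurX: the asset attributes, the two baseline snapshots and the change-record shape are constructed assumptions, chosen to show how a day-over-day comparison surfaces new or missing assets, changed values, and additions or removals inside list-valued attributes such as listening ports.

```python
"""Day-over-day baseline comparison for cyber assets.

Added example, not the article's or AssurX's code. Attribute names and the
two snapshots are constructed for illustration.
"""
from typing import Any

# Constructed baselines (not real asset data). Each asset maps attribute -> value;
# list-valued attributes are compared as sets so reordering is not a change.
BASELINE_DAY1: dict[str, dict[str, Any]] = {
    "rtu-01": {"os": "vendor-rtos 4.2", "firmware": "1.9.3",
               "listening_ports": [502, 20000], "software": ["scada-agent 2.1"]},
    "hmi-02": {"os": "windows 10 ltsc", "firmware": None,
               "listening_ports": [445, 3389], "software": ["av-client 12", "hmi-runtime 7.0"]},
    "fw-03":  {"os": "fw-os 6.1", "firmware": "6.1.2",
               "listening_ports": [22, 443], "software": []},
}

BASELINE_DAY2: dict[str, dict[str, Any]] = {
    "rtu-01": {"os": "vendor-rtos 4.2", "firmware": "1.9.4",          # firmware changed
               "listening_ports": [20000, 502], "software": ["scada-agent 2.1"]},
    "hmi-02": {"os": "windows 10 ltsc", "firmware": None,
               "listening_ports": [23, 445, 3389],                     # new port
               "software": ["hmi-runtime 7.0"]},                       # av-client gone
    "eng-ws-04": {"os": "windows 11", "firmware": None,                # new asset
                  "listening_ports": [3389], "software": ["eng-tool 3.0"]},
    # fw-03 is absent: it stopped reporting or was removed from the inventory
}


def diff_baselines(old: dict[str, dict[str, Any]],
                   new: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one change record per difference, ordered by asset then attribute.

    Every record is something a reviewer must catalog and either approve as an
    authorized change or investigate; an empty list means the baselines agree.
    """
    changes: list[dict[str, Any]] = []
    for asset in sorted(set(old) | set(new)):
        if asset not in new:
            changes.append({"asset": asset, "kind": "asset_missing"})
            continue
        if asset not in old:
            changes.append({"asset": asset, "kind": "asset_new"})
            continue
        for attr in sorted(set(old[asset]) | set(new[asset])):
            before, after = old[asset].get(attr), new[asset].get(attr)
            if isinstance(before, list) and isinstance(after, list):
                added = sorted(set(after) - set(before))
                removed = sorted(set(before) - set(after))
                if added or removed:
                    changes.append({"asset": asset, "kind": "list_changed",
                                    "attribute": attr, "added": added, "removed": removed})
            elif before != after:
                changes.append({"asset": asset, "kind": "value_changed",
                                "attribute": attr, "old": before, "new": after})
    return changes


if __name__ == "__main__":
    for change in diff_baselines(BASELINE_DAY1, BASELINE_DAY2):
        print(change)
```

A missing asset is reported as its own record rather than silently dropped: an asset that disappears from the daily import is as much a review item as one whose firmware changed, and treating absence as "no change" is exactly the gap an auditor will find.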
Overall, NERC compliance software helps protect system-wide cybersecurity by streamlining the process of organizing, tracking and managing internal controls and evidence collection. The result is that subject matter experts (SMEs) can spend less time on the administrative details of CIP compliance, and more time evaluating opportunities to strengthen the organization’s security posture.
Conclusion
Cybersecurity threats are on the rise for utilities worldwide, with electric utilities increasingly a target for malicious actors looking to take down grid assets and cause widespread power outages.
Furthermore, as threats become more sophisticated, so too does the technology that utilities are responsible for securing. As all of this grows more complex, it’s on utilities to find new ways to strengthen cybersecurity to prevent cyberattacks from disrupting grid operations.
NERC compliance software helps organizations achieve this goal and ensure that they meet CIP requirements. More than just helping meet compliance requirements, however, an automated approach helps utilities build a stronger cybersecurity program, mitigating risks for the organization and the public at large.
About the Author
Kathryn Wagner is Vice President, Industry Solutions, Energy & Utilities at AssurX. Kathryn brings more than 25 years of experience in manufacturing systems integration and compliance while being responsible for the development and evolution of product offerings for NERC compliance and related systems that focus on reliability and resilience.