With its mission of being able to “ensure the North American bulk power system,” the main purpose of NERC (North American Electric Reliability Corporation) is to develop reliability standards for power supply in the contiguous United States, Canada, and Mexico. NERC also administers CIP (Critical Infrastructure Protection) which outlines mandatory standards that address the security of cyber assets that are critical to operation of the North American electricity grid.
Maintaining compliance and staying on top of revised standards are not just required for regulated utility companies – they’re a top priority. Staying secure and protecting a company’s most valuable and sensitive assets are necessary for preventing cyber attacks. Staying up to date with revisions to CIP standards, such as the recent addition of CIP-008 in January 2021, brings up the discussion around the overall security posture of utility companies and the need to go above and beyond when it comes to security.
Maintaining compliance and staying on top of revised standards are not just required for regulated utility companies - they're a top priority.
Helping Utilities Tackle Compliance
To give us a first-hand account of the challenges with compliance and security, we sat down with the Manager of Generation Cyber Security for a Fortune 500 electricity provider who has more than 13 years of experience in the utility space and has worked collaboratively with Sendero throughout the last several years.
How has the industry changed with the presence of NERC and mandatory CIP compliance?
Cyber Security Manager: At the inception of CIP, compliance standards related to cyber security were relatively minor. Although it’s slow moving, we’re seeing some meaningful regulation. For example, only last year were firewalls required for low impact sites. In many ways it’s the industry regulating itself, which accounts for the gradual changes.
What are the biggest challenges with maintaining compliance with NERC CIP standards?
Cyber Security Manager: Maintaining compliance for medium and high impact programs can be challenging. Take patching (CIP-007) for example, some patches require approval from the vendor as they can break the control systems, and some vendors are known to backdate patches, which makes it complicated to prove that the control systems are up to date. However, even low impact sites have their challenges. For example, the interpretation of CIP-003-7, which outlines the management of Transient Cyber Assets (TCAs), can vary across the industry depending on the company.
In your professional opinion, what are the differences between compliance with NERC CIP standards and a robust security program?
Cyber Security Manager: First of all, compliance does not equal security. Companies can be very compliant with low impact site standards fairly easily, but that doesn’t mean they have a robust security program in place. Going back to the example of TCAs – per the standard, to maintain compliance you must have a process to deter, detect, and prevent malicious code; however, the details are left to each organization, and the effectiveness can vary between them.
There’s a difference between meeting the spirit of the regulation and meeting the technicality of the regulation – you can do a lot of paperwork and check all the boxes for compliance, but at the end of the day, it’s crucial to go beyond the regulations to ensure a robust security program.
In addition to the minimum that’s required with the CIP program, which areas are most critical and vulnerable to address first in order to achieve higher security?
Cyber Security Manager: In general, control systems are vulnerable and designed with security as an afterthought. The first step is to secure the perimeter (engineering workstations, Human Machine Interfaces (HMIs), etc.) and prevent unwelcome access to these systems in the first place. The next step is to work with vendors in developing and implementing better security processes and procedures in order to be at the forefront of compliance and industry security standards.
How has the global pandemic affected security and NERC CIP compliance, if at all?
Cyber Security Manager: It’s been a challenge getting people into the power plants to do maintenance on the systems, and of course, with everyone working from home, hackers are at a greater advantage to potentially breach assets after gaining footholds through less secure devices.
Do you foresee any changes or updates to current CIP standards? If so, what would they be?
Cyber Security Manager: I believe we will see changes to classifications. Currently, battery sites are considered generation, even though batteries don’t really generate and are more of a grid stabilization device. But because we don’t have a specific definition of battery in CIP, they’ve been falling under the classification of generation.
What do you look for in a partner to help implement compliance standards?
Cyber Security Manager: Finding a partner that is going to balance compliance and actual security is crucial. Attention to detail is imperative, especially when implementing standards and regulations.
How has working with Sendero helped your organization in achieving NERC CIP compliance and maintaining the level of security the organization requires?
Cyber Security Manager: Before Sendero, I didn’t have a good appreciation for what strong project management capabilities can do for a team. Each person I’ve had the pleasure of working with at Sendero has had the ability to keep us on track and facilitate cross-team collaboration. Ultimately, as part of the utility space, it’s up to us to push the control system vendors and industry to bolster both security and compliance programs. Sendero enables us to do our job better by taking on the project oversight so we can stay focused on compliance security priorities.
Working Alongside Clients on their NERC CIP Journey
Luba Popov, Senior Manager, has been working with utility clients for several years. She was able to elaborate on how Sendero can help organizations reach their potential.
What services related to security and NERC CIP compliance does Sendero provide to clients?
Luba: Most clients already have a NERC CIP program in place but need assistance in driving prioritization of work, managing the workload and resources, and ensuring that key milestones are met. Maintaining compliance and implementing more robust security postures requires coordination with different groups across the organization as well as working through reporting needs. This is where Sendero can provide value in working closely alongside our clients to achieve their compliance and security goals.
What is Sendero’s approach to working with clients on security and NERC CIP compliance programs?
Luba: We support clients in not only achieving higher levels of compliance but also in protecting their most critical assets. We first listen to their needs and work with them in defining priority activities. Additionally, we assist in managing risks and issues and provide a unique perspective in optimizing the implementation of new processes and tools. Sendero’s past experience in the security and NERC CIP compliance space make project management and execution more effective. We are there as a partner in the journey to maintaining compliance and achieving greater security.
What have you learned from working with clients who are seeking to achieve minimum NERC CIP compliance and enhance security?
Luba: For most, the timeline is important, but quality can’t be overlooked. It’s necessary to put the right measures in place for a comprehensive program, including planning, strategy, and change management. Identifying what success looks like while also creating and regularly updating a security roadmap are crucial activities when structuring your program. Additionally, metrics allow for a large number of assets and multiple efforts in parallel to be accounted for. This provides leadership with an understanding of where a program is at any given time along the roadmap. Utility companies in the generation space are subject to extra scrutiny because of the social responsibility they inherently possess. They need to keep up with revisions to NERC CIP standards while staying one step ahead of hackers. Ultimately, it’s a priority to protect and monitor a utility company’s most valuable assets, to continually improve, and to prevent cyber attacks.
Going Above and Beyond
Keeping up with standards that are constantly in flux is a challenge, but it’s also a necessity, not only for maintaining compliance but also ensuring critical assets are secure. Wherever you are in your compliance journey, remember that checking the boxes for compliance does not equate to a higher level of security.