Most of us expect electricity to be as reliable as the sun coming up tomorrow. The energy delivered to our homes, offices and every other place in between relies on the electrical utility operating flawlessly and delivering this essential commodity. What many do not realize is that utilities and other mission-critical operations like them have become ground zero for potential attacks by nation states, rogue factions, or in some cases even employees who have privileged access to the facility.
Motives for taking an electrical grid offline can vary from accidental actions to revenge or terrorism. No matter the motive, the resources required to launch an attack are minimal while the impact of taking the grid offline can cause major havoc. In 2003, the Northeastern United States was plunged into a blackout due to a software glitch that did not trip the safeguards and redistribute the load when overhanging foliage disrupted electrical transmissions. The cascading action of this failure caused an outage in excess of 508 generating units at 265 power plants.
Since the aforementioned incident, certain safeguards and minimum thresholds have been put in place to enforce standards. The North American Reliability Corporation (NERC) was formed to “assure the effective and efficient reduction of risks to the reliability and security of the grid”. Comprised in part of the electrical agencies it was envisaged to regulate, NERC produced guidelines to help ensure the reliability of electrical distribution across the vast areas it serves. The introduction of these guidelines in 2016 did not come too soon. Recent incidents, such as the attack on a Ukrainian electric utility which involved the Industroyer malware (a.k.a. CrashOverride), or the incident at a Middle Eastern oil and gas refinery in which the TRISIS malware was used to attack a Triconex Safety Instrumented System, underscore the increasing threat of cyber-attacks on critical infrastructure.
While there have not been many penalties for failure to comply with the NERC guidelines, in January 2019 the Wall Street Journal reported that Duke Energy was fined $10 million for 127 CIP and other security violations between 2015 and 2018. This is more than triple the last fine levied by NERC. Many news agencies that covered this story cited the interconnectivity and interdependence of grid providers as creating a clear and present danger that needed to be strongly addressed. Specifically, when one agency does not fully comply with published guidelines, it becomes the weak link in the chain for all the other providers. So what should utilities and energy providers do to make sure they meet minimum NERC standards?
While this is not an exhaustive list, here are three key areas to address in order to comply with NERC standards:
- Ensure you can identify and classify the Bulk Electric System (BES) assets that are in your OT environment. A cardinal principle of cyber security states that “You can’t secure what you don’t know exists.” In order to secure your control systems, as well as to comply with NERC CIP, the first thing you need to do is identify what you have. This can be accomplished by deploying ICS security technology that automatically discovers and maps all ICS devices (even dormant ones) and keeps an up-to-date inventory of these assets. This includes the operator and engineering workstations, the controllers (PLCs, RTUs and DCS controllers), and other devices.
- Deploy consistent and sustainable security controls that protect the BES and safeguard against its misoperation. Real-time alerts can enforce security management policies on any unauthorized ICS access and activity. The resulting audit trail enables generation owners and operators to establish responsibility and accountability, as well as prevent malicious or erroneous activities that could lead to misoperation or instability of the plant.
- Manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. This can be accomplished by deploying an ICS security system that detects both rule violations as well as anomalous behavior. This system should be able to detect malicious code activities on the network and on devices, including malware propagation, abnormal communications, network attacks on controllers and direct attacks via connected compromised laptops. Furthermore, real-time alerts enable security staff to mitigate threats before they lead to misoperation or instability.
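The three areas above (inventory, enforced access policy, and detection of rule violations plus anomalous communications) can be illustrated with a small monitoring check. The following is an added example, not code from the original post or from any ICS security product: it evaluates constructed key=value network events from a hypothetical ICS sensor against a constructed asset inventory, a role-based operation policy, and a learned baseline of normal conversations, and reports a finding for each unknown device, each policy violation, and each conversation outside the baseline. The IPs, asset names, roles, operations and log lines are all constructed sample data.

```python
"""Added example: minimal inventory / policy / baseline check over constructed
ICS network events. Not the post's code; all data below is constructed."""

from collections import Counter

# Area 1: the asset inventory. Constructed sample of BES Cyber Assets keyed by IP.
INVENTORY = {
    "10.10.1.10": {"name": "HMI-01", "role": "operator_ws"},
    "10.10.1.20": {"name": "ENG-01", "role": "engineering_ws"},
    "10.10.2.5": {"name": "PLC-FEEDER-A", "role": "plc"},
    "10.10.2.6": {"name": "RTU-SUB-7", "role": "rtu"},
}
CONTROLLER_ROLES = {"plc", "rtu"}

# Area 2: access policy. Which workstation roles may perform which operation
# against a controller; anything not listed is a violation (constructed policy).
ALLOWED = {
    "read": {"operator_ws", "engineering_ws"},
    "write": {"engineering_ws"},
    "program_download": {"engineering_ws"},
}

# Area 3: baseline of (src, dst, op) conversations observed during a known-good
# period (constructed); any conversation outside it is reported as anomalous.
BASELINE = {
    ("10.10.1.10", "10.10.2.5", "read"),
    ("10.10.1.10", "10.10.2.6", "read"),
    ("10.10.1.20", "10.10.2.5", "read"),
}

# Constructed events in a hypothetical 'timestamp key=value ...' sensor format.
LOG_LINES = """\
2019-01-15T08:00:01Z src=10.10.1.10 dst=10.10.2.5 proto=modbus op=read
2019-01-15T08:00:02Z src=10.10.1.10 dst=10.10.2.6 proto=dnp3 op=read
2019-01-15T08:01:00Z src=10.10.1.10 dst=10.10.2.5 proto=modbus op=write
2019-01-15T08:02:00Z src=10.10.9.77 dst=10.10.2.5 proto=modbus op=read
2019-01-15T08:03:00Z src=10.10.1.20 dst=10.10.2.6 proto=dnp3 op=program_download
2019-01-15T08:04:00Z src=10.10.2.5 dst=10.10.2.6 proto=modbus op=read
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    return event


def label(ip, inventory):
    """Human-readable name for an IP, or a marker if it is not inventoried."""
    asset = inventory.get(ip)
    return f"{asset['name']} ({asset['role']})" if asset else f"UNKNOWN {ip}"


def evaluate(event, inventory=INVENTORY, allowed=ALLOWED, baseline=BASELINE):
    """Return a list of (severity, message) findings for a single event."""
    src, dst, op = event["src"], event["dst"], event["op"]
    src_asset, dst_asset = inventory.get(src), inventory.get(dst)
    findings = []

    # Area 1: an endpoint missing from the inventory is itself a finding.
    for ip, asset in ((src, src_asset), (dst, dst_asset)):
        if asset is None:
            findings.append(("high", f"unknown device {ip} in conversation {src}->{dst}"))

    # Area 2: role-based policy for operations against controllers. A controller
    # talking to another controller is not an allowed role either, so it is flagged.
    if src_asset and dst_asset and dst_asset["role"] in CONTROLLER_ROLES:
        if src_asset["role"] not in allowed.get(op, set()):
            findings.append(("high", f"{label(src, inventory)} is not permitted to "
                                     f"{op} on {label(dst, inventory)}"))

    # Area 3: conversations outside the learned baseline, even when policy allows
    # them (e.g. a first-ever program download to a controller).
    if (src, dst, op) not in baseline:
        findings.append(("medium", f"conversation {src}->{dst} {op} not in baseline"))
    return findings


def analyze(log_text):
    """Evaluate every non-empty line; returns (ts, severity, message) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        results.extend((event["ts"], sev, msg) for sev, msg in evaluate(event))
    return results


def summarize(results):
    """Count findings per severity so an operator can triage."""
    return Counter(sev for _, sev, _ in results)


if __name__ == "__main__":
    found = analyze(LOG_LINES)
    for ts, sev, msg in found:
        print(f"{ts} [{sev.upper()}] {msg}")
    print(dict(summarize(found)))
```

On the constructed input the two baseline reads produce nothing, while the operator-workstation write, the uninventoried host, the first-ever program download and the controller-to-controller read each produce findings; the policy and baseline checks are kept separate so that an allowed but never-before-seen action is still surfaced for review rather than silently accepted.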
NERC’s enforcement of security guidelines should be viewed as a minimum-level security blueprint that helps raise the tide and lift the security posture of all electrical and utility providers. For a more detailed report on how to ensure your organization’s compliance with NERC standards, please see our guide on this topic.