
Tenable Blog


Three Key Ways to Ensure NERC Compliance: The $10 Million Wake Up Call

In January 2019, the North American Reliability Corporation (NERC) fined Duke Energy $10 million for 127 Critical Infrastructure Protection (CIP) and other security violations that occurred between 2015 and 2018.

Most of us expect our energy resources to be as reliable as the sun coming up tomorrow. 

To have that reliability, the energy delivered to our homes, offices and other places needs an electrical utility that operates flawlessly and without failure. 

But many people don’t realize that utilities and other mission-critical operations are ground zero for potential attacks by nation states, rogue factions and, in some cases, even employees with privileged access to those facilities.

Attacker Motives

Attackers have a variety of motives for taking an electrical grid offline, ranging from accidental actions to revenge or terrorism. 

No matter the motive, attackers need minimal resources to launch an attack, and taking the grid offline can cause havoc. 

In 2003, the northeastern United States plunged into a blackout. When overhanging foliage disrupted electrical transmissions, a software glitch failed to trip safeguards to redistribute the load. The failure’s cascading actions caused an outage for 508 facilities that generate power and 265 facilities that distribute power.

Since that incident, safeguards and minimum thresholds have been put in place to enforce standards. For example, the North American Reliability Corporation (NERC) has a goal to “assure the effective and efficient reduction of risks to the reliability and security of the grid.” NERC created guidelines to help ensure the reliability of electrical distribution across the vast areas it serves. 

The introduction of these guidelines in 2016 came none too soon. An attack on a Ukrainian electric utility, which involved the Industroyer malware (aka CrashOverride), and an incident at a Middle Eastern oil and gas refinery, in which attackers used TRISIS malware to exploit a Triconex Safety Instrumented System, underscore the increasing threat of cyberattacks on critical infrastructure.

While there have not been many penalties for failure to comply with the NERC guidelines, in January 2019 the Wall Street Journal reported that NERC fined Duke Energy $10 million for 127 Critical Infrastructure Protection (CIP) and other security violations that occurred between 2015 and 2018. This is more than triple the last fine NERC levied against an organization. 

Many news agencies covering this story cited the interconnectivity and interdependence of grid providers as a clear and present danger that needs to be addressed. Specifically, when one provider does not fully comply with published guidelines, it becomes a weak link in the chain for all other providers. 

So what should utilities and energy providers do to make sure they meet minimum NERC standards? While this is not an exhaustive list, below are three key areas to help comply with NERC standards:

  1. Ensure you can identify and classify the Bulk Electrical Systems (BES) assets in your OT environment. A cardinal principle of cybersecurity states: “You can’t secure what you don’t know exists.” To secure your control systems, as well as to comply with NERC CIP, you should identify what you have. For example, deploy ICS security technology that automatically discovers and maps all of your ICS devices (even dormant ones) and keeps an up-to-date inventory of these assets. This includes operator and engineering workstations, controllers (PLCs, RTUs and DCS controllers) and other devices.
  2. Deploy consistent and sustainable security controls that protect your BES and safeguard against misoperation. Alerting on unauthorized ICS access and activity enforces security management policies and produces a comprehensive audit trail. That audit trail helps generation owners and operators establish responsibility and accountability, as well as prevent malicious or erroneous activities that could lead to plant misoperation or instability.
  3. Manage system security by specifying select technical, operational and procedural requirements that support the protection of BES cyber systems against compromise that could lead to BES misoperation or instability. This can be accomplished by deploying an ICS security system that detects both rule violations and anomalous behavior. This system should be able to detect malicious code activities on your network and devices, including malware propagation, abnormal communications, network attacks on controllers and direct attacks via connected compromised laptops. Furthermore, alerts enable your security staff to mitigate threats before they lead to misoperation or instability. 
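The three areas above map to concrete detection logic: passive discovery of assets from observed traffic (including inventoried devices that never appear, i.e. dormant ones), rule checks such as "only engineering workstations may write to controllers", and anomaly checks such as "an uninventoried host is talking to a controller". The following Python script is an added example written for this post; it is not Tenable code and not a NERC-published procedure. The inventory, the addresses and the flow log lines are constructed sample data, and the Modbus function-code policy is an assumption chosen for illustration.

```python
"""Passive ICS asset inventory plus rule-violation and anomaly alerting.

Added example for the three NERC CIP areas discussed above. Not Tenable
code; all device names, addresses and log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed inventory of known BES cyber assets (hypothetical addresses).
# plc-feeder-02 is inventoried but never seen on the wire (dormant).
KNOWN_ASSETS = {
    "10.0.2.10": {"name": "plc-feeder-01", "role": "PLC"},
    "10.0.2.11": {"name": "rtu-sub-07", "role": "RTU"},
    "10.0.2.12": {"name": "plc-feeder-02", "role": "PLC"},
    "10.0.1.5": {"name": "eng-ws-01", "role": "ENGINEERING_WS"},
    "10.0.1.20": {"name": "hmi-ctrl-01", "role": "OPERATOR_WS"},
}

# Assumed policy: controllers may only be written to by engineering workstations.
CONTROLLER_ROLES = {"PLC", "RTU", "DCS"}
WRITE_ALLOWED_ROLES = {"ENGINEERING_WS"}
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}  # coil/register write function codes

# Constructed flow records in a simple key=value format.
SAMPLE_LOG = """\
2019-01-15T10:00:00Z src=10.0.1.20 dst=10.0.2.10 proto=modbus func=3
2019-01-15T10:00:05Z src=10.0.1.5 dst=10.0.2.10 proto=modbus func=16
2019-01-15T10:00:09Z src=10.0.1.20 dst=10.0.2.10 proto=modbus func=6
2019-01-15T10:00:12Z src=10.0.9.99 dst=10.0.2.11 proto=modbus func=3
2019-01-15T10:00:15Z src=10.0.1.5 dst=10.0.2.11 proto=modbus func=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) func=(?P<func>\d+)$"
)


def parse_log(text):
    """Parse flow records; malformed lines are skipped so one bad line cannot stop the detector."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["func"] = int(d["func"])
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(d)
    return records


def discover_assets(records, inventory):
    """Area 1: passive discovery. Returns (sorted unknown hosts, last-seen timestamp per host)."""
    last_seen = {}
    for r in records:
        for host in (r["src"], r["dst"]):
            last_seen[host] = max(last_seen.get(host, r["ts"]), r["ts"])
    unknown = sorted(h for h in last_seen if h not in inventory)
    return unknown, last_seen


def dormant_assets(last_seen, inventory, now, max_age=timedelta(days=30)):
    """Inventoried assets not observed within max_age; these still need patching and access review."""
    return sorted(ip for ip in inventory if ip not in last_seen or now - last_seen[ip] > max_age)


def check_policy(records, inventory):
    """Areas 2 and 3: rule violations (unauthorized writes) and anomalies (unknown talkers to controllers)."""
    alerts = []
    for r in records:
        dst = inventory.get(r["dst"])
        if dst is None or dst["role"] not in CONTROLLER_ROLES:
            continue  # only traffic toward controllers is policed here
        src = inventory.get(r["src"])
        if src is None:
            alerts.append(("ANOMALY", f"unknown host {r['src']} talking to {dst['name']}"))
        elif r["proto"] == "modbus" and r["func"] in MODBUS_WRITE_FUNCS \
                and src["role"] not in WRITE_ALLOWED_ROLES:
            alerts.append(("RULE_VIOLATION",
                           f"{src['name']} ({src['role']}) wrote func {r['func']} to {dst['name']}"))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    unknown, seen = discover_assets(recs, KNOWN_ASSETS)
    print("unknown hosts:", unknown)
    print("dormant assets:", dormant_assets(seen, KNOWN_ASSETS, datetime(2019, 1, 15, 10, 1)))
    for kind, msg in check_policy(recs, KNOWN_ASSETS):
        print(kind, msg)
```

On the sample data the script reports one uninventoried host, one dormant PLC, one rule violation (the operator HMI issuing a Modbus write) and one anomaly (the unknown host reaching an RTU). In practice the inventory would be fed from a discovery tool and the flow records from a network sensor; the point is that each of the three CIP areas reduces to a check that can be automated and audited.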

NERC’s enforcement of security guidelines should be viewed as a minimum-level security blueprint to help raise the tide and lift the security posture of all electrical and utility providers. 

Learn more

Download this white paper to learn more about the NERC-CIP dashboards and reports available in SecurityCenter Continuous View.
