Exceeding Compliance Standards for Smart Grid Security
By Jim Guinn, II, Accenture
The danger of cyberattacks on electric power networks is no longer theoretical. As cyber threats proliferate, utilities, regulators and governments are grappling with how best to respond.
The evolution of smart grid technology that connects information technology (IT) with operational technology (OT), energy management systems and consumers has opened up new avenues of attack and potentially more vulnerabilities. The rise of distributed energy sources and decentralized generation across the network further increases the risk.
Breaches by a wide range of potential attackers could have devastating impacts along the entire electricity value chain, from generation to consumers. Effective responses to secure smart grids against potential cyber breaches are both imperative and urgent.
As many in the electricity industry know, the North American Electric Reliability Corp. (NERC) has created a series of critical infrastructure protection (CIP) standards to improve the reliability and security of the U.S. power grid. All U.S. bulk electric system owners and operators must comply. The standards apply to multiple components including generation, substations and energy management systems, and cover both physical and IT cybersecurity.
With the NERC standards in place, U.S. utilities face a challenge of at least two parts. First, they must achieve CIP standards, an expensive but essential task. Secondly, and maybe more importantly, they must go beyond the CIP standards, doing even more to protect critical infrastructure assets from attacks.
As the recent details around the CrashOverride and Industroyer attacks in the Ukraine have shown, power grids, including those in the U.S., are targets of adversaries’ malicious intent. A successful attack could subject large populations to major power outages, as well as cause enormous business disruption and economic damage.
Assessing the Situation
An effective NERC CIP compliance program begins with a comprehensive assessment of the utility’s own state of preparedness and its current risk factors. In this phase, the utility categorizes its major assets, identifies compliance requirements and determines where gaps exist. The utility typically then ensures that robust processes are in place to manage those gaps and report on progress in closing them. This entails defining and executing remediation plans, with clear priorities established, and addressing the gaps in a consistent and timely fashion with documented and audited results.
As the NERC guidelines make clear, however, compliance is an ongoing process rather than a one-time event. As new threats emerge, so will new standards, and utilities must have the security and compliance skills and resources in place to keep up.
Getting the Right Capabilities in Place
To respond to both identified CIP challenges and those on the near horizon, utilities should adopt repeatable process engineering that alerts an enterprise when identified exceptions (defined as changes that trigger notification) are due to expire and when remediation plans are overdue. This can make exception management, evidence collection, validation and reporting both repeatable and automated.
Another important capability is access to on-demand or liquid services, which can flex up and down to provide optimal management of operational costs and overheads. While CIP controls require ongoing oversight, many compliance activities, such as access and authorization reviews, cybersecurity vulnerability assessments, incident response planning and recovery planning, are periodic, with peaks and troughs in activity. Using on-demand services helps utilities focus their people on core roles while realizing significant cost efficiencies.
Reaching Optimal Protection
Utilities are at varying stages along a CIP maturity curve. Some are merely maintaining compliance with NERC CIP standards, while others have achieved compliance and are working on sustainability and automation initiatives. The optimal level is the implementation of advanced security for high-risk assets. At this level, utilities have greater operational control, improved situational awareness, lower risk, better control of operations and maintenance costs, and are better prepared for the impact of future disruptive technologies. Most importantly, these utilities have stronger power grid protection and are less likely to experience a catastrophic event.
Following are the four steps to a state of advanced security for utilities:
1. Understand the current NERC posture. Utilities should diagnose their NERC posture through an analysis of their processes and controls. To do this, they should develop an in-depth understanding of the audit trail before developing an end-to-end process to obtain the required evidence of compliance.
2. Establish a sustainability strategy and governance framework. An important part of the sustainability strategy is determining which staff members’ roles and responsibilities include continually assessing the effects on the organization of new NERC standards.
3. Create an actionable plan for creating foundational components. As mentioned above, the foundational components of a sustainable program, such as automated and repeatable processes and evidence collection to demonstrate compliance, should be in place in anticipation of new standards.
4. Begin industrializing key NERC CIP processes. The utility should initially target high-value areas, which are those determined by an assessment to pose the greatest need for manual efforts and highest potential for a cyberattack.
These are important steps toward a sustainable NERC CIP compliance program, but there are additional actions that utilities should take to reach the goal of advanced security. Attackers have routinely breached infrastructures in the financial services and retail sectors that were 100 percent compliant with regulations.
A manual process that tracks access authorizations, for example, might meet CIP standards but be prone to errors. An automated identity-and-access management system provides better protection and advances the goal of advanced security. Similarly, simply logging security events from devices might comply with current standards, but greater protection requires a security monitoring system that integrates with a broader cybersecurity operations center, along with a security information and event management (SIEM) platform that correlates operational technology and information technology events. This automatically alerts cybersecurity specialists to any sequence of related events that might indicate a wider breach.
Compliance with the NERC CIP program is mandatory for U.S. utilities and can serve as the foundation for enhanced security throughout the enterprise. The ultimate objective, however, should be a state of advanced security, going beyond the compliance checklist to protect the power grid and the people who depend upon it. Otherwise, as demonstrated by CrashOverride and Industroyer, when an adversary’s cyber capabilities match their malicious intentions, grids will be compromised.
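A minimal illustration of the IT/OT event correlation the paragraph describes, written as an added example (not code from the article, from Accenture or from any SIEM product): a sensitive OT action is flagged when it is preceded, within a time window, by IT-side access events for the same identity. The log format, hostnames, user names and action names are all constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events (not from the article).
# Fields: timestamp|domain|host|user|action
SAMPLE_LOG = """\
2017-06-12T01:02:10|IT|corp-vpn01|jsmith|vpn_login
2017-06-12T01:05:42|IT|eng-jump01|jsmith|rdp_login
2017-06-12T01:09:17|OT|sub7-hmi|jsmith|relay_setting_write
2017-06-12T03:30:00|IT|corp-vpn01|aturner|vpn_login
2017-06-12T09:15:00|OT|sub3-hmi|ops_local|relay_setting_write
"""

Event = namedtuple("Event", "ts domain host user action")

# Hypothetical OT action names that alter protection or switching state.
SENSITIVE_OT_ACTIONS = {"relay_setting_write", "breaker_control"}


def parse(log):
    """Parse the constructed pipe-delimited format into time-ordered events."""
    events = []
    for line in log.strip().splitlines():
        ts, domain, host, user, action = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), domain, host, user, action))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=30)):
    """Return (ot_event, [preceding IT events]) pairs where a sensitive OT
    action follows IT-side activity by the same user inside `window`.

    Caveat for the defender: the join key is the user name, so OT actions
    taken under shared local HMI accounts (ops_local below) cannot be tied
    back to an IT session and produce no alert; cross-domain identity is a
    prerequisite for this kind of correlation.
    """
    alerts = []
    for ev in events:
        if ev.domain != "OT" or ev.action not in SENSITIVE_OT_ACTIONS:
            continue
        chain = [p for p in events
                 if p.domain == "IT" and p.user == ev.user
                 and ev.ts - window <= p.ts < ev.ts]
        if chain:
            alerts.append((ev, chain))
    return alerts


if __name__ == "__main__":
    for ot_event, chain in correlate(parse(SAMPLE_LOG)):
        print(f"ALERT {ot_event.host} {ot_event.action} by {ot_event.user}; "
              f"preceded by {[c.action for c in chain]}")
```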
Jim Guinn, II, is managing director, cybersecurity leader for energy, utilities, chemicals and mining, Accenture Security. Guinn has more than 25 years of deep industry experience and business acumen, and he plays a strategic role in setting the direction and overseeing the delivery of operational and enterprise security solutions for Accenture’s Resources business. Cybersecurity is at the core of Guinn’s experience; he specializes in securing assets from industrial control systems to enterprise applications, including the implementation of these systems for large-scale energy and utility organizations. Guinn has a proven track record of assisting companies with their business strategies through execution across the entire hydrocarbon and mineral value chain.