The power generation industry in North America is experiencing two major, overlapping cybersecurity challenges: increased threats from external attackers and meeting the requirements of the revised North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard.
Several cyberattack campaigns targeting the electrical grid have been documented recently including Dragonfly 2.0, Industroyer, and Triton/Trisis.
In response to these and other threats, NERC introduced CIP version 5, which classifies systems and assets by High, Medium and Low impact. Most generating stations have been classified as Low impact.
While the only cybersecurity requirement that applies to a Low designation is a method to control “external routable connectivity” (in most cases, a firewall), the Federal Energy Regulatory Commission (FERC) has made it clear that it intends to order increasingly strict cybersecurity controls for the Lows which means that power and grid companies will have to increase their security posture to the new minimum standard in order to be in compliance.
Below are six ways power plants can improve their cybersecurity hygiene and comply with NERC CIP.
Identify/categorize BES devices
Performing ICS device discovery and keeping an up-to-date inventory of them provides a foundation for securing these assets. Common devices include operator and engineering workstations, and controllers (PLCs, RTUs and DCS controllers). It is important to categorize devices, even dormant ones, by model and manufacturer, and include the firmware versions and serial numbers. In the event of a security incident, this information will help accelerate remediation and recovery efforts.
Implement security controls
These controls should include full audits of all ICS activities, notably controller engineering tasks such as logic updates, configuration changes and firmware uploads/downloads. Detailed audits enable power generator owners and operators to establish responsibility and accountability, while preventing malicious or erroneous activities that could lead to mis-operation or instability of the plant.
Identify and log remote access
To minimize the risk of a compromise, it is vital to be able to identify and log machine-to-machine remote access sessions, as well as interactive ones. Alerts should be sent in real time if access activity is new, unauthorized or both–and should provide detailed information on each connection including whether any changes were made. This functionality enables security staff to detect perimeter breaches and ensure system safety.
Monitor physical access
NERC CIP mandates that generators have the capability to identify changes made to controllers by direct physical access, such as employees or integrators connecting to a device with a serial cable or a USB device. The mitigation measures are identical to those of remote access attacks.
To comply with NERC CIP’s recovery plan specifications, organizations must have capabilities that support the continued stability, operability, and reliability of the BES in the event of an attack.
Basic to this plan is maintaining a comprehensive audit trail of changes to all devices on the ICS network, and a record of device baselines through regular “snapshotting”. All this information, which should be backed up and stored offsite, enables a controller or system to be restored to a previously known good state.
Implement change and vulnerability management
Configuration change management enables organization to keep a continuously-updated list of asset inventory as well as the version numbers of all software, patch levels and firmware on ICS controllers. This information can be compared regularly against new vulnerabilities when these are issued. In addition, this capability provides valuable evidence if an audit is needed.
To comply with NERC CIP’s regulation about vulnerability assessments, organizations should conduct a minimum of at least one assessment every 15 months and document their findings. The only way to effectively accomplish this both at the network and device level is to combine network activity monitoring with active device integrity checks.
Following these six steps will not only enable power plant operators to satisfy NERC CIP guidelines, but also establish processes and procedures that can help provide the visibility, security and control to prevent cybersecurity threats from affecting operational technology environments.
About the Author: Mille Gandelsman is CTO of Indegy, where he leads the company’s technology research and product development. Prior to Indegy, he led engineering efforts for Stratoscale and spent several years managing cybersecurity research for Israel’s elite intelligence corps. Mille is an IDF Talpiot graduate with over 15 years of experience in ICS and cybersecurity.