By Gary Sevounts, Symantec Corp.
SCADA/EMS and DCS systems were initially designed with reliability in mind, rather than security. As business information systems are increasingly integrated with these control systems, power grids are exposed to more potential vulnerabilities, making it more critical than ever to build a more secure power system. While the increase in integrated information is a key factor in the success of utility business transactions, it also creates opportunities for attack.
Proper security measures must be taken to ensure that power system availability is not compromised and that newly discovered vulnerabilities do not leave the system exposed. Engineering, operations and IT departments must collaborate to secure the power grid so that consumers are not put at risk and, more importantly, do not experience disruption to their utility services. Utilities struggle with the cost of employing an around-the-clock IT manager, yet those very managers are integral to securing systems, because they identify and reduce the risks associated with the growing number of vulnerabilities.
Awareness and compliance are necessary for the power industry to be successful in securing their collective, interconnected systems. The industry-established North American Electric Reliability Corporation’s (NERC) critical infrastructure protection (CIP) standards, known as “NERC CIP,” comprise a set of guidelines the industry can follow to mitigate risks and vulnerabilities surrounding the power and energy industry. By encompassing the merits of both security technologies and good investments in processes, people and awareness, NERC CIP is intended to help electric organizations close gaps between their current compliance postures and an enhanced posture safeguarding both security and asset availability.
Complying with NERC CIP Standards
There are five steps an organization must undertake to comply with NERC CIP standards. The first step is critical asset identification and risk assessment. When the initial risk assessment is performed, vulnerabilities in the network can be identified and security gaps in the SCADA environment can be closed. Step two requires security policy creation and updates. Policies should be developed with the unique nature of each business, organization and network in mind, and administrators must monitor and enforce compliance with them.
The third step calls for disaster recovery planning. Backup and restoration procedures must be assessed to ensure that power operations continue uninterrupted when a vulnerability is exposed or exploited. Step four requires deployment of protective measures, that is, security and recovery controls. These measures bring networks into compliance with the policies identified in step two. The fifth and final step is to monitor and manage networks on a regular basis to ensure compliance with NERC CIP, and to improve the organization's compliance posture as it matures.
Organizations following the recommended five steps to NERC CIP compliance may also tailor each step to their continued benefit. When implementing NERC CIP standards, administrators should be aware of the different roles each entity plays in power system operation. It is critical that assets are protected and that vulnerabilities are identified and handled. According to NERC, Standards CIP-002 through CIP-009 should be applied using reasonable business judgment.
NERC Standards: CIP-002 through CIP-009
NERC developed its critical infrastructure protection standards to protect electric utilities from cyber attacks. Standards CIP-002 through CIP-009 were designed to provide a secure framework for the identification and protection of critical assets to support reliable operation of the bulk electric system. These guidelines currently replace the temporary precautions adopted in 2003 and 2004 as the NERC Cyber Security Standard 1200 and 1300, respectively. The eight NERC standards are:
CIP-002: Critical Cyber Asset Identification calls for organizations to identify and document critical cyber assets that support the reliable operation of the bulk electric system. The risk assessment should include an assessment of operational risk and network vulnerability. In addition, all policy documentation should be reviewed to determine its effectiveness in policy and practice, followed by a gap analysis and security awareness review.
To meet all the requirements of CIP-002, organizations must define and catalog all critical assets as well as all critical cyber assets. The asset inventories should then be reviewed quarterly to ensure their relevance.
CIP-003: Security Management Controls calls for organizations to have minimum security management controls in place to protect critical cyber assets. It begins with a security policy that clearly states executive management’s commitment to security and covers the security principles, standards and regulatory requirements to which the organization is subject. In addition, an information classification scheme should be defined and applied to all data related to critical cyber assets, and centralized authentication mechanisms must be put in place to provide the technology base for security management controls. Finally, change management and change control processes, as well as policy creation and management tools, can be implemented to comply with this standard.
CIP-004: Personnel and Training requires that personnel having authorized remote network or unescorted physical access to critical cyber assets have an appropriate level of personnel risk assessment, training and security awareness. To meet this standard, security awareness programs, background checks, access rights management processes and reviews, and security training must all be implemented.
CIP-005: Electronic Security Perimeter calls for the identification and protection of the electronic security perimeter inside which all critical cyber assets reside as well as all access points on the perimeter. Tools such as network firewalls, VPNs, two-factor authentication, encryption and vulnerability assessment tools can help ensure perimeter security.
CIP-006: Physical Security requires the implementation of a physical security program for the protection of critical cyber assets. This standard can be met by implementing a physical security plan, conducting regular document reviews, establishing physical access controls, and logging and monitoring physical access to areas containing critical cyber assets.
CIP-007: System Security Management calls for organizations to define methods, processes, and procedures for securing the systems determined to be critical cyber assets as well as the non-critical cyber assets within the electronic security perimeter. Security patch management, malicious software prevention solutions, cyber vulnerability assessment tools, security status monitoring technologies, and procedures for the proper disposal and redeployment of decommissioned systems can facilitate compliance with this standard.
CIP-008: Incident Response ensures the identification, classification, response and reporting of cyber security incidents related to critical cyber assets. Meeting this standard requires a comprehensive, well-defined incident response plan and documentation.
CIP-009: Disaster Recovery ensures that recovery plans are in place for critical cyber assets and that these plans follow established business continuity and disaster recovery techniques and practices. Such a recovery plan must be accompanied by backup and restore tools to ensure recovery, and testing of recovery processes as well as of backup media.
Compliance is mandatory for all organizations responsible for planning, operating, and using the bulk electric system. NERC states that maintaining power system reliability is necessary both to ensure a robust competitive marketplace for electricity and to protect the public health, welfare and safety. Failure to comply with NERC reliability standards could place markets and end-use customers at risk and jeopardize the security of the interconnected electric system.
Complying with the standards usually does not require an initial investment in new technology products or services. Organizations can utilize existing firewalls, antivirus, intrusion detection systems, and similar tools that have already been validated for use in a DCS/SCADA environment. All entities associated with power systems, and with keeping them secure, will benefit from the expertise and guidelines that NERC has set to protect our nation’s critical power infrastructure.
As senior director of industry solutions for Symantec Corp., Gary Sevounts is responsible for the definition and introduction of enterprise security solutions in the electric power industry. With more than 13 years of experience in information technology including five years in information security, Sevounts has been at the forefront in designing effective practices to assist utilities in complying with NERC CIP standards.
Five Steps to NERC CIP Compliance
- ID critical assets and assess risks.
- Create/update security policy.
- Develop disaster recovery plan.
- Deploy protective measures.
- Monitor and manage networks on a regular basis to ensure compliance.