Protecting Critical Cyberassets Through NERC CIP Mandates

by Todd Nicholson, Industrial Defender

For a bulk electricity provider, developing and maintaining a strong cybersecurity posture can be challenging for many reasons.

Systems used for the safe, reliable operation of bulk electric power infrastructure are known as industrial control and supervisory control and data acquisition (SCADA) systems. They were designed and installed 15 years ago–before the Internet age and without cybersecurity in mind. These systems were air gapped, meaning they were not connected to anything outside the four walls of the protected plant environment.

Current integration of critical infrastructure and business information networks is introducing new cybersecurity risks and vulnerabilities. Many of these systems operate critical components of the electric power grid to facilitate generation, transmission and distribution (T&D).

A January 2003 incident underscores the type of vulnerabilities these systems experience. An unknown source released the SQL Slammer Worm that disrupted many Internet services for several hours. It also affected the bulk electric system controls of at least two electric power entities.

No unintentional control system actions or service interruptions occurred, but for several hours both electric power entities lost their ability to execute operations from their primary control centers.

Another incident that year affected the reliability and availability of the bulk electric system. The 2003 blackout caused power outages for more than 50 million people in the northeastern corridor of the United States and Canada. Though the cause was not directly attributable to cybersecurity, its far-reaching effect further demonstrates the need to improve reliability and availability of the current bulk electric system.

The North American Electric Reliability Corp. (NERC), a not-for-profit designed to “ensure that the bulk electric system in North America is reliable, adequate and secure,” submitted to the Federal Energy Regulatory Commission (FERC) on Aug. 28, 2006, eight critical infrastructure protection (CIP) reliability standards to safeguard critical cyberassets (CCAs). The purpose of the standards is to ensure that all entities responsible for the reliability and availability of the North American bulk electric system identify and protect CCAs that control or could impact bulk electric system reliability. The NERC CIP standards became mandates Jan. 17, 2008, and bulk electricity entities found noncompliant may be penalized up to $1 million per day, per violation, depending on a violation’s severity.

Several elements of the NERC CIP standards focus on cybersecurity challenges associated with protecting the bulk electric system, including electronic security perimeter (ESP) protection (CIP-005) and systems security management (CIP-007).

The CIP-005 standard requires identification and protection of the ESP(s) in which all CCAs reside, as well as all perimeter access points. This should also include documentation of all communications that pass through the ESP. External access to all cyberassets within this perimeter must be controlled, monitored and logged 24/7/365. Additionally, security monitoring should detect and alert for unauthorized attempts to access the network.

The CIP-007 standard requires responsible entities to define processes and procedures for securing systems that are determined to be CCAs, as well as noncritical cyberassets residing within the ESP(s).

It is recommended that bulk electricity asset owners and operators take a defense-in-depth approach to securing CCAs within the control system environment and meeting the CIP-005 and CIP-007 requirements. Hardware and software solutions are available to help asset owners satisfy requirements. A defense-in-depth cybersecurity solution, which is deployed within the control system environment, consists of a layered cybersecurity approach with the following:

- Universal threat management (UTM): A UTM device is an appliance used to secure the ESP. It is a firewall device with enhanced features including stateful packet inspection, network anti-virus protection, network intrusion-detection system (NIDS), intrusion-prevention system (IPS) and additional built-in authentication mechanisms. A UTM device also may be used to establish a demilitarized zone (DMZ) network that sits between the corporate information technology network and the control system network. This network configuration enables users to access real-time plant data in the DMZ area without having to directly access the industrial control system or SCADA network.

- NIDS: The NIDS is a network sensor appliance device that can detect attacks, rogue systems and unauthorized traffic within the perimeter of the industrial control or SCADA network. The NIDS sensor also can detect new devices that are added to the network, such as a laptop accessing the network through a wireless access point.

- Host intrusion-detection system (HIDS): HIDS sensors protect host devices that reside on the network and can detect control-application problems, internal or external intrusions and performance bottlenecks on critical servers or human-machine interfaces. HIDS sensors are available on various computing platforms that use Unix, Linux or Windows operating systems. HIDS devices can monitor specific control-system applications and report on platform-specific events, including failed login attempts, password age, user login counts, event logging and the detection of removable media.

- Secure-line sharing switch (SLSS): Bulk electricity providers have a network of electric substations to transmit and distribute power to commercial and home users. Many North American substations use dial-up technology to communicate. An SLSS may be used to monitor dial-up telephone lines for communication to CCAs that require dial-up connectivity.

- Security event management (SEM): The SEM console is used for network monitoring, control, alarm management, analysis, storage and reporting of security and performance information. It also is capable of capturing historical data that can be used to create data analysis trends, graphs and reporting. The SEM device also may be used to support the NERC CIP compliance auditing process with its reporting capability.
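An added example, not part of the original article: a check that a first-match firewall rule base keeps the DMZ described under the UTM item as the only path between the corporate and control system networks. The address plan, rule names and ports are constructed for illustration.

```python
import ipaddress as ip

# Constructed address plan (assumption, not from the article).
CORPORATE = ip.ip_network("10.10.0.0/16")
CONTROL = ip.ip_network("10.30.0.0/16")   # control system / SCADA network

# Constructed first-match rule base on the UTM device:
# (name, action, source, destination, destination port or None for any)
RULES = [
    ("corp-to-dmz-historian", "allow", "10.10.0.0/16", "10.20.0.10/32", 443),
    ("control-to-dmz-historian", "allow", "10.30.0.0/16", "10.20.0.10/32", 8443),
    ("vendor-exception", "allow", "10.10.5.0/24", "10.30.1.0/24", 3389),
    ("block-corp-to-control", "deny", "10.10.0.0/16", "10.30.0.0/16", None),
    ("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def overlap(a, b):
    """CIDR blocks either nest or are disjoint: return the narrower one, or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def direct_paths(rules, src_zone=CORPORATE, dst_zone=CONTROL):
    """Allow rules that let src_zone reach dst_zone without passing the DMZ.

    A rule is reported unless one earlier deny rule fully covers it, since the
    device stops at the first match. Cover by several denies combined is not
    modelled, so the check errs toward reporting.
    """
    findings, denies = [], []
    for name, action, src, dst, port in rules:
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        s, d = overlap(src, src_zone), overlap(dst, dst_zone)
        if s is None or d is None:
            continue                      # rule does not touch this zone pair
        if action == "deny":
            denies.append((src, dst, port))
        elif not any(s.subnet_of(ds) and d.subnet_of(dd) and dp in (None, port)
                     for ds, dd, dp in denies):
            findings.append((name, str(s), str(d), port))
    return findings

if __name__ == "__main__":
    for finding in direct_paths(RULES):
        print("direct corporate-to-control path:", finding)
```

In the constructed rule base the exception rule sits above the deny that was meant to block it, so it is reported; moving the deny above it clears the finding.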

Another option is to employ a third-party, cybersecurity monitoring service to enhance the posture of the control system network environment. The service monitors, manages and reports on the cybersecurity environment through a 24/7/365 security operations center staffed with industrial control and SCADA system security experts. Each bulk electricity asset owner and operator maintains a unique power generation and T&D environment that requires a comprehensive cybersecurity solution to protect against risks and vulnerabilities and meet the NERC CIP mandates.

Currently, the most effective way to address cybersecurity concerns associated with this environment is to implement a layered, defense-in-depth cybersecurity strategy.

Todd Nicholson is chief marketing officer of Industrial Defender. He has more than 17 years of experience in corporate and product marketing, product strategy, business development and sales working for emerging and mature technology companies including Digital Equipment, EMC, IBM and InfiniSwitch. He has a bachelor of science in business administration from Nichols College. Reach him at

Why Electric Utilities Must Reassess Security Practices

by Matt Hines, Core Security Technologies

As with most organizations, electric utilities have a daunting task in warding off the many cyberattacks that manifest themselves throughout information technology infrastructure, applications and devices. What differentiates electricity providers from companies in industries that do not support critical grid operations, however, is that successful attacks carried out on electricity systems can result in catastrophes beyond primary cybersecurity challenges such as protecting electronic data.

Electric utilities are likely the last constituency that needs reminding of the potential impact interruptions pose to their services. Much of their operational focus and spending has ensured their assets and facilities remain locked down behind stout, physical defenses from razor wire to motion-detecting cameras. Uptime and availability were priorities in this space long before the age of information technology ever dawned and the terms became underlying goals within almost every industry.

Electric companies have had to worry about attackers cutting their lines or otherwise physically disabling their services. The range of threats that can be modeled using information technology systems–in particular, the ability to deliver targeted, sophisticated attacks over public-facing networks including the Internet–offers would-be assailants the opportunity to disrupt electric grids from anywhere in the world.

Senior CIA analysts reported in January 2008 that the agency had conclusive evidence of targeted cyberattacks against electricity providers in other regions of the world, including campaigns that had affected entire cities. While this threat aimed specifically at electricity providers has advanced, risks posed by the spiraling complexity of information technology operations throughout these same organizations have grown exponentially.

Some fail-safe measures established to keep grids running after Sept. 11 and Hurricane Katrina–increased adoption of remote-access capabilities and information technology-driven failover applications, for example–have also broadened the range of threat vectors available to cyberattackers.

On another front, researchers including those from Core Security’s CoreLabs research group recently discovered that attackers could remotely exploit multiple vulnerabilities throughout critical infrastructure technologies, including the same SCADA systems used by many utilities. CoreLabs, when providing vulnerability data to providers of the involved systems, also observed that the SCADA vendors had insufficient processes to respond to such reports and protect their customers.

The processes and technologies electric companies use to address these security challenges must be multifaceted, comprehensive and proactive.

In addition to the layered, defensive, information technology security protections electric companies already have adopted–anti-virus, intrusion detection, gateway filtering and access control systems–electric companies must engage in exhaustive information technology vulnerability-management efforts to protect operations and prepare their information technology infrastructure for future required compliance audits under the NERC CIP mandate.

This more proactive method of vulnerability management should include elements ranging from strict policy enforcement that keeps systems, including SCADA technologies, from exposure to public-facing networks, as product makers demand, to the scoping of security vulnerabilities across all of their information technology infrastructure, endpoint devices and applications.

Electric utilities must also adopt more rigorous, internal information technology application-development controls, including the use of source code analysis tools, network and application vulnerability scanning technologies, as well as regular, extensive penetration testing to minimize coding errors, improper configurations and other weaknesses that could allow unauthorized parties to infiltrate operations and carry out attacks.

As with protecting their physical grid operations from attacks, utilities must aggressively layer defensive information technology security solutions and use vulnerability-management practices, including penetration testing, to close off any potential Achilles’ heel in their information technology operations and those of their business partners.

Matt Hines is marketing communications manager at Core Security Technologies, a Boston-based maker of security-testing software. Prior to joining Core Security, Hines worked for more than a decade as a reporter and blogger following the information technology security sector for publications including Dow Jones, CNET, eWeek and InfoWorld.
