
Wed, Oct 5

Safeguarding Critical Infrastructure, Information Security, Operational Resiliency and Regulatory Compliance

Advanced technology enables power utility infrastructure to transform into smart utilities by increasing transmission capacity, connectivity, sensing and self-healing capabilities. In the past decade, the utility industry has undergone a massive transformation, with the convergence of Information Technology (IT) and Operational Technology (OT), legacy power-generation assets, digital renewable energy sources and distribution systems. While this trend of integrated grid connectivity has pushed the industry towards higher efficiency, emission reductions and sustainable power generation, it has also made the industry vulnerable to security and cyber threats.

To safeguard critical infrastructure, strengthen information security, enhance operational resiliency and meet regulatory compliance, it is becoming mandatory for utility companies to improve their cyber security levels and adhere to North American Electric Reliability Corporation (NERC) compliance. NERC, a voluntary organization, was formed on June 1st, 1968 to promote and implement security standards in utility companies.

NERC and its Asset allocation

Through its Critical Infrastructure Protection standards, known as NERC CIP, NERC acts as a regulatory authority that ensures appropriate security controls for critical infrastructure and sets stringent standards to protect the Bulk Electric System (BES) and its users and customers. The CIP standards provide a cybersecurity framework to identify and secure critical assets that can impact the efficient and reliable supply of electricity across North America's BES.

NERC reliability standards can monitor and protect the following parts of the utilities ecosystem:

  • Bulk Electric System: Generation Plants, Transmission Stations, Transmission Lines, Transmission Towers
  • Critical Assets: Generation Plants, Transmission Stations, Control Center
  • Cyber Assets: Supervisory Control and Data Acquisition Systems (SCADA), Energy Management Systems (EMS), Distributed Control Systems (DCS)

NERC Current Standard and its implication

In 2003, the largest Northeast blackout took place on the power grid of the United States and Canada. The blackout affected an estimated 50 million people, and NERC onboarded a technical team to investigate the outage. As a result, the Critical Infrastructure Protection (CIP) standards evolved into a more stringent standard to protect the utility systems of the North American power grid.

NERC CIP V6 is the most recent version of the policy guidelines by which critical cyber assets must be protected, whereas NERC CIP V5 is built on top of CIP 2, with strong security to enhance the reliability of the Bulk Electric System.

CIP Version 5 Standards

Advanced technologies such as IoT, AI and RPA increase the volume of data in the system and also increase the exposure to cyber risk. CIP V5 was introduced to reduce cyber risk. CIP V5 focuses on monitoring network access control and third-party remote access [2]. The applicability of the CIP V5 security standards is listed below.

| Standard | Category | Purpose | Level of impact |
|---|---|---|---|
| CIP-002-5 | BES [3] Cyber System Categorization | Process that identifies all BES Cyber Systems impacting the Bulk Electric System | High, Medium, or Low |
| CIP-003-5 | Security Management Controls | Documented cyber security policies | High and Medium |
| CIP-004-5 | Personnel and Training | Training content on cyber security policies; physical & electronic access controls, handling of BES Cyber System Information and its storage | |
| CIP-005-5 | Electronic Security Perimeter | Policies for External Routable Connectivity | High and Medium |
| CIP-006-5 | Physical Security of BES Cyber Systems | Policies for physical security plans that include the applicable specified requirements | High and Medium |
| CIP-007-5 | Systems Security Management | Standard for system security by specifying technical, operational, and procedural requirements | High and Medium |
| CIP-008-5 | Incident Reporting and Response Planning | Reportable Cyber Security Incident plan | High and Medium |
| CIP-009-5 | Recovery Plans for BES Cyber Systems | Control procedure to protect data and supply data for the investigation of an event requiring execution of a BES Cyber System recovery plan | High and Medium |

CIP Version 6 Standards

Malware threats in the supply chain have been increasing day by day, and in July 2015 FERC issued a Notice of Proposed Rulemaking (NOPR) to modify and update the CIP Version 5 standards on low impact BES cyber assets, removable devices, transient cyber assets and communication networks. The proposed V5 modifications are considered CIP V6 [4].

List of modifications

| Standard | Category | Purpose |
|---|---|---|
| CIP-003-6 | Security Management Controls | Protect BES cyber system |
| CIP-004-6 | Personnel & Training | Training and security awareness to protect BES cyber system |
| CIP-006-6 | Physical Security of BES Cyber Systems | BES cyber system physical access management |
| CIP-007-6 | Systems Security Management | Technical, operational, and procedural requirements to protect BES cyber system |
| CIP-009-6 | Recovery Plans for BES Cyber Systems | Recovery plan for BES Cyber System's reliability functions |
| CIP-010-2 | Configuration Change Management and Vulnerability Assessments | Requirement to manage transient assets and removable media, and to protect from and detect unauthorized changes |
| CIP-011-2 | Information Protection | Prevent unauthorized access to BES cyber systems |

In addition to the modifications, below are the new terms proposed by NERC:

  • Transient Cyber Asset and Removable Media
  • Revised BES Cyber Asset (BCA)
  • Protected Cyber Asset (PCA)
  • Removable Media
  • Transient Cyber Asset
  • Low Impact BES Cyber System Electronic Access Point (LEAP)
  • Low Impact External Routable Connectivity (LERC)

Utilities Challenges in Transforming from CIP V5 to CIP V6

  • High infrastructure cost – To upgrade to CIP V6 and preserve asset ratings, Utilities Service Providers are required to upgrade to advanced technology, platforms and field devices.
  • Potential budgetary impact from scope expansion.
  • The upgrade from CIP V5 to CIP V6 would require Utilities to include a Change Management process covering People, Process and Technology.
  • Implementation of security policy on on-premises and cloud infrastructure for multi-technology IT environments.
  • Streamlining decentralized identity and access management across Smart Grid and Dynamic Load Control (DLC) systems, Supervisory Control and Data Acquisition (SCADA), Industrial Control Systems (ICS), advanced metering infrastructure, transmission assessment and other critical applications for running the utility business.
  • Investment to meet the security maturity curve as per utilities benchmarking.
  • Developing and implementing methods for transient assets and removable media, and to protect from and detect unauthorized changes.
  • Utilities Service Providers are facing difficulties incorporating the vast NERC CIP scope within the stipulated deadline and run the risk of incurring high infrastructure and service costs.

Conclusion

The aim of NERC CIP is to standardize mandatory security, set a cyber security baseline for utilities, and promote education and training of industry personnel on system and security awareness. NERC is invested in updating the NERC CIP standards to incorporate policy weaknesses, strengths, risk and operational impact on industry and manpower. Over the past decade, we have seen more and more utility companies incorporating automatic NERC compliance into their business strategy to align their organization with regulatory compliance and safeguard against cyber threats.

Sources

  1. https://www.energy.gov/oe/services/electricity-policy-coordination-and-implementation/august-2003-blackout
  2. https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-005-5.pdf
  3. https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-002-7_Technical_Rationale_01222021.pdf
  4. https://www.nerc.com/pa/Stand/CIP0066RD/CIP_Implementation_Plan_CLEAN_FERC_03112015.pdf
  5. https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/Order_Version5_CIP_RM13-5_20131122.pdf
  6. https://www.nerc.com/pa/CI/Pages/Transition-Program.aspx
  7. https://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Petition%20-%20CIP%20V5%20Directives.pdf
  8. https://www.tripwire.com/state-of-security/regulatory-compliance/nerc-cip/hello-there-nerc-cipv6/
