
What are NERC CIP Supply Chain Standards? An Overview of New Compliance Regulations

On October 1, 2022, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) “Supply Chain Standards” will go into effect. According to NERC, the new regulations are meant to provide guidance for supply chain risk management (SCRM) focused on software integrity and authenticity, vendor remote access protection, information system planning, and vendor risk management and procurement controls.

Compared to many other critical industries, electric utilities are ahead of the curve when it comes to implementing cybersecurity best practices. Power grids have evolved from relying on large, centralized power plants to allowing distributed energy production, including smaller regional suppliers, renewable energy sources and private contributors with solar panels on their homes. Digitalizing the power grid enables electric utilities to better track energy production and consumption and to keep the power grid stable.


Digital transformation is a source of new risks despite the many positives it delivers to utilities.

Historically, substations used simple mechanical devices to monitor and control the power grid. Today, these devices have been replaced with networked controllers that report the measurements to a SCADA control center and can initiate control actions remotely. This shift requires connectivity to remotely access the substation networks.

The events stemming from SolarWinds and Log4j have shone a light on supply chain risks. Third-party contractors are also a source of risk: they may inadvertently bring infected equipment into the facility or onto the network, or ignore other security policies.

As utilities work to comply with these new standards, they should consider how they can automate tracking all of their cyber assets, their configurations and changes; for example, by monitoring the maintenance operations of remote or on-site engineers. Ideally, a SCRM program will not only alert utilities to threats but can also facilitate secure access to critical assets. With that in mind, let’s explore how utilities can put these new standards into practice.


CIP-013-2: Supply Chain Risk Management

This first standard focuses on supply chain risk management. Organizations will be required to develop a risk management plan that addresses processes for internal and external risks. These internal processes include identifying and assessing cybersecurity risks from vendors’ products and services, verifying software integrity and authenticity, and enforcing controls for vendor-initiated remote access. The external processes will require vendors to notify utilities of cybersecurity incidents and to disclose product vulnerabilities.

However, there are many vendors that do not yet provide proactive vulnerability disclosure. It could be that these new NERC CIP standards will serve as a forcing function to motivate vendors to take a proactive approach with vulnerability disclosure; otherwise, electric utilities may need to re-evaluate their vendor relationships.

The good news is that once this type of vendor reporting is mandated and information about vulnerabilities becomes publicly available via CVEs, then the electric utilities can begin to continuously monitor for vulnerabilities that apply to their devices.

Identifying vulnerable devices is only the start. The key to minimizing risk is how quickly vendors can patch their vulnerabilities and how quickly utilities can implement these patches. It is notoriously difficult to patch devices in operational technology (OT) environments because they require downtime that utilities cannot afford. Consequently, utilities may need to consider other mitigation techniques, such as continuous network monitoring to detect attacks, network segmentation and zero trust security to minimize the risks of vulnerable assets that cannot be patched.


CIP-005-7: Electronic Security Perimeter(s)

This standard provides more specific and prescriptive requirements to control unauthorized access. Establishing an electronic security perimeter includes enforcing inbound and outbound access controls and monitoring network traffic to detect malicious communications.

This standard also provides guidance for establishing remote access management, including encryption, multi-factor authentication, monitoring for active remote access sessions and methods for terminating active remote access sessions. As a baseline, utilities need to be able to track connections and alert to unwanted behavior. More granular capabilities could include integration with network infrastructure or endpoints to set dynamic access control rules or to respond to threats, either automatically or with human interaction.


CIP-010-4: Configuration Change Management and Vulnerability

This third standard is intended to prevent and detect unauthorized changes to systems, as well as further protecting these systems with vulnerability assessment. Configuration change management requires establishing a baseline “golden image” to authorize, update and test new changes. The ability to verify the identity and integrity of software is critical since malicious software updates have emerged as a supply chain attack vector.

Furthermore, utilities are required to conduct an active vulnerability assessment at least once every three years and a paper or active vulnerability assessment every 15 months. A paper assessment tends to be time-consuming and error-prone, and may miss recent firmware changes. On the other hand, an active vulnerability assessment may be much more challenging, since fragile OT assets may be incompatible with IT vulnerability scanning tools. Instead, utilities should assess their vulnerabilities with non-intrusive methods, such as passive network monitoring. Moreover, this process should be conducted continuously to immediately identify vulnerable assets, so that appropriate mitigation techniques can minimize the risk.
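As an added example (not from the article or any NERC guidance), the following Python sketches the two checks this standard calls for: comparing each asset's observed configuration against its baseline "golden image" fingerprint, and matching vendor, model and firmware version from a passively collected inventory against disclosed advisory ranges, with no scan of the device itself. All asset, baseline and advisory data is constructed, and the advisory identifier is a placeholder.

```python
"""Added example (not from the article or NERC): compare an asset inventory
against a configuration baseline and vendor advisories. All data is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str   # dotted version string, e.g. "2.4.1"
    config: bytes   # configuration as observed (constructed sample)


def version_tuple(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


def config_fingerprint(config: bytes) -> str:
    """SHA-256 of a configuration; the approved baseline stores this per asset."""
    return hashlib.sha256(config).hexdigest()


def unauthorized_changes(assets, baseline):
    """Assets whose observed configuration no longer matches the approved baseline,
    or that have no baseline entry at all (an unmanaged device is also a finding)."""
    return sorted(a.name for a in assets
                  if baseline.get(a.name) != config_fingerprint(a.config))


def vulnerable_assets(assets, advisories):
    """Match vendor/model/firmware against advisory ranges without touching the device.
    Each advisory: (vendor, model, first_affected, first_fixed, advisory_id)."""
    hits = []
    for a in assets:
        fw = version_tuple(a.firmware)
        for vendor, model, first, fixed, adv_id in advisories:
            if (a.vendor, a.model) == (vendor, model) and version_tuple(first) <= fw < version_tuple(fixed):
                hits.append((a.name, adv_id))
    return sorted(hits)


# Constructed sample inventory, baseline and advisory (placeholder identifier).
GOLDEN_CFG = b"relay_mode=protective\nremote_access=disabled\n"
ASSETS = [
    Asset("relay-01", "ExampleVendor", "RTU-100", "2.4.1", GOLDEN_CFG),
    Asset("relay-02", "ExampleVendor", "RTU-100", "2.3.0", b"relay_mode=protective\nremote_access=enabled\n"),
    Asset("gw-01", "ExampleVendor", "GW-7", "1.0.0", b"mode=gateway\n"),
]
BASELINE = {"relay-01": config_fingerprint(GOLDEN_CFG), "relay-02": config_fingerprint(GOLDEN_CFG)}
ADVISORIES = [("ExampleVendor", "RTU-100", "2.0.0", "2.4.0", "VENDOR-ADV-PLACEHOLDER")]

if __name__ == "__main__":
    print("changed since baseline:", unauthorized_changes(ASSETS, BASELINE))
    print("in advisory range:", vulnerable_assets(ASSETS, ADVISORIES))
```

Running the same two functions on each inventory refresh gives the continuous, non-intrusive assessment the section describes; relay-02 is flagged by both checks because its remote-access setting drifted and its firmware falls inside the affected range.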


A Higher Standard

NERC CIP is once again raising the bar with its supply chain standards. The threat landscape doesn’t end at the network perimeter, because a utility’s security depends on the security practices implemented by its vendors and service providers.

In addition, effective cybersecurity programs go beyond “check the box” compliance. Electric utilities need to understand their supply chain risks to prioritize and plan their remediation. In order to understand these risks, it is imperative to know what is connected to the network, where it is located, its vulnerabilities and other risk factors, such as how it interacts with and influences the rest of the network and process control system. Once utilities are able to gain this sort of insight, informed decisions can be made to reduce their attack surface.
