By Gowri Rajappan and Matt Lawrence
Cybersecurity is a top concern for utilities and power companies – the Ukraine grid cyberattack late last year was a wake-up call to take the matter seriously. With the number of devices and connection points to the grid increasing every day, the chance for a breach is much higher than ever before, and so are the stakes.
Laptops and removable storage media such as USB thumb drives are among the weakest links in grid security, since both can bring malicious software into protected substation environments. Regulators have taken notice: the North American Electric Reliability Corporation (NERC) has developed new critical infrastructure protection (CIP) requirements for transient cyber assets and removable media that are designed to prevent these kinds of breaches.
Starting in April 2017, anyone who works on a utility or power company’s medium or high impact system, including contractors, needs to comply with the standards and use locked-down devices to prevent unauthorized access points to the network. Companies need to take steps now in order to avoid serious regulatory and financial consequences.
The new NERC CIP requirements: What they entail and the impact on the industry
The new CIP-010-2 R4 requirement for transient cyber assets and removable media affects laptops used in substations. Companies will need to transform their laptops into “locked-down” devices in order to comply with the new regulations. The particular guidelines utilities will need to comply with by April 2017 include:
- Transient cyber asset management: Teams must manage the transient cyber asset individually or by group in an ongoing manner to ensure compliance with applicable requirements at all times, particularly before connection to a BES cyber system.
- Transient cyber asset authorization: For each transient cyber asset, teams must authorize users, locations and uses, which are limited to what is necessary to perform business functions.
- Software vulnerability mitigation: Teams must use one or a combination of methods to mitigate vulnerabilities and risks posed by unpatched software on the transient cyber asset, including security patching, system hardening and using a live operating system and software executable only from read-only media.
- Introduction of malicious code mitigation: Teams should use antivirus software and application whitelisting to mitigate malicious code from entering substation environments.
- Unauthorized use mitigation: Teams should restrict physical access, use full-disk encryption with authentication and multi-factor authentication to mitigate risk of unauthorized use of transient cyber assets.
The goal of these requirements is to protect control centers and substations from malware and other cybersecurity threats. Violations may result in penalties of up to $1 million per day per incident.
How to prepare: Four steps for compliance
There are several steps companies can take now to prepare for the new requirements and avoid hefty legal and financial consequences. Success starts with safeguarding your transient cyber assets by having special purpose laptops or tablets that are only used for testing – this will ensure your devices are secured and locked-down without interfering with the test interface. Replacing thumb drives with a safe alternative, such as secure network data transfer technology from a test laptop or tablet, will retain all the data transfer capability of removable media without bringing outside risk. Other immediate actions to take include:
- Understand the requirements and how they impact you. Knowing how each requirement affects your company and what you need to do to ensure compliance is crucial. This will set the stage for the specific actions your organization needs to take.
- Make sure everyone in the company knows what’s expected. It’s not just full-time employees or executives who will need to adhere to the new rules — everyone coming into the company, even contractors, will need to follow the new NERC CIP standards. From a liability standpoint, the company is the responsible entity and needs to ensure compliance of everyone that works under them to avoid getting fined.
- Implement a robust, holistic cybersecurity policy across the company. Many companies are just hardening a laptop, but that only addresses some of the requirements and may be out of compliance if necessary updates to the laptop aren’t applied regularly. Teams need to integrate cybersecurity measures into everything they do. Developing a cybersecurity program with clearly articulated policies, plans and evidence of compliance is a great place to start. The program should also define roles, appropriately authorize users and manage and track transient devices to help protect your assets.
- Create a long-term plan for success. Operations and tools considered customary now, like USB drives for transferring data, may not be available to teams down the road in light of the cybersecurity risks they carry. Asking a lot of questions and working together to find solutions will be critical for compliance. Success means looking at both the short and long term — updating software and making sure its approved and reviewed by third-party experts might be one of the steps companies take immediately to meet the new requirements in the short term, but it’s also important to understand how complying with these new rules tie back to your company’s business objectives.
The new NERC CIP requirements are designed to meet the rapidly evolving technology demands of the power industry, while still ensuring grid reliability. The risks of non-compliance are high and companies need to start taking steps now in order to meet the enforcement deadlines. These guidelines will change the way teams work from the field to the office. To really be successful and compliant, you can’t put a Band-Aid on the issue by hardening laptops and focusing on avoiding fines. You need a holistic, proactive approach to cybersecurity that integrates into all your business processes and protects your critical testing data.
Gowri Rajappan is a smart grid specialist at Doble Engineering Co. and Matt Lawrence is senior director of solutions at Doble Engineering Co.