
By Certrec Corporation
The U.S. electric grid provides electricity to millions of homes and businesses via a complex and vulnerable network of power plants, transmission lines and distribution centers. It is essential to daily life and commerce in America. One of the greatest cybersecurity threats to the electric grid involves ICS or “industrial control systems.” ICS manage electrical processes and physical functions like opening and closing circuit breakers.
To reduce costs and improve energy conservation and grid reliability, ICS are merging with information technologies that rely on the Internet to enable remote control and monitoring. But this also creates huge opportunities for “hacktivists,” nation-state threat actors, and criminals (ransomware gangs) to access operational technology (OT). A successful cyberattack can cause serious disruption to people’s lives, from annoying effects like no Internet, no streaming, no TV, and no cell phone service to life-threatening events like broken traffic signals, inoperative life-saving medical equipment, no water being pumped, or no heating or cooling.
According to the U.S. Department of Homeland Security, even a short-lived attack on the power grid could cause substantial interruptions to security systems and important lines of communication. In 2022, the number of risks to critical infrastructure has escalated due to the increase in cyber ransom crimes, nation-state threat actors and, of course, the Russia-Ukraine war. Nation-state threat actors work for a hostile government (for example Iran, North Korea, China, or Russia, per the U.S. Intelligence Annual Threat Assessment) to disrupt or compromise our lives and, in the case of critical infrastructure, create incidents by taking down the nuclear, energy, financial, or technology sectors.
The Cybersecurity and Infrastructure Security Agency (CISA), a newly formed U.S. federal agency working tirelessly to tackle cyber threats and to develop secure and reliable infrastructure, has warned all industrial stakeholders in the country to be prepared and to take proactive measures against any malicious cyber activity.
So, it is high time for electrical companies to meet and exceed critical energy infrastructure protection standards. From substations to enterprises, energy-based companies must meet CIP compliance. Whether it is the physical protection of facilities from vandalism, terrorist acts, and other security breaches, or the protection of software and hardware assets from increasingly sophisticated cyber criminals, it is essential for energy companies to meet these challenges by updating their CIP policies and procedures. The decision to not do so can be disastrous, not only for them, but for the overall Bulk Electric System (BES).
Whereas most companies are proficient in the physical protection of facilities, many do not have stringent enough IT policies for the protection of their critical hardware and software infrastructure. Not addressing those vulnerabilities can negate the demanding work done through physical facility protection. It is essential to target all three of these areas of CIP in the modern world: physical facility protection, hardware protection, and software protection. Cyberattacks are a top ten global risk, and the energy sector is number one among attacked industries.
Reluctance to use up-to-date software and hardware can lead to a serious breach. Such a breach damages onsite facilities, ruins market credibility, and compromises the security of the electricity supply.
Critical infrastructure protection for facilities
It cannot be stressed enough that without the physical components working in perfect order, the facility can be compromised and can be rendered inoperable.
Because most plants are situated in remote areas and are massive in size, it can become quite a challenge to secure and monitor them effectively. But when you are a vital cog in the power grid, a lapse in security can cause disruptions to the whole grid, leading to massive penalties and fines. It is, therefore, more prudent to invest that money up front in the physical security of the facility to mitigate the chances of physical attacks through vandalism or terrorism.
One of the biggest cyberattacks on critical infrastructure happened to the Colonial Pipeline on May 7, 2021, when the largest fuel pipeline in the U.S. fell victim to a ransomware attack and paid a $4.4 million ransom to a ransomware gang. 45% of fuel supplies to the East Coast had to shut down temporarily, and Colonial suffered a huge credibility loss. The CEO apologized to the U.S. Senate.
Let’s now look at the security of cyber assets within the perimeter.
Critical infrastructure protection for cyber systems
CIP compliance requires a significant investment, proactive efforts, and a progressive mindset among organizations.
Physical Systems and CIP (Hardware)
The foundational standards in NERC CIP state specific requirements that energy companies must meet to create unique control mechanisms, identify critical assets, enforce physical security of the systems, and recover affected assets.
Here are the primary standards applicable to all security and network systems for utilities:
NERC CIP-002-5 – BES System Categorization
With this standard, energy companies can identify and classify BES Cyber Systems or Assets. The objective of the NERC CIP-002-5 standard is to ensure the enhanced protection of assets. At the same time, this standard makes sure there are no compromises that might make the BES unstable or disrupt operations.
Categorization grades BES Cyber Assets or Systems by the degree of interruption to the power supply that their compromise would cause. It focuses the entity on the duration of an interruption rather than on the cause of the power disruption.
The broad categorization of Cyber Systems in this standard includes:
- Protected Cyber Assets
- PACS or Physical Access Control Systems
- Electronic Access Control
NERC CIP-003-8 – Security Management Controls
The focus of this standard is to help energy companies increase transparency and accountability across the board and further protect BES Cyber Assets. Practically, utilities need to rely on an experienced senior manager to develop sustainable policies around security controls.
NERC CIP-004-6 – Personnel Training
This NERC CIP standard aims to train contractors and employees. With sufficient training, the NERC CIP-004-6 standard helps companies reduce the likelihood of cyberattacks targeting BES Cyber Systems. The personnel training consists of raising cybersecurity awareness among staff. In addition, it paints a clear picture of the access and risk management controls for employees and contractors.
NERC CIP-005-6 – Electronic Security Perimeter
This standard aims to heighten the protection level of BES Cyber Assets and prevent potential instability and operational interruption. Furthermore, the NERC CIP-005-6 standard focuses on having complete control over network access to all critical assets.
In practice, this standard requires utilities to establish a dedicated Electronic Security Perimeter (ESP) around their cyber assets. Once that boundary exists, entities can track the data flows that cross it. Any connection into the ESP from outside must pass through a dedicated Electronic Access Point. Companies should also maintain their network segments, control remote access points, and use data encryption.
NERC CIP-006-6 – Physical Security of BES Cyber Systems
This standard involves physical and operational controls in connection with a physical security perimeter, testing and maintenance program, and a visitor control program. In the physical security perimeter, entities must restrict their physical access via procedural controls and existing operational documents.
In the visitor control program, entities must implement a protocol to manage all visitors and retain visitor logs covering at least the last 90 days. The testing and maintenance program of this standard requires entities to test the Physical Security Perimeter on an annual basis.
NERC CIP-007-6 – System Security Management
Here, entities must define operational and technical elements and processes. The idea is to enhance the security of systems in the ESPs of BES Cyber Systems. Typically, these components include security patches, system access controls, security event monitoring, ports and services, and prevention of malicious code.
NERC CIP-008-6 – Incident Reporting and Response Planning
Here, entities must prepare incident reports and create guidelines that serve as a response. The incident reporting and response planning standard allows energy entities to document, identify, classify, report, and respond to incidents associated with critical assets.
At its core, this CIP standard compliance divides into incident response plan, implementation of incident response, and final review and communication of the incident response plan.
NERC CIP-009-6 – Recovery Plans for BES Cyber Systems
Here, entities must find the best way to recover from a potential cyber incident that may impact the BES systems. With this standard, entities must put in place a recovery plan and follow predetermined plans for business continuity and disaster recovery.
NERC CIP-010-3 – Configuration Change Management and Vulnerability Assessments
In this standard, entities must document all the requirements of their security policy that ensure there are no unauthorized modifications to BES Cyber Systems. The standard aims to raise the current protection level by performing vulnerability testing and checking system configuration controls. On top of configuration change management, CIP-010-3 covers compliance areas like configuration monitoring, which requires checking for unauthorized changes to the configuration baseline at least every 35 days, and a vulnerability assessment at least every 15 months.
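The baseline-monitoring part of CIP-010-3 described above, shown as an added example (not Certrec's code or any NERC tooling): a snapshot of each asset's configuration is diffed against the approved baseline, every difference without a matching change record is flagged as unauthorized, and the time since the last review is checked against the 35-day window. The asset attributes, the sample baseline and snapshot, and the change-ticket format are all constructed assumptions.

```python
from datetime import date, timedelta

MAX_REVIEW_GAP_DAYS = 35  # baseline change check cadence cited in the article


def diff_baseline(baseline, current):
    """Return (asset, attribute, old, new) tuples for every attribute that
    differs between the approved baseline and the current snapshot.
    Assets missing from the snapshot are reported as 'present' -> False."""
    changes = []
    for asset, attrs in current.items():
        old_attrs = baseline.get(asset, {})
        for key, new_val in attrs.items():
            old_val = old_attrs.get(key)
            if old_val != new_val:
                changes.append((asset, key, old_val, new_val))
    for asset in baseline:
        if asset not in current:
            changes.append((asset, "present", True, False))
    return changes


def unauthorized_changes(changes, approved):
    """Keep only changes with no approved (asset, attribute) change record."""
    return [c for c in changes if (c[0], c[1]) not in approved]


def review_overdue(last_review_iso, today_iso):
    """True when more than MAX_REVIEW_GAP_DAYS have passed since the last review."""
    gap = date.fromisoformat(today_iso) - date.fromisoformat(last_review_iso)
    return gap > timedelta(days=MAX_REVIEW_GAP_DAYS)


# Constructed sample data: hypothetical RTU and HMI, not real device inventory.
BASELINE = {
    "rtu-01": {"os": "fw 4.2.1", "ports": (22, 502), "packages": ("modbusd 1.3",)},
    "hmi-01": {"os": "win10-21H2", "ports": (445, 3389), "packages": ("scada-view 7.0",)},
}
CURRENT = {
    "rtu-01": {"os": "fw 4.2.1", "ports": (22, 23, 502), "packages": ("modbusd 1.3",)},
    "hmi-01": {"os": "win10-21H2", "ports": (445, 3389), "packages": ("scada-view 7.1",)},
}
APPROVED = {("hmi-01", "packages")}  # a change ticket covers the scada-view upgrade


def run_check(last_review="2022-01-01", today="2022-02-10"):
    flagged = unauthorized_changes(diff_baseline(BASELINE, CURRENT), APPROVED)
    return {"unauthorized": flagged, "review_overdue": review_overdue(last_review, today)}


if __name__ == "__main__":
    print(run_check())  # telnet (23) opened on rtu-01 without a ticket; review is 40 days old
```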
Potential threats and their consequences
Whether it’s malware, phishing attacks, password attacks, or denial of service, successful breaches incur revenue losses for companies. And if the breach is big, it will significantly impact revenue generation. Around 30% of companies that encounter a security breach lose significant revenue. “Attackers are getting better all the time, and as we make OT (Operational Technology) more Internet accessible, the threat surface enlarges. These hackers are trying to damage our country and disrupt business by causing mayhem through grid failures. They can introduce a virus into the system that is undetected immediately but explodes weeks later,” said Evans Heacock, Director of NERC CIP Services at Certrec.
Similarly, a potential data breach hampers a company’s reputation in the energy landscape. In fact, after a data breach, the reputation of the company is never the same in the market.
In addition to the obvious costs, such as repairing the OT network, the IT systems, and the actual electrical infrastructure, there are several expensive hidden costs, such as repairing public relations and paying legal fees. On the surface, many cybersecurity threats come across as mild and harmless. However, they can wreak havoc on the operational capacity of utilities and even cause blackouts. Can a cyberattack cause a power outage?
“If there is a successful cyber-attack on the IT infrastructure, it can result in a total outage on the OT network, which can lead to a control center being taken offline,” said Steven Thomas, Executive Director, IT and Cybersecurity, at Certrec.
Short-term and long-term consequences of breaches
Companies usually must spend on hiked insurance premiums, additional investigations, and PR.
Among these threats, cybercriminals often steal blueprints, strategies, and designs from energy companies, which damages the reputation of the affected utilities within the industry. Companies operating in the energy sector are especially exposed to these threats.
Today, executing a data breach plan takes less time than making an omelet. On average, more than 90% of successful data breaches take place within a minute. What’s startling is that it takes 80% of the companies weeks before they realize there has been a data breach.
On top of reputational damage, theft, and incurred financial losses, companies usually must pay hefty fines. If the direct revenue losses are not enough of a punishment, companies can face potential monetary penalties for failing to comply with basic data protection regulations.
Conclusion
Energy and utility companies have equipment separated by miles of empty space, and motivated hackers can cause widespread power outages risking the health and safety of millions of people.
After all, the energy grid and utilities power our economy and everyday lives. In fact, nearly every aspect of modern life relies on the grid operating as expected. As the grid infrastructure and ICS/OT systems become increasingly connected, they also become increasingly vulnerable.
Entities need to ensure that their network segmentation meets the applicable requirements. The idea is to keep operational technology (OT) protocols from passing through IT systems except via an encrypted end-to-end tunnel. Furthermore, companies must run antivirus scans throughout OT and IT systems at least every week and implement patches within a short, regular, predefined timeframe to prevent malware infections originating from web, mobile, or any other networks.
NERC CIP compliance is the most practical way for organizations to protect their customers, natural resources, and the crucial cyber assets that tie into the Bulk Electric System. (To find out how secure your critical infrastructure is, go to Certrec’s online NERC CIP Health Check.)
For a more detailed analysis, check out Certrec’s CIP White Paper.
Certrec is a leading provider of regulatory compliance solutions for the energy industry. The company’s SaaS and consulting services have helped power-generating facilities manage their regulatory compliance and reduce their risks across nuclear, fossil, solar, wind, and other power plants. Certrec has helped over 120 generating facilities establish and maintain NERC compliance, and it manages the entire NERC compliance program for 50+ registered sites in the US and Canada. Certrec is ISO/IEC 27001:2013 certified and has successfully completed a SOC 2 Type 2 examination, resulting in independent verification of the standards of security, availability, reliability, and trusted services it provides.