Compliance with critical infrastructure protection (CIP) standards is in itself not enough to prevent potentially devastating cyber attacks on the electricity generation and distribution system. Attackers have routinely breached infrastructures in the financial services and retail sectors that were 100 percent compliant with regulations.
A manual process that tracks access authorizations, for example, might meet CIP standards but be prone to errors. Similarly, simply logging security events from devices might comply with current standards, but fail to alert specialists in time to respond to an attack.
Optimal Protection is Imperative and Urgent
The evolution of smart grid technology that connects information technology with operational technology, energy management systems and consumers has opened up new avenues of attack and potentially more vulnerabilities. The rise of distributed energy sources and decentralized generation across the network further increases the risk.
The December 2016 "CrashOverride/Industroyer" attacks in Ukraine demonstrated that cyber attackers can and do target power grids. A successful attack could subject large populations to major power outages, causing enormous business disruption and economic damage.
Increased vulnerability, combined with potentially devastating impacts, makes it imperative and urgent for utilities to achieve optimal protection of smart grids.
Reaching Optimal Protection
Utilities are at varying stages along a CIP maturity curve. Some are merely maintaining compliance with North American Electric Reliability Corp. (NERC) CIP standards, while others have achieved compliance and are working on sustainability and automation initiatives.
The optimal level, however, is advanced security for high-risk assets. It gives utilities greater operational control, improved situational awareness, lower risk and better control of operations and maintenance costs. It also better prepares utilities for the impact of future disruptive technologies.
Most importantly, utilities that achieve optimal protection are far less likely to experience a catastrophic event.
Four steps can help utilities reach a state of advanced security:
Understand the current NERC posture. Utilities should diagnose their NERC posture through an analysis of their processes and controls. To do this, they should develop an in-depth understanding of the audit trail before developing an end-to-end process to obtain the required evidence of compliance.
Establish a sustainability strategy and governance framework. An important part of the sustainability strategy is determining which staff members are responsible for continually assessing the effects on the organization of new NERC standards.
Create an actionable plan for creating foundational components. This includes making exception management, evidence collection, validation and reporting both repeatable and automated.
Begin industrializing key NERC CIP processes. The utility should initially target high-value areas, which are those determined by an assessment to pose the greatest need for manual efforts and highest potential for a cyber attack.
While these steps help create a sustainable NERC CIP compliance program, reaching the goal of advanced, optimal security requires additional actions.
Implementing an automated identity-and-access management system, for example, results in better protection than an error-prone manual system can provide. Similarly, upgrading from security event logging to a security monitoring system that integrates with a broader cybersecurity operations center greatly improves grid protection. This is especially true when a utility also implements a security information and event management platform that automatically alerts cybersecurity specialists to any sequence of related events that might indicate a wider breach.
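The difference between "logging events" and "alerting on a sequence of related events" described above (and in the earlier point about logging that fails to alert specialists in time) can be shown with a small correlation rule. This is an added illustration, not code from the article or from any SIEM product; the host names, event names and log lines are constructed, and the rule (a burst of failed logins, then a successful login, then a configuration change by the same user on the same host, all within a short window) is an assumed example of a "related event sequence".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): syslog-style lines from
# hypothetical grid hosts, in the form "timestamp host event user=<name>".
SAMPLE_LOG = """\
2024-03-01T02:10:05 ems-gw-01 AUTH_FAIL user=operator
2024-03-01T02:10:09 ems-gw-01 AUTH_FAIL user=operator
2024-03-01T02:10:14 ems-gw-01 AUTH_FAIL user=operator
2024-03-01T02:11:02 ems-gw-01 AUTH_OK user=operator
2024-03-01T02:12:40 ems-gw-01 CONFIG_CHANGE user=operator
2024-03-01T03:05:00 hmi-02 AUTH_FAIL user=maint
2024-03-01T03:05:30 hmi-02 AUTH_OK user=maint
2024-03-01T08:00:00 hmi-02 CONFIG_CHANGE user=maint
"""

def parse_log(text):
    """Parse lines into (timestamp, host, event, user) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, event, user = line.split()
        events.append((datetime.fromisoformat(ts), host, event, user.split("=", 1)[1]))
    return sorted(events)

def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Alert on the related sequence: >= fail_threshold AUTH_FAIL, then AUTH_OK,
    then CONFIG_CHANGE, same host and user, all inside `window`.
    No single event in the sequence is alarming on its own; only the chain is."""
    alerts = []
    fails = defaultdict(list)   # (host, user) -> timestamps of recent AUTH_FAIL
    suspicious_ok = {}          # (host, user) -> time of AUTH_OK after a burst
    for ts, host, event, user in events:
        key = (host, user)
        fails[key] = [t for t in fails[key] if ts - t <= window]  # expire old
        if event == "AUTH_FAIL":
            fails[key].append(ts)
        elif event == "AUTH_OK":
            if len(fails[key]) >= fail_threshold:
                suspicious_ok[key] = ts
            else:
                suspicious_ok.pop(key, None)  # a normal login resets the chain
        elif event == "CONFIG_CHANGE":
            ok = suspicious_ok.get(key)
            if ok is not None and ts - ok <= window:
                alerts.append(f"{ts.isoformat()} {host}: {len(fails[key])} failed logins, "
                              f"then login and config change by '{user}' within {window}")
                suspicious_ok.pop(key, None)
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print("ALERT", alert)
```

Run against the constructed log, the rule raises one alert for ems-gw-01 and stays quiet for hmi-02, whose single failed login and much later configuration change are unrelated.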
The Ultimate Objective
Compliance with the NERC CIP program is mandatory for U.S. utilities and can serve as the foundation for enhanced security throughout the enterprise. The ultimate objective, however, should be a state of advanced security, going beyond the compliance checklist to protect the power grid and the people who depend upon it. Otherwise, as demonstrated by what happened in Ukraine, when an adversary's cyber capabilities match their malic