Electrical Grid Security: NERC CIP, Cyber Threats and Key Challenges
Electrical grid security has been getting a lot of attention recently. It started fairly quietly, and then when it was a featured story on a news program, it rose to the top of the collective consciousness. However, the news stories that followed were focused entirely on the physical vulnerabilities of the US power grids. Few, if any stories covered the cybersecurity angle of securing the grids.
The physical grid machinery has remained woefully unprotected against attack. The physical power generating infrastructure of several power companies has been attacked in the United States just this past year. This may be because grid operators did not foresee the possibility of attacks from domestic sources in spite of ample indications of the planning of such attacks.
Fortunately, the logical functioning of this critical infrastructure has been better prepared and continues to improve as the power companies corporate structures have become connected to the internet – which can be a gateway to the power generation structure.
What is NERC CIP?
The North American Electrical Reliability Corporation (NERC) has operated for over 27 years to protect the power grid. It developed the Critical Infrastructure Protection (CIP) standards to enforce rules to keep the Bulk Electrical System (BES) operational. Power industry cybersecurity, or, to be more specific, Power Generation Cybersecurity for Medium and High Impact sites, as defined by NERC CIP, is the cybersecurity of the critical infrastructure for providing power throughout the US.
In most industries, if an entity doesn’t comply with the rules set out by a governing organization, their operation can be halted. We recently saw this with the shuttering of some banks. Other measures to protect consumers can involve decertifying, or otherwise stopping an organization’s ability to transact certain types of business, such as if a company cannot adequately fulfill the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
If an electrical supplier falls out of compliance with NERC CIP standards, the electric company cannot just turn off the power. The method used to guarantee compliance is through strict fines. Is it even possible to fully disrupt a Bulk Electric System through a cybersecurity vulnerability? In fact, it is possible, and that is precisely what NERC CIP seeks to prevent.
Threats targeting critical infrastructure
NERC CIP guidelines are keenly focused on nation state attacks, and remote command and control, because if an external entity wants to attack the US and bring down the electric infrastructure, it could be accomplished by targeting one area to take down all the assets. By controlling the connection that allows that external force into your environment, the problem becomes neutralized. This is why part of what Tripwire’s allowlisting capabilities monitors is whether a new port is opened and allowed to be open on a system.
NERC CIP has very specific controls that, when followed, reduces the risk of a breach tremendously. By knowing what software is allowed to be installed in an environment, what users are allowed to be on each system, what ports are allowed to be open on a system and what application has that port open – and being alerted when something unexpected shows up in those areas, the power companies can be sure that there is no remote command and control is in place on their systems.
A lot of times, a nation state attack is not just a fast operation to shut down a system. That is, they don’t take it down immediately upon getting in. Similarly, ransomware attackers have adopted this technique as well. They gain access, look around, and put some things in place so they can get back in if they are discovered. And in a lot of cases, to regain access means having an available port to connect to somewhere within the environment. If an electrical operator knows each port that is open in the internal environment, what it’s doing, why it’s there, and why it’s open, then, when a new logical port opens up, it will stick out like a sore thumb. This level of visibility makes it nearly impossible for an attacker to remotely gain command and control of any assets.
Of course, there are also non-technical methods that electrical organizations need to implement those controls. Most of the utilities have a Risk & Compliance team that works with the IT and Security teams to ensure that the audits of the environment will pass. They perform a review of the compliance reports prior to when the 35-day reporting period ends. NERC CIP specifies that all of the information about software, ports, users, services, etc., in the environment are tracked, and updated reports are completed every 35 days for BES high impact rated systems. Otherwise, they must self-report, and have a mitigation plan in place. There can be fines if there isn’t a plan, or if the failure to provide reports goes on too long.
Key challenges and ways to solve them
One of the biggest challenges is that there may be too few people to perform the required remediation. It ends up becoming a background task at a lot of places because they lack the resources to perform all the patching or other needed configuration updates. The staff at most electrical suppliers work long hours, and they still cannot keep up with all of the changes required to stay within the requirements for compliance.
Tripwire Enterprise (TE) is a baselining engine. The NERC CIP reporting revolves around changes to the NERC CIP baseline, so Tripwire is a natural way to find the information required and build reports. Tripwire’s allowlisting solution defines the lists of allowed ports, services, software, etc., on each device and the data baselined by TE about each of those is compared to the allowed list of ports, software, etc. The result is an assessment. The NERC CIP baseline is the list of what is running, and allowed on the system. Allowlisting also produces a list of anything found that is not on the allowed list. Those items have to be remediated – or justifiably added to the allowed list.
Protecting the electrical grid is no easy task. While the latest news cycle focuses on the physical vulnerabilities to these locations, it is comforting to know that any systems that are connected to the internet are better protected through the efforts of NERC, and the staff at these facilities.
Tripwire is a valuable resource in helping keep this area of critical infrastructure safe.