Navigating Cybersecurity with NERC CIP as the North Star
Working in the Electric Utility sector of critical infrastructure gives a person a very unique perspective on how many of the pieces of the puzzle fit together to provide uninterrupted services to a broad population. My personal experience as a software engineer in the electrical industry introduced me to the nuances that the average person doesn’t consider when they flip on a light switch. When I moved into the cybersecurity space, an entirely new realm was opened up.
The shifting sands of cybersecurity, along with regulations are sowing the seeds of vast changes, not only in the electrical sector, but in all utilities. However, when seeking direction in protecting the utility sector, the most mature model is the one presented by the North American Electric Reliability Corporation (NERC), specifically, the Critical Infrastructure Protection (CIP) guidance. The NERC CIP is the most mature of the utility control models and has just surpassed its 20th birthday.
Part of what makes NERC CIP relevant to critical industry verticals as a whole is that it was developed out of the attention brought about by the large East Coast power outage of 2003. Realization that malware lurking on systems giving command and control capability to and outside entity was a major risk to our infrastructure and safety and something had to be done to address that risk. Recent events in water management, food production and pipeline security have shone a bright light on making these sectors more secure as well. What better way to create new guidance than to borrow what works from an existing source?
Why More Guidance for Critical INfrastructure was Created
The need for more guidance in other sectors hit a tipping point in the last year. Both supply chain attacks, and trade wars lead to new protective responses, including the Pipeline System Security Directive, the Rail and Airport Operators Security Directive, and the Water/Wastewater 100-day plan. These are all aimed towards making the security of these critical systems more comprehensive.
Yet, it is still the early days of these new protective mechanisms. For example, the Pipeline System Security Directive is still voluntary. Also, the Transportation Safety Administration (TSA), which authored the directive has gone so far as to recommend that pipeline management should consider NERC CIP as the framework to follow. Likewise, TSA is looking to institute fines for violations, mimicking NERC CIP, but to a lesser extent. This is a very aggressive approach, as it moves compliance from voluntary to compulsory.
The questions that arise from all this are not unlike many of the other questions that surround other regulations. That is, is the guidance aimed towards Information Technology (IT), or Operational Technology (OT), or both and is the guidance attempting to achieve security, or compliance? Additionally, each of the above critical infrastructure verticals falls under a different jurisdiction of Sector Risk Management Agencies (DOE, EPA, TSA, etc.) and not centrally under CISA. Thus, the balkanized jurisdiction structure magnifies the complicating the matters of added expense due to redundancy, timeliness of implementation and consistency of cybersecurity policies, procedures and compliance to protect all critical infrastructure. Tactically, there are also the typical questions about audit and enforcement, such as how, and who will be the gatekeepers? After twenty years of NERC CIP, the rapid emergence of these new directives can be viewed as revolutionary – but also very necessary. It’s been shown over and over that companies do not provide satisfactory levels of system security without regulations that have teeth.
Predictions and Recommendations
Some organizations in the critical infrastructure have been practicing security that goes beyond the recommended requirements, and they started on this path prior to the new directives. Some because it was economical to do the same monitoring in Gas/SCADA and Water/Wastewater that they do in their NERC/CIP environments, others because the costs of around insuring against breaches is starting to have an effect. Many of the attacks of recent years, such as ransomware, and intellectual property theft are not going away, as they are too profitable for criminals to resist and becoming too costly for utilities to ignore.
The best recommendation is to start with asset tracking. Only after an accurate accounting of an organization’s assets can other steps be taken to protect any sector, including vulnerability assessment, network segmentation, change management, and log management. Most important with all of these is the configuration measurement and change detection. You can’t tell if something has changed without an accurate starting measurement (a baseline).
If your organization is newly examining the guidance and framework that works best, there are many to choose from, including those offered by the National Institute of Standards and Technology, (NIST 800-53), the Center for Internet Security (CIS Controls), and the International ElectroTechnical Commission (IEC 62443). Perhaps you may want to jump directly into NERC CIP to evaluate if that is the most appropriate course of action. Each framework is subtly different, but all follow the above basic control. Either way, there are enough resources to get started down the right path. Likewise, don’t hesitate. Even if you begin down the path of a certain framework and regulations change causing you to have to follow a different framework, many of the principles and the same and you can quickly pivot and continue down your cybersecurity journey.
It is understandable that these are big decisions to consider, but when we reflect upon how all industries have transitioned from an air-gapped or even non-IP environment, to a connected environment, it becomes clear that action must be taken.
Of course, Tripwire has tools that can help you achieve better security. Products, such as Tripwire Enterprise (TE) for file integrity monitoring (FIM) and configuration management (SCM) of your IT devices. On top of these critical controls, TE contains a vast policy library, including all those discussed above, to detect, measure, report and remediate policy violations. Specific, and critical to NERC CIP compliance, allowlisting is managed through Tripwire State Analyzer in tandem with TE. Vulnerability Management (VM) is provided by IP360 and all can be offered as a managed service through Tripwire’s Expert Operations (ExOps). For OT, or in the ICS environment, Tripwire has two OT passive asset discovery, inventory and vulnerability tools (Tripwire Industrial Visibility (TIV) and Sentinel (TIS)). Additionally, Log Management (LM) is provided via the integrated Tripwire Log Center product and a managed service is also available for TIV.
What makes Tripwire unique in protecting critical infrastructure is that the solutions can protect both IT and OT assets. Typically, asset management, change detection and cybersecurity policy enforcement occur separately between IT and OT. Through our numerous integrations, you have the ability to manage both from TE.
The industry is abuzz with “closing the gap between IT and OT”. Tripwire is already there and the gap is closed.
