SCM and NERC: What You Need to Know

Security configurations are an often ignored but essential factor in any organization’s security posture: any tool, program, or solution can be vulnerable to cyberattacks or other security incidents if the settings are not configured correctly.

Staying on top of all of these security configurations can be a daunting responsibility for security or IT teams to focus on, which is where security configuration management (SCM) comes in.

While SCM can be a valuable tool for organizations across all sectors, it is particularly helpful for critical organizations required to comply with certain security standards and regulations. The North American Electric Reliability Corporation (NERC) develops and enforces a number of regulatory standards, including Critical Infrastructure Protection (CIP), to maintain the integrity and security of the electric grid. With SCM, electric utilities organizations can ensure that a significant source of security vulnerabilities is under control.

NERC CIP Standards

The standards of NERC CIP cover a range of security measures and practices for electric utilities organizations that generate or manipulate grid energy. These standards are absolute requirements for NERC organizations. In the United States, the reliability standards are approved by the Federal Energy Regulatory Commission (FERC), while Canadian provinces have their own approval processes.

Due to the importance of electric utilities to all vital aspects of life, the consequences of noncompliance can be quite severe. Monetary sanctions for organizations that fail to maintain compliance can reach a maximum of one million dollars per day per violation. Non-monetary sanctions can include “limiting activities, functions, or operations, or placing the violator on a reliability watch list of significant violators,” according to NERC.

There are a number of categories covered by NERC CIP, including not only cybersecurity policies but also considerations of physical security. The following are some of the areas currently subject to enforcement under NERC CIP:

• BES Cyber System Categorization (CIP-002-5.1a)
• Security Management Controls (CIP-003-8)
• Electronic Security Perimeters (CIP-005-7)
• System Security Management (CIP-007-6)
• Configuration Change Management and Vulnerability Assessments (CIP-010-4)
• Information Protection (CIP-011-3)
• Communications between Control Centers (CIP-012-1)
• Supply Chain Risk Management (CIP-013-2)

Security Configuration Risks and Challenges

Cybersecurity misconfigurations are a significant source of vulnerabilities and attacks. They can arise from a variety of causes, but many of the most common misconfigurations are default settings that nobody notices. The people in charge of configuring the settings on software and applications are not always cybersecurity experts and may not even be aware of the dangers of security misconfigurations and default configurations. Even those who have knowledge of security misconfigurations can still allow them to happen unwittingly or by simple human error.

It is vital to understand what security misconfigurations are and what to watch out for to avoid misconfigurations. The most common cybersecurity misconfigurations, according to the United States National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), are:

• Default configurations of software and applications
• Improper separation of user/administrator privilege
• Insufficient internal network monitoring
• Lack of network segmentation
• Poor patch management
• Bypass of system access controls
• Weak or misconfigured multifactor authentication (MFA) methods
• Insufficient access control lists (ACLs)
• Poor credential hygiene
• Unrestricted code execution

These security misconfigurations, among others, can pose a severe threat to an organization’s security. For organizations that are subject to NERC regulations, this can have widespread impacts on the energy grid and critical infrastructure.  

How SCM Can Benefit NERC CIP Requirements

The security of NERC organizations is of the utmost importance, and cybersecurity configuration is one of the most tedious and easily forgotten parts of maintaining an organization’s IT and security posture. It requires a great deal of attention, taking up time, labor, and other resources that could be better spent elsewhere. With the use of an SCM checker, organizations can easily ensure that all of their software and applications are correctly configured for the best balance of security and productivity.

There are some NERC CIP objectives that are not helped by SCM, such as those pertaining to physical security. Other areas, however, can benefit from the implementation of SCM, including security management controls and configuration change management.

Additionally, automated SCM checking can aid organizations suffering from staffing shortages by enabling cybersecurity and IT experts to spend more time on essential projects and less time on maintaining security configurations since a view of the configuration stance is visible and checked on a regular (daily, weekly) basis. Keeping configurations secure incrementally saves time.  The skilled workers on staff can dedicate more of their labor to tasks that can improve the security of the organization as a whole.

With the right reliable and trustworthy SCM vendor, organizations can rest assured with the knowledge that their security settings are correctly configured. This is a vital part of achieving and maintaining compliance with certain NERC CIP regulations. On top of helping the organization avoid penalties for noncompliance, SCM goes a long way toward protecting critical infrastructure against attacks and accidental cybersecurity incidents.

Conclusion

For organizations governed by NERC, it is essential to prioritize cybersecurity and ensure the integrity of critical infrastructure. The benefits of SCM go beyond regulatory compliance, helping organizations not only to prevent penalties but also to secure their software and systems against attacks. Security misconfigurations are a leading cause of cyberthreats and vulnerabilities that can provide bad actors with the opportunity to infiltrate the organization. With the implementation of SCM, the issue of security misconfigurations becomes far less threatening.