New NERC CIP standards: Why utilities shouldn’t wait to deploy
On May 9, the North American Electric Reliability Corporation (NERC) officially adopted new Critical Infrastructure Protection (CIP) requirements for Internal Network Security Monitoring (INSM). This is one of the last steps before Federal regulators make it an official standard for utilities and the electrical power grid industry.
What does it mean? Compliance for CIP-015-1 is coming to your utility. Utilities will need monitoring tools with deep and wide asset intelligence and network control. In the past, standards focused on protecting the electronic security perimeter of networks, but this approach left blind spots within the internal network.
There is a lot to protect. According to ASIS, there are:
- 7,300 power plants
- 300,000 transmission and distribution stations
- 160,000 miles of high-voltage transmission lines
- 5 million miles of local distribution lines
- 145 million households in the US alone
The industry will have three years to deploy monitoring for the new standard, which is a typical timeline. The procurement process for a sizable utility company can take 12 to 18 months, and deployment at scale across a large territory can take a year or more.
Unfortunately, attacks on utilities and the power grid are mounting.
NERC recently reported that the number of virtual and physical weak spots in the power grid grew to between 23,000 and 24,000 last year. The National Institute of Science and Technology recorded 2,000 system vulnerabilities, at a pace of about 60 additional threats per day.
Last October, Bruce Walker, former assistant secretary for the Energy Department’s Office of Electricity, told a House Energy & Commerce subcommittee that “the most important evolving threat to the electric grid is associated with cybersecurity and physical security.”
New NERC CIP standards compliance: What is CIP-015-1?
The US Federal Energy Regulatory Commission (FERC), which oversees compliance for the electrical grid, issued Order No. 887 in January 2023 directing NERC to “develop requirements within CIP Reliability Standards for INSM of all high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC).”
Here are the goals of the CIP standard as detailed in the Federal Register:
- Any new or modified CIP Reliability Standards should address the need for responsible entities to develop baselines of their network traffic* inside their CIP-networked environment.
- Any new or modified CIP Reliability Standards should address the need for responsible entities to monitor and detect unauthorized activity, connections, devices and software.
- Any new or modified CIP Reliability Standards should require responsible entities to identify anomalous activity to a high level of confidence by:
  - Logging network traffic
  - Maintaining logs and other data collected regarding network traffic
  - Implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques and procedures from compromised devices
*Network traffic goes beyond tracking volume. The objective is to monitor network communications and protocols – and remove blind spots.
As our research shows, deep lateral movement within OT environments is possible. There is ‘network crawl space’ with links between security zones at deep system levels like Purdue level 1. To close these gaps, a Purdue Level 1 device that sits between segments still needs a corresponding perimeter security profile.
The bottom line? You need continuous network monitoring to be able to see, know and capture more activity – including ‘hidden’ activity.
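To make the three Federal Register goals above concrete (baseline the traffic, detect unbaselined connections and devices, and flag cross-zone links at Purdue level 1), here is a small added example of the kind of baseline-versus-observed check an INSM tool performs. It is not code from the original post or from any product; the asset inventory, Purdue levels, IP addresses and log lines are all constructed for illustration.

```python
"""Minimal INSM-style check: learn a traffic baseline, then flag deviations."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto")

# Constructed asset inventory: host -> Purdue level (hypothetical values).
ASSETS = {
    "10.1.1.10": 2,  # HMI
    "10.1.1.20": 2,  # SCADA server
    "10.1.2.5": 1,   # PLC
    "10.1.2.6": 1,   # RTU
}

# Constructed flow log captured during a baselining period: "ts src dst proto".
BASELINE_LOG = """\
2024-05-01T00:00:01 10.1.1.20 10.1.2.5 modbus
2024-05-01T00:00:02 10.1.1.20 10.1.2.6 dnp3
2024-05-01T00:00:03 10.1.1.10 10.1.1.20 https
"""

def parse_log(text):
    """Turn one flow-log line per record into Flow tuples (timestamp dropped)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, src, dst, proto = line.split()
        flows.append(Flow(src, dst, proto))
    return flows

def build_baseline(flows):
    """Baseline = the set of (src, dst, proto) triples seen while learning."""
    return {(f.src, f.dst, f.proto) for f in flows}

def classify(flow, baseline, assets=ASSETS):
    """Return the list of alert reasons for a flow; empty list means it matches."""
    reasons = []
    for host in (flow.src, flow.dst):
        if host not in assets:
            reasons.append(f"unknown device {host}")
    if (flow.src, flow.dst, flow.proto) not in baseline:
        reasons.append(f"unbaselined {flow.proto} {flow.src}->{flow.dst}")
    # Level 1 devices talking directly to each other bypass the supervisory
    # layer: the 'network crawl space' between segments described above.
    if assets.get(flow.src) == 1 and assets.get(flow.dst) == 1:
        reasons.append("level-1 to level-1 lateral connection")
    return reasons

def monitor(flows, baseline):
    """Run classify over monitored flows; returns {flow: reasons} for alerts only."""
    return {f: r for f in flows if (r := classify(f, baseline))}
```

A real deployment would also keep the raw flow records themselves, since the standard requires retaining the logs and not just the alerts derived from them.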
Go deeper: Learn how to simplify NERC compliance with continuous network monitoring.
What’s driving new CIP monitoring standards? Anomalous activity
Over the last few years, network assets of all kinds have been exploited regularly within critical infrastructure. It has happened in Denmark and Ukraine. It has happened at a water utility near Pittsburgh.
Too often, attackers find entry points in IT software, embedded devices, or other IoT assets that are often ‘unmanaged’ – such as IP cameras. In 2023, five OT protocols were repeatedly targeted: Modbus, Ethernet/IP, Step7, DNP3, and IEC10X. Most attacks target protocols.
“The proposed CIP-015 standard for internal network security monitoring introduces mandatory measures for detecting suspicious activities within utility networks,” explains Dr. Robin Berthier, a network auditor and cybersecurity research scientist. “This standard bolsters the grid’s defense mechanisms by enhancing visibility and response capabilities.”
Webinar: Watch experts discuss the trends and specific threats of exposed ICS and OT in critical infrastructure.
The influence and effects of the SolarWinds cyber attack on compliance
Here’s another way to think about it: The SolarWinds cyber attack from 2020 was four years ago. That attack focused on software updates within SolarWinds’ Orion IT application. The goal was for the updates to appear as ‘normal’ as possible, operating in the background with barely a trace of anomalous activity. And it worked.
SolarWinds is the named attack in the Federal Register for CIP-015-1 and is a major reason for the need for wider and deeper monitoring:
“The notice of proposed rulemaking also pointed to the SolarWinds attack as an example of how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations.”
Since then, there have been other attacks and anomalous ‘pre-positioning’ happening within critical infrastructure. The US Federal government’s CISA has been weighing in against these actions from countries, including China and Russia. Utilities and other critical infrastructure organizations are struggling to see all the entry points and activity within their networks. These attacks will only become more sophisticated.
SEC regulators brought charges against the CISO of SolarWinds last October for fraud and internal control failures, seeking to bar him from serving as a company director or officer.
And here’s another reason utilities need to act on improving CIP monitoring and compliance: Fines. In 2019, an unnamed company was fined $10 million — which was the largest NERC CIP fine to date.
Learn how we can help you streamline NERC CIP compliance.