Utility companies are increasingly being targeted by cybercriminals. Although the highest profile utility cyber attack in recent memory was the May 7 ransomware attack on Colonial Pipeline that caused gas shortages on the East Coast, power companies of all kinds are popular with criminals for a reason: they can’t afford a shutdown and they have the money to pay a ransom.
Despite the dire consequences of an attack, not all power companies are confident in their ability to detect and repel a cyber attack. A survey from EY found that 58% of power companies feel unequipped to monitor their digital ecosystem, while a report from Ponemon found that 56% of power companies experienced one shutdown or operational data loss a year.
The importance of keeping the electrical grid up and running is why The North American Electric Reliability Corporation (NERC) developed the Critical Infrastructure Protection (CIP) standards.
What is NERC CIP?
The NERC CIP was implemented in 2008 to protect and secure the Critical Cyber Assets that are required for operating the Bulk Electric System (BES), also called the power grid. Since then, the CIP has been updated several times – four standards were recently added and will be subject to enforcement in the near future.
Certified by the Federal Energy Regulatory Commission (FERC), the NERC CIP standards focus on the safety of the power plants, control centers, transmission stations, lines, and towers that make up the power grid. It establishes a set of controls that create a robust information security posture and attempt to lower the likelihood of external and internal cyberattacks.
Right now, 12 enforceable standards are currently included in the NERC CIP:
- CIP-002-5.1a Cyber Security - BES Cyber System Categorization
- CIP-003-8 Cyber Security - Security Management Controls
- CIP-004-6 Cyber Security - Personnel & Training
- CIP-005-6 Cyber Security - Electronic Security Perimeter(s)
- CIP-006-6 Cyber Security - Physical Security of BES Cyber Systems
- CIP-007-6 Cyber Security - System Security Management
- CIP-008-6 Cyber Security - Incident Reporting and Response Planning
- CIP-009-6 Cyber Security - Recovery Plans for BES Cyber Systems
- CIP-010-3 Cyber Security - Configuration Change Management and Vulnerability Assessments
- CIP-011-2 Cyber Security - Information Protection
- CIP-013-1 Cyber Security - Supply Chain Risk Management
- CIP-014-2 Physical Security
These four standards will be enforceable in the near future:
- CIP-005-7 Cyber Security - Electronic Security Perimeter(s)
- CIP-010-4 Cyber Security - Configuration Change Management and Vulnerability Assessments
- CIP-012-1 Cyber Security - Communications between Control Centers
- CIP-013-2 Cyber Security - Supply Chain Risk Management
What are the penalties for non-compliance?
Organizations that operate Bulk Electric Systems have to be compliant with the standards that are currently in place. If they are not, they can be fined up to $1 million per violation per day. That’s the maximum fine; violators are often fined less but the fines are no less hefty: one of the largest penalties incurred by NERC was a 2019 fine of $10 million for 127 violations, some of which had been ongoing for months and others which had only been occurring for a few days.
The unidentified organization was cited for violations including not identifying and categorizing assets correctly, as well as violations for not including assets in Disaster Recovery Plans, among several other items.
Despite the fact that such large fines can be incurred, many organizations struggle to meet the CIP requirements. While power grids are controlled by often sprawling organizations, those organizations tend to be understaffed when it comes to cybersecurity professionals. Less than a decade ago, a report prepared by the U.S. government found that 55% of utility companies had just one person assigned to ICS/SCADA while 25% had no one assigned. With no one assigned to security and criminal’s intensified focus on the power grid, this can feel like a losing situation for Bulk Electric operators.
How security ratings can help with NERC compliance
Security ratings can stretch the resources of an understaffed organization that needs to comply with rigorous information security standards by letting a company monitor its vulnerabilities.
SecurityScorecard, for example, systematically scans and reviews information systems for publicly known vulnerabilities — the sorts of chinks in your cybersecurity armor that criminals are looking for as well. By continuously monitoring how your organization’s security posture appears to others online, you’ll be able to better define your risks, risk tolerances, and threats to your data environment.
Take the example of CIP standard 003-8 - Security Management Controls. The purpose of this protocol is to specify consistent and sustainable security management controls that establish responsibility and accountability to protect Bulk Electric Systems networks against compromise that could lead to misoperation or instability in the power grid. SecurityScorecard’s ratings enable utility organizations to define their own criteria for evaluating and categorizing risks to establish controls and monitor the effectiveness of those controls.
Another example is a twofer — CIP standards 013-1&2 - Supply Chain Risk Management; 013-1 is currently enforceable and 013-2 is soon to be enforced. The purpose of these standards is to reduce risk to the power grid by implementing security controls for supply chain risk management. The standards require a vendor management plan that addresses the following: software integrity and authenticity, vendor remote access, information system planning, and vendor risk management and procurement controls.
Companies are also required to continuously monitor third parties for continued compliance. SecurityScorecard enables vendor risk management and oversight by reviewing a variety of controls that establish best practices. As part of the vendor management program, your organization can align their categories to match the ten factors measured by our ratings. SecurityScorecard also continuously monitors the environment allowing organizations to maintain a continuous monitoring program outside of single point-in-time audits to ensure ongoing vendor security.
NERC CIP standards can be daunting; they change frequently and tax power companies’ resources. But by taking an outside-in look at your organization’s security posture, you’ll be well-positioned to monitor risk and prove compliance.