Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
By Tony Howlett, CISO, SecureLink
By Tony Howlett, CISO, SecureLink
Sponsored Article

NERC Updates May Force Utility Companies into Better Cybersecurity

Once implemented, these upcoming regulations will ensure electrical utilities are safer from cyber threats, especially those brought in by third parties.

Breaches and incidents at utility and other energy-related companies have been rising faster than an electric bill in a Texas summer. In 2019, a power plant in Ukraine was attacked and the power went out in the area for about an hour due to the problems it caused. And in February 2020, a gas pipeline in the US was shut down for two days after an ransomware incident. According to a study done by Allianz, 54% of critical infrastructure providers report attacks that attempted to control systems. 

All signs point to attacks not abating anytime soon. These sites make great targets for ransomware groups looking for critical infrastructure that cannot afford to be down. They are also targeted by cyberterrorists and nation-state actors looking to create real-world mayhem out of digital efforts. One would think this would be a wake-up call for utilities to get serious about cybersecurity efforts. However, according to the "State of the Electric Utility 2020" report from Utility Dive, 37% of U.S. utility companies have not completely implemented their cybersecurity programs.

NERC Updates Are Coming 
Nothing lights a fire under a regulated industry faster than a regulation change that could bring fines or sanctions. Upcoming updates to the cybersecurity portions of North American Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) rules have many utilities and other covered companies scrambling to figure out the implications for their cybersecurity programs and to implement any necessary solutions. Sorting through the various elements of NERC regulations and rules can be confusing and frustrating; they are often highly technical in nature, and they use a lot of acronyms. It doesn't help that some of the terms they use are the same as IT terms, such as EAP and LEAP.

Understanding New Rules and Regulations
NERC is a nonprofit quasi-governmental agency that sets forth the standards for CIP. Much of this standard refers to non-cyber functions of the electric generation business, but given the incursion of automation technology and connectivity in most plants now, more elements are being added all the time to deal with cybersecurity, and this latest batch is no exception.

Having just gotten past the January 1, 2020, effective date of CIP 003-7 on Security Management Controls, companies now will have to make sure they are ready for the July rules. These changes focus on updates to the security perimeter requirements and change control all while introducing a new category of controls, CIP 013-1, which covers supply chain risk. Here is an overview of the changed or added sections with key takeaways on each. 

CIP 005-6 Cybersecurity — Electronic Security Perimeter
This section defines fairly detailed rules for firewalls, DMZs, and network segmentation requirements for protected assets. Added requirements center around the implementation of CIP-005-6 parts R2.2.4 and R2.2.5, which stipulate that they must have methods for determining how many active vendor remote access sessions they have at any given time and a way to disable these sessions. 

Many general remote access solutions don't differentiate between internal and vendor sessions and don't allow granular management and control over individual sessions. If you have one of these systems or no system at all and are just using VPN connections, you will have to develop some custom controls to monitor this activity and manually pull the reports you need to show compliance. Implementing a vendor management system that focuses on third-party access can help you isolate and track vendor sessions separate from internal sessions and make this job a whole lot easier. 

CIP 010-3 Cybersecurity — Configuration Change Management and Vulnerability Assessments
These controls are designed to prevent unauthorized changes to systems and also stipulate regular vulnerability assessments and tests to make sure systems are not susceptible to such modifications. There are a number of elements to this section, but the only changes that will be made for July 2020 implementation are R1.1.6, R1.6.1, and R1.1.6.2, which require you to verify the identity of any software you use in your supply chain and its integrity. This can be done by checking hashes and having processes for software downloads that stipulate known sites, checking certificates, and more. Most of this is fairly easy to implement, unless you have a large software development operation. Some software development tools will do some of this for you as well. 

CIP 013-1 Cybersecurity — Supply Chain Risk Management
This adds a new section to the CIP standards and probably represents the area that's least implemented in full by covered entities. It details the development and deployment of a formal supply chain risk management program. An astonishingly large number of organizations don't have a written program to track third-party risk, even those managing a large population of vendors doing critical tasks. Section 1.2 describes the various requirements you must have for vendors and supply chain partners, including notifications of breaches on their end, onboarding and offboarding of their users in your systems, and software integrity verification. 

Finally, it all has to be reviewed and signed off on by the enterprise's CIP Senior Manager at least every 15 months, with documentation of compliance per the R2 and R3 rules. While this may seem like a lot of things to get done, there are many technology solutions out there that can help get technical controls in place, such a Vendor Privileged Access Management (VPAM), and various vendor risk assessment platforms and exchanges to do risk assessments. The key is getting started with your program policy and procedure documents, for which there are many templates available on the Internet and consultants willing to put them together for you. 

Are You Prepared for the Updates?

Hopefully, these new rules are the "burning bridge" that get electrical utilities moving toward full implementations of cybersecurity programs that include all the contemporary best practices that NIST and other standards expect. It may be a race to the finish, but once implemented, these regulations will make sure electrical utilities are safer from cyber threats, especially ones brought in by third parties. And for utility IT security departments pressed to get all this in place by July, they can rest easy for a while after that. After July 2020, the next NERC CIP updates that include cyber controls are in July 2022. 

NERC Resources:

About the Author: Tony Howlett, CISO, SecureLink
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds CISSP, GNSA certifications, and a B.B.A. in Management Information Systems. Tony is currently the CISO at SecureLink.


Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/8/2020 | 8:12:18 AM
Re: A Bit Confusing, Indeed...
This site has commenting guidelines and comments are reviewed by moderators before they are fully published to the web site.
Due to comment spam on our site, we have changed our comment system to block all posts that include URLs. We are seeking a longer-term solution that would allow for URLs.
User Rank: Apprentice
3/24/2020 | 12:28:27 PM
A Bit Confusing, Indeed...
I spent some time this morning reviewing the referenced standards. They seem to be much too prescriptive, and much of the work done reinvents the wheel (discussing firewall best practices, training standards, etc.). The focus should be on the unique aspects of the sector which make cyber challenging, not 58 pages on cybersecurity controls (while incident response only gets 25). I agree this sector warrants high attention but disagree with thier approach so far...

Secondly, this industry reminds me of the healthcare sector 10 years ago...who is supposed to be helping these entites interpret and implement this guidance? Expertise is limited - greenfield for new jobs (and consulting contracts)?
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-21
NVIDIA Windows GPU Display Driver for Windows, R390 driver branch, contains a vulnerability in its installer where an attacker with local system access may replace an application resource with malicious files. Such an attack may lead to code execution, escalation of privileges, denial of service, or...
PUBLISHED: 2021-04-21
NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of se...
PUBLISHED: 2021-04-21
NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption.
PUBLISHED: 2021-04-21
NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 driver branch, contains a vulnerability where the software uses a reference count to manage a resource that is incorrectly updated, which may lead to denial of service.
PUBLISHED: 2021-04-21
NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference may lead to system crash.