Dark Reading is part of the Informa Tech Division of Informa PLC

By Tony Howlett, CISO, SecureLink
Sponsored Article

NERC Updates May Force Utility Companies into Better Cybersecurity

Once implemented, these upcoming regulations will ensure electrical utilities are safer from cyber threats, especially those brought in by third parties.

Breaches and incidents at utility and other energy-related companies have been rising faster than an electric bill in a Texas summer. In 2019, a power plant in Ukraine was attacked and the power went out in the area for about an hour due to the problems it caused. And in February 2020, a gas pipeline in the US was shut down for two days after a ransomware incident. According to a study done by Allianz, 54% of critical infrastructure providers report attacks that attempted to control systems.

All signs point to attacks not abating anytime soon. These sites make great targets for ransomware groups looking for critical infrastructure that cannot afford to be down. They are also targeted by cyberterrorists and nation-state actors looking to create real-world mayhem out of digital efforts. One would think this would be a wake-up call for utilities to get serious about cybersecurity efforts. However, according to the "State of the Electric Utility 2020" report from Utility Dive, 37% of U.S. utility companies have not completely implemented their cybersecurity programs.

NERC Updates Are Coming 
Nothing lights a fire under a regulated industry faster than a regulation change that could bring fines or sanctions. Upcoming updates to the cybersecurity portions of North American Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) rules have many utilities and other covered companies scrambling to figure out the implications for their cybersecurity programs and to implement any necessary solutions. Sorting through the various elements of NERC regulations and rules can be confusing and frustrating; they are often highly technical in nature, and they use a lot of acronyms. It doesn't help that some of the terms they use are the same as IT terms, such as EAP and LEAP.

Understanding New Rules and Regulations
NERC is a nonprofit quasi-governmental agency that sets forth the standards for CIP. Much of this standard refers to non-cyber functions of the electric generation business, but given the incursion of automation technology and connectivity in most plants now, more elements are being added all the time to deal with cybersecurity, and this latest batch is no exception.

Having just gotten past the January 1, 2020, effective date of CIP 003-7 on Security Management Controls, companies now will have to make sure they are ready for the July rules. These changes focus on updates to the security perimeter requirements and change control, all while introducing a new category of controls, CIP 013-1, which covers supply chain risk. Here is an overview of the changed or added sections with key takeaways on each.

CIP 005-6 Cybersecurity — Electronic Security Perimeter
This section defines fairly detailed rules for firewalls, DMZs, and network segmentation requirements for protected assets. The added requirements center on the implementation of CIP-005-6 parts R2.2.4 and R2.2.5, which stipulate that covered entities must have methods for determining how many active vendor remote access sessions they have at any given time and a way to disable these sessions.

Many general remote access solutions don't differentiate between internal and vendor sessions and don't allow granular management and control over individual sessions. If you have one of these systems or no system at all and are just using VPN connections, you will have to develop some custom controls to monitor this activity and manually pull the reports you need to show compliance. Implementing a vendor management system that focuses on third-party access can help you isolate and track vendor sessions separate from internal sessions and make this job a whole lot easier. 
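For entities building the custom controls described above, the following added example (not part of the original article or any vendor product) shows one way to answer "which vendor sessions are active right now, and which would have to be disabled" from a session event log. The log format, the "vendor:" account prefix, and all names in it are assumptions; the sample events are constructed.

```python
from datetime import datetime

# Constructed session events (not from any real product):
# timestamp, event, session id, account, source address
SAMPLE_LOG = """\
2020-07-01T08:00:05Z OPEN  s-101 jdoe             10.1.4.22
2020-07-01T08:10:41Z OPEN  s-102 vendor:acme-hvac 203.0.113.7
2020-07-01T08:30:00Z OPEN  s-103 vendor:relaytech 198.51.100.9
2020-07-01T08:45:12Z CLOSE s-102 vendor:acme-hvac 203.0.113.7
2020-07-01T09:02:30Z OPEN  s-104 vendor:acme-hvac 203.0.113.7
2020-07-01T09:15:00Z CLOSE s-101 jdoe             10.1.4.22
"""

VENDOR_PREFIX = "vendor:"  # assumed convention marking third-party accounts
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log):
    """Yield (time, event, session_id, account, source) per non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, event, sid, account, src = line.split()
            yield datetime.strptime(ts, TS_FORMAT), event, sid, account, src


def active_vendor_sessions(log, at):
    """Vendor sessions open at time `at`: {session_id: (account, source, opened)}."""
    active = {}
    for ts, event, sid, account, src in sorted(parse(log), key=lambda e: e[0]):
        if ts > at:
            break
        if not account.startswith(VENDOR_PREFIX):
            continue  # internal sessions are tracked separately
        if event == "OPEN":
            active[sid] = (account, src, ts)
        elif event == "CLOSE":
            active.pop(sid, None)
    return active


def sessions_to_disable(log, at, vendor):
    """Session ids to terminate when one vendor's access must be cut off."""
    wanted = VENDOR_PREFIX + vendor
    return sorted(sid for sid, (account, _, _)
                  in active_vendor_sessions(log, at).items() if account == wanted)


if __name__ == "__main__":
    now = datetime(2020, 7, 1, 9, 10)
    print(len(active_vendor_sessions(SAMPLE_LOG, now)), "active vendor sessions")
    print("disable for acme-hvac:", sessions_to_disable(SAMPLE_LOG, now, "acme-hvac"))
```

The termination step itself depends on the remote access product in use; the session ids returned here are what that step would act on and what a compliance report would list.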

CIP 010-3 Cybersecurity — Configuration Change Management and Vulnerability Assessments
These controls are designed to prevent unauthorized changes to systems and also stipulate regular vulnerability assessments and tests to make sure systems are not susceptible to such modifications. There are a number of elements to this section, but the only changes that will be made for July 2020 implementation are R1.1.6, R1.6.1, and R1.1.6.2, which require you to verify the identity of any software you use in your supply chain and its integrity. This can be done by checking hashes and having processes for software downloads that stipulate known sites, checking certificates, and more. Most of this is fairly easy to implement, unless you have a large software development operation. Some software development tools will do some of this for you as well. 
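The hash and known-site checks described above can be scripted as part of a download procedure. This added example (not from the original article) checks the recorded source URL against an approved host list and the downloaded bytes against a published SHA-256 value; the host name, file name, and package bytes are constructed, and certificate validation is assumed to be done by the TLS client at fetch time.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed inventory: approved download hosts, plus SHA-256 values the vendor
# published and that were obtained through a separate channel from the download.
APPROVED_HOSTS = {"downloads.vendor.example"}
CONSTRUCTED_PACKAGE = b"relay-firmware 4.2.1 (constructed sample bytes)\n"
PUBLISHED_SHA256 = {
    # Derived from the constructed bytes so the example runs offline.
    "relay-firmware-4.2.1.bin": hashlib.sha256(CONSTRUCTED_PACKAGE).hexdigest(),
}


def verify_download(url, filename, data):
    """Check source identity and content integrity; return (ok, findings)."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("source was not fetched over HTTPS")
    if host not in APPROVED_HOSTS:  # exact match, so look-alike hosts fail
        findings.append(f"host '{host}' is not an approved source")
    expected = PUBLISHED_SHA256.get(filename)
    actual = hashlib.sha256(data).hexdigest()
    if expected is None:
        findings.append("no published hash on file for this package")
    elif not hmac.compare_digest(expected.lower(), actual):
        findings.append("SHA-256 does not match the published value")
    return (not findings, findings)


if __name__ == "__main__":
    good = "https://downloads.vendor.example/relay-firmware-4.2.1.bin"
    print(verify_download(good, "relay-firmware-4.2.1.bin", CONSTRUCTED_PACKAGE))
    print(verify_download(good, "relay-firmware-4.2.1.bin", CONSTRUCTED_PACKAGE + b"!"))
```

The findings list is meant to be stored with the change record, so that a failed or skipped check is visible at review time rather than silently ignored.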

CIP 013-1 Cybersecurity — Supply Chain Risk Management
This adds a new section to the CIP standards and probably represents the area that's least implemented in full by covered entities. It details the development and deployment of a formal supply chain risk management program. An astonishingly large number of organizations don't have a written program to track third-party risk, even those managing a large population of vendors doing critical tasks. Section 1.2 describes the various requirements you must have for vendors and supply chain partners, including notifications of breaches on their end, onboarding and offboarding of their users in your systems, and software integrity verification. 

Finally, it all has to be reviewed and signed off on by the enterprise's CIP Senior Manager at least every 15 months, with documentation of compliance per the R2 and R3 rules. While this may seem like a lot of things to get done, there are many technology solutions out there that can help get technical controls in place, such as Vendor Privileged Access Management (VPAM), and various vendor risk assessment platforms and exchanges to do risk assessments. The key is getting started with your program policy and procedure documents, for which there are many templates available on the Internet and consultants willing to put them together for you.

Are You Prepared for the Updates?

Hopefully, these new rules are the "burning bridge" that gets electrical utilities moving toward full implementations of cybersecurity programs that include all the contemporary best practices that NIST and other standards expect. It may be a race to the finish, but once implemented, these regulations will make sure electrical utilities are safer from cyber threats, especially ones brought in by third parties. And utility IT security departments pressed to get all this in place by July can rest easy for a while after that. After July 2020, the next NERC CIP updates that include cyber controls are in July 2022.

NERC Resources:

About the Author: Tony Howlett, CISO, SecureLink
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds CISSP, GNSA certifications, and a B.B.A. in Management Information Systems. Tony is currently the CISO at SecureLink.


User Rank: Apprentice
3/24/2020 | 12:28:27 PM
A Bit Confusing, Indeed...
I spent some time this morning reviewing the referenced standards. They seem to be much too prescriptive, and much of the work done reinvents the wheel (discussing firewall best practices, training standards, etc.). The focus should be on the unique aspects of the sector which make cyber challenging, not 58 pages on cybersecurity controls (while incident response only gets 25). I agree this sector warrants high attention but disagree with their approach so far...

Secondly, this industry reminds me of the healthcare sector 10 years ago...who is supposed to be helping these entities interpret and implement this guidance? Expertise is limited - greenfield for new jobs (and consulting contracts)?