Because electric utility companies power almost everything we enjoy in today’s connected society, they face mounting pressure to ensure operational continuity in the face of increasing cyberthreats that specifically target industrial control system (ICS) networks. These organizations have important obligations when it comes to securing their infrastructure, and the need to enhance ICS cybersecurity and ensure compliance with the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards has resulted in sizeable investments in ICS network monitoring technology.
Enhancing ICS Cybersecurity
The implementation of passive network monitoring tools has made it easier than ever for utility asset owners to maintain a real-time asset inventory by leveraging information from devices communicating over serial or TCP/IP-based communication channels in substations. The always-on, always-listening asset detection capabilities save them costly and time-consuming site visits and improve the overall accuracy of the asset inventory.
These tools don’t just bring better visibility. They also come with the added benefit of continuously monitoring the network to detect both cybersecurity and operational risks. Because these solutions detect anomalies 24/7, the sheer volume of alerts they generate becomes a challenge in itself. Security operations centers (SOCs) now sift through these alerts daily to triage which issues are critical and which are just noise.
The latest release of SilentDefense, our ICS cybersecurity solution, helps utility companies solve this challenge by automating risk analysis with the Asset Risk Framework. This impact-based, automated risk scoring matrix combines multiple factors to deliver two intuitive risk scores: the security risk score and the operational risk score. The security risk score empowers SOC teams to immediately identify assets with a high potential of being compromised. It accounts for exposure data, such as critical vulnerabilities affecting a device or a direct internet connection, and for actual evidence that an attack may be ongoing, such as port scan activity and exploit attempts. The operational risk score helps ICS engineers quickly spot devices exhibiting signs of misconfiguration or malfunction that could cause unexpected downtime.
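To make the two-score idea concrete, here is an added illustration (not SilentDefense’s actual scoring matrix, whose weights and factors are not disclosed on this page) of how exposure and attack-evidence findings can be weighted by asset impact into separate security and operational scores, so that a flood of per-event alerts collapses into a short prioritized list. The factor names, weights, and asset records are all constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical weights (constructed for this example, not the product's own).
# Security factors: exposure (what could be attacked) and evidence (what is being attacked).
SECURITY_WEIGHTS = {"critical_vuln": 30, "internet_exposed": 25,
                    "port_scan": 20, "exploit_attempt": 40}
# Operational factors: signs a device may fail on its own.
OPERATIONAL_WEIGHTS = {"misconfiguration": 35, "malfunction": 45}

@dataclass
class Asset:
    name: str
    criticality: float          # 0.0 .. 1.0: impact if this asset is lost or compromised
    findings: set = field(default_factory=set)  # factor names observed by monitoring

def _score(findings, weights, criticality):
    # Impact-based: the raw sum of matched factor weights is scaled by asset criticality,
    # so the same finding on a feeder relay outranks it on a low-impact workstation.
    raw = sum(weights.get(f, 0) for f in findings)
    return min(100, round(raw * criticality))

def security_risk(asset):
    return _score(asset.findings, SECURITY_WEIGHTS, asset.criticality)

def operational_risk(asset):
    return _score(asset.findings, OPERATIONAL_WEIGHTS, asset.criticality)

def triage(assets, threshold=50):
    """Return (name, security, operational) for assets where either score meets the
    threshold, highest score first; everything below the threshold is the 'noise'."""
    scored = [(a.name, security_risk(a), operational_risk(a)) for a in assets]
    hot = [row for row in scored if max(row[1], row[2]) >= threshold]
    return sorted(hot, key=lambda row: max(row[1], row[2]), reverse=True)

# Constructed substation inventory with findings as a passive monitor might report them.
ASSETS = [
    Asset("RTU-substation-A", 1.0, {"critical_vuln", "exploit_attempt"}),
    Asset("HMI-ops-1", 0.8, {"internet_exposed", "port_scan", "misconfiguration"}),
    Asset("eng-workstation", 0.5, {"port_scan"}),
    Asset("relay-feeder-3", 1.0, {"malfunction", "misconfiguration"}),
]

if __name__ == "__main__":
    for name, sec, ops in triage(ASSETS):
        print(f"{name:20} security={sec:3d} operational={ops:3d}")
```

Four assets carrying eight raw findings reduce to two entries above the threshold, one for the SOC (the RTU with an exploit attempt against a critical vulnerability) and one for ICS engineers (the malfunctioning relay).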
Simplifying NERC CIP Compliance
The NERC CIP standards were established to help asset owners in the utility industry better protect their infrastructure against evolving cyberthreats. Maintaining compliance with NERC CIP is more critical than ever, as evidenced by the $10 million fine issued this year, the largest public fine in NERC CIP history. As important as these requirements are, complying with them can be incredibly time-consuming and expensive.
Forescout has developed several functionalities that can help streamline NERC CIP compliance efforts. With our optional active module, ICS Patrol, utility asset owners can achieve a deeper level of visibility not accessible with passive monitoring alone. This component gives users a host of tools to help manage compliance with the evolving NERC CIP requirements, including documentation of every user that has logged into a Windows system, confirmation of whether patches have been applied, and automatic identification of deviations from the baseline, or “Golden Image”. In our latest release, users can further simplify the creation of NERC CIP reports in ICS Patrol and periodically document the network status to help prove compliance at specific points in time.
To learn more about how you can enhance cybersecurity and streamline NERC CIP compliance with OT network monitoring, download our NERC CIP eBook.