Want to Improve Bulk Electric System Cybersecurity? Focus on Specific NIST Controls
In late June 2020, the Federal Energy Regulatory Commission (FERC) released a Notice of Inquiry1 (NOI) in which they asked detailed questions about the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the risk and impact of a coordinated cyberattack on the bulk electric system (BES). A recurring question throughout the NOI was whether low-impact cyber systems should be subject to the same North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards currently required of medium- and high-impact BES cyber systems.
The policy outcome that arises from this attention on the BES will need to balance the government interest in protecting the nation against a coordinated cyberattack and industry concerns about regulatory burden. This is especially important as low-impact systems are usually smaller and often have fewer resources than their larger, medium- and high-impact system counterparts. To balance these interests, one potential solution would be to implement certain NERC CIP controls and NIST concepts for low-impact cyber systems that will have the most impact:
- NERC-CIP’s Asset inventory (CIP 002-5.1a)2 coupled with
- NIST Cybersecurity Framework’s3 continuous monitoring concept and segmentation (DE.AE-1, DE.AE-2 and DE.AE-3)
According to the Center for Internet Security’s Top 20 Controls,4 hardware and software asset inventory controls are considered “basic” and listed as the first and second most important controls in their list of twenty. NIST describes the critical nature of asset inventory for the energy sector this way: “Without an effective asset management solution, organizations that are unaware of any assets in their infrastructure may be unnecessarily exposed to cybersecurity risks.”5 Asset inventory is widely recognized as a foundational step in many cybersecurity standards because organizations cannot protect assets of which they are unaware.
Medium- and high-impact BES cyber systems require asset inventory,1 but is explicitly not required for low-impact BES cyber systems.2,6 Taking asset inventory a step further and recognizing that a point-in-time asset inventory is not as valuable as a continuous asset monitoring program, the U.S. Department of Energy (DOE)7 and the U.S. Army Corps of Engineers8 have both suggested to FERC that the electric sector should adopt the NIST concept of information security continuous monitoring,9 which would provide real or near-real-time visibility into all connected assets. The DOE’s suggestion is particularly significant in light of its own rulemaking10 regarding insecure bulk power system equipment and potential mitigation practices.
Without knowing what assets are on the network, there is no way to manage connected assets or vulnerabilities effectively. Accurate and continuous asset inventories enable higher-level cybersecurity functions, which in turn enable the defense-in-depth strategy advocated by NERC1 and FERC.12 With an accurate and continuous asset inventory, low-impact BES cyber systems would be able to enforce dynamic network segmentation, which would effectively minimize or eliminate the risk of lateral movement within connected systems. Even NERC has suggested that low-impact BES cyber systems implement both network monitoring and segmentation following an incident at a low-impact facility in 2019.13
In addition to the cybersecurity benefits of continuous monitoring and segmentation, adherence to these principles could serve to fulfill another function for low-impact BES cyber systems. In roughly the same timeframe as the FERC NOI, the DOE also released a Request for Information (RFI)14 seeking comment on how to enforce President Trump’s executive order on “Securing the United States Bulk Power System.”15 The executive order declares that the bulk power system is a target for malicious actors and effectively prohibits “any acquisition, importation, transfer or installation” of bulk power system equipment in which a foreign adversary has any interest; foreign adversaries are currently defined as: China, Cuba, Iran, North Korea, Russia and Venezuela.
The executive order and the DOE’s RFI indicate that strategies to mitigate the impact of insecure bulk power system equipment may require functional methods to “identify, isolate, monitor or replace” insecure equipment. An official DOE ruling is expected to occur later in 2020.16 Continuous monitoring and segmentation could potentially fulfill forthcoming policy requirements from the DOE while also alleviating FERC’s concern regarding the risk of a widespread coordinated cyberattack on low-impact cyber systems.
There is an increasing need to secure our bulk power system from cyberthreats, as evidenced by FERC and the DOE’s recent requests for comment on the topic. To get ahead of forthcoming regulation and proactively address concerns about a coordinated cyberattack, electric utility owners and operators should consider the value that continuous monitoring and segmentation can offer in addressing both compliance and security.
For more information on how Forescout helps optimize risk management and accelerate compliance for Electric Utilities, download our Electric Utilities Solution Brief.
- FERC Potential Enhancements to the Critical Infrastructure Protection Reliability Standards https://www.ferc.gov/sites/default/files/2020-06/E-5-061820.pdf
- NERC CIP Standard CIP-002-5.1a — Cyber Security — BES Cyber System Categorization: https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-002-5.1a.pdf
- NIST Framework for improving critical infrastructure security: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- Forescout ebook: Center for Internet Security Controls: https://www.forescout.com/company/resources/sans-20/
- James McCarthy, et. al., National Institute of Standards and Technology, National Cybersecurity Center of Excellence, Special Publication 1800-23: Energy Sector Asset Management for Electric Utilities, Oil, & Gas Industry, page 1, September 2019.: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/esam-nist-sp1800-23-draft.pdf
- Noting that “an inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.” North American Electric Reliability Corporation (NERC), CIP-003-8 – Cyber Security – Security Management Controls, page 6, July 31, 2019.
- FERC’s report, Cybersecurity Incentive Policy White Paper: https://www.ferc.gov/sites/default/files/2020-06/notice-cybersecurity.pdf. As referenced, DOE encourages incentives to deploy continuous network monitoring in its framework of incentives. This objective not only aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework security controls for automated and continuous monitoring, but will also facilitate the efforts of DOE and industry participants to develop and deploy these capabilities across the energy sector.
- Potential enhancements to the Critical Infrastructure Protection Reliability Standards: United States Army Corp of Engineers: https://elibrary.ferc.gov/eLibrary/filedownload?fileid=15607859
- Kelley Dempsey, et al., National Institute of Standards and Technology (NIST), Special Publication 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf
- United States Department of Energy, Request for Information, Securing the United States Bulk-Power System, 85 Fed. Reg. 41023, July 8, 2020.: https://www.federalregister.gov/documents/2020/07/08/2020-14668/securing-the-united-states-bulk-power-system
- NERC Results Based Standards: Defining “defense-in-depth” as: Defense-in-depth is created when there is an appropriate portfolio of performance, risk-, and competency-based mandatory reliability requirements that complement and reinforce each https://www.nerc.com/pa/Stand/Pages/ResultsBasedStandards.aspx
- Federal Register: Potential Enhancements to the Critical Infrastructure Protection Reliability Standards, paragraph 2, June 24, 2020: https://www.federalregister.gov/documents/2020/06/24/2020-13618/potential-enhancements-to-the-critical-infrastructure-protection-reliability-standards
- North American Electric Reliability Corporation (NERC), Lesson Learned: Risks Posed by Firewall Firmware Vulnerabilities, pages 2-3, September 4, 2019.: https://www.nerc.com/pa/rrm/ea/Lessons%20Learned%20Document%20Library/20190901_Risks_Posed_by_Firewall_Firmware_Vulnerabilities.pdf
- Federal Register: Securing the United States Bulk Power System: https://www.federalregister.gov/documents/2020/07/08/2020-14668/securing-the-united-states-bulk-power-system
- Executive Order on securing the United States Bulk Power System. Exec. Order No. 13920, 85 Fed. Reg. 26595, May 1, 2020.
- Quoting a DOE official, “The Department anticipates publishing a notice of proposed rulemaking later this year, at which time interested parties will have another opportunity to provide comments.” Maggie Miller, Proposed rules to protect bulk power grid from foreign targeting raise concerns, The Hill, August 30, 2020.: https://thehill.com/policy/energy-environment/514221-proposed-rules-to-protect-bulk-power-grid-from-foreign-targeting