The North American Electric Reliability Corporation (NERC) announced the largest public NERC CIP fine ever given, with a $10 million fine levied in response to 127 separate violations across an organization. As is normal, NERC did not identify the organization involved, although the language in the Notice of Penalty (NOP) makes it clear that the single organization represents multiple individual companies across various NERC regions. The violations encompass each of the CIP standards, but almost all of the violations were self-reported by the entity, with only 13 of them being discovered during Compliance Audits. The self-reports were submitted beginning in 2015 and continuing through 2018. Some of the penalties were related to not identifying assets which should have been subject to the CIP standards. For example, there were violations for not identifying and categorizing assets correctly, and then also violations for not including those assets in Disaster Recovery Plans or baseline configurations.
One of the reasons NERC shares Notices of Penalty such as this is so that the industry as a whole can see where other organizations have struggled with security compliance and can learn and improve the security of the entire industry. For this reason, NERC and the regional auditors will strive to identify the root causes for violations, so that not only the organization involved can improve, but so can other organizations.
NERC identified issues that contributed to the violations across all of the different standards, including:
- Lack of management involvement in the NERC CIP compliance program
- Divide between the security and compliance efforts at the companies
- Organizational silos across business units
The organization has not only identified mitigation activities to help prevent ongoing CIP violations, but has also made changes to the organization as a whole which are designed to increase senior leadership involvement in compliance oversight and create a centralized CIP oversight department. The company also committed to making more resources available to compliance and security efforts, including through the use of annual compliance drills.
The company is also making more targeted, specific efforts to mitigate the risk from the violations and to help ensure that their security and compliance programs are more effective going forward. This includes revising their IT program to ensure it meets the NERC CIP standards, and then ensuring each business unit adheres to the corporate IT security program.
The company that was fined in this case is not the only company struggling with organizational silos or with integrating their disparate teams, such as IT, security, and operations, into one cohesive organization. As the OT/ICS industry has become more digitized, this has become a common pain point among many of our customers. IT and security teams are becoming more and more responsible for OT/ICS networks and assets. The people on the IT teams generally want to work successfully with the operations teams, but they sometimes don’t know where to begin to do so. This is why it is important to have people and tools that can bridge the divide between the separate teams.
Having an integrated IT/OT cybersecurity program helps to reduce the risks associated with having assets which bridge both the IT and OT domains. The ability to achieve end-to-end visibility into all devices on both the IT and OT networks is the first step in building a comprehensive IT/OT cybersecurity strategy. It is often said in the IT security world that you can’t secure what you don’t know you have. It could just as easily be said, though, that you can’t demonstrate device compliance to regulatory standards if you don’t know what devices you have (I know, it doesn’t roll off the tongue as easily). Traditionally, keeping an accurate asset inventory for OT devices was a Herculean task, which could often involve multiple trips out to remote locations in order to find, record, and verify the asset inventory. However, by immediately and automatically discovering every device which connects to a network, this task can become an automated process, allowing organizations to save both time and money while also reducing cybersecurity risk by having an accurate asset inventory.
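The reconciliation that an automated discovery feed makes possible, and that the NOP's asset violations turn on (devices never identified, never categorized, or categorized but left out of baseline configurations and recovery plans), as an added example that is not code from the original post or from any product. The device lists, MAC addresses and register fields are constructed for illustration.

```python
"""Reconcile network-discovered devices against a CIP asset register.

All data below is constructed sample input, not taken from the NOP.
"""

# Constructed: devices seen on the network by automated discovery.
DISCOVERED = [
    {"mac": "00:1a:2b:00:00:01", "ip": "10.10.1.5", "vendor": "ExamplePLC"},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.10.1.6", "vendor": "ExampleHMI"},
    {"mac": "00:1a:2b:00:00:03", "ip": "10.10.1.7", "vendor": "ExampleRTU"},
    {"mac": "00:1a:2b:00:00:04", "ip": "10.20.5.9", "vendor": "ExampleSwitch"},
]

# Constructed: the CIP asset register, keyed by MAC. "impact" is the
# assigned impact categorization, or None if the asset was never categorized.
REGISTER = {
    "00:1a:2b:00:00:01": {"name": "PLC-01", "impact": "medium",
                          "in_baseline": True, "in_dr_plan": True},
    "00:1a:2b:00:00:02": {"name": "HMI-01", "impact": "medium",
                          "in_baseline": False, "in_dr_plan": True},
    "00:1a:2b:00:00:03": {"name": "RTU-01", "impact": None,
                          "in_baseline": False, "in_dr_plan": False},
    "00:1a:2b:00:00:05": {"name": "EAP-01", "impact": "high",
                          "in_baseline": True, "in_dr_plan": True},
}


def reconcile(discovered, register):
    """Return finding-type -> list of device identifiers.

    unregistered : on the network but absent from the register (by IP)
    uncategorized: registered but never given an impact categorization
    no_baseline  : registered but missing a baseline configuration
    no_dr_plan   : registered but not covered by a recovery plan
    not_seen     : in the register but not observed on the network
    """
    findings = {k: [] for k in
                ("unregistered", "uncategorized", "no_baseline", "no_dr_plan", "not_seen")}
    seen = set()
    for dev in discovered:
        entry = register.get(dev["mac"])
        if entry is None:
            findings["unregistered"].append(dev["ip"])
            continue
        seen.add(dev["mac"])
        # Each gap is reported separately; the NOP describes violations for
        # categorization, baselines and recovery plans as distinct failures.
        if entry["impact"] is None:
            findings["uncategorized"].append(entry["name"])
        if not entry["in_baseline"]:
            findings["no_baseline"].append(entry["name"])
        if not entry["in_dr_plan"]:
            findings["no_dr_plan"].append(entry["name"])
    # Stale register entries need a site visit or a decommissioning record.
    findings["not_seen"] = [e["name"] for m, e in register.items() if m not in seen]
    return findings


if __name__ == "__main__":
    for kind, devices in reconcile(DISCOVERED, REGISTER).items():
        print(f"{kind:13s} {devices}")
```

Feed it a real discovery export and register and the output is the list of devices an auditor would ask about first.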