Last month, we released a collection of insights on threats facing North American electric utilities. The threat intelligence team here at Dragos provided an in-depth discussion regarding trends, industry observations, and potential mitigations. If you are an asset owner/operator, vendor, or system integrator in the industry, it’s worth noting the tactics, techniques, and procedures leveraged by the various activity groups targeting power systems. By understanding how an adversary may compromise critical infrastructure, we can, as defenders, better protect the underlying systems and processes we operate to provide reliable power to customers.
One thing we also did in that document was examine some of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements to help focus defenders on existing controls that may already be used in regulated environments. The NERC CIP Reliability Standards, as many already know, describe a programmatic approach to cybersecurity that addresses the criticality of systems and assets and the protections that need to be in place, and they are part of a large regulatory machine that includes penalties for noncompliance. These standards are written by industry, and approved by the Federal Energy Regulatory Commission (FERC), to provide a security posture across the nearly 1,800 utilities in North America that operate the nation’s Bulk Electric System (BES). But that security posture is, as often noted, the minimum of what to achieve, and the standards never prescribe how utilities should achieve it. It’s the ultimate choose-your-own-adventure and we’re all along for the ride!
This is one of the reasons why the recent threat perspective is a “must read” for anyone involved with reliable operation of the BES. The NERC CIP Reliability Standards, while exhaustive in many ways, do not cover anything regarding threat management. Utilities are on their own to define what threat management means and how they will respond to the increased capabilities across activity groups. It is easy to argue that regulations will lag behind threats and vulnerabilities—and that is true—but it is another thing entirely not to incorporate a threat program into a utility’s overall security posture.
At the end of the day, the NERC CIP Reliability Standards are just one element of a utility’s cybersecurity program. It should not be considered a silo.
NERC CIP and Risk Management
Recall that the classic risk equation is defined as: Risk = f(threat × vulnerability × impact)
Within the concept of NERC CIP compliance, impact is defined by CIP-002 and a vulnerability management program is defined within CIP-007. But the glaring lack of threat management (regardless of your position on regulatory requirements) means that CIP, taken as a utility’s whole cybersecurity discussion, does not address overall risk.
This battle with risk in NERC CIP compliance has existed since before the standards were actually… well… standards. In 2006, FERC noted that:
For interconnected control systems of various entities, an acceptance of a cyber risk by one entity is actually an acceptance of risk for all of those connected entities because the entity that initially accepted the risk is now the weak link in the chain. The concern is that there does not seem to be any oversight that would allow for the determination of the cybersecurity posture for an interconnected control network.
This is because NERC CIP, as a set of standards in the eyes of FERC, addresses cybersecurity for the entire Bulk Electric System, not just an individual utility. While each utility incorporates the requirements (and absolutely benefits from doing so), the purpose of the standards explicitly refers to the “reliable operation of the BES,” not the utility’s own operations. This is why, for example, CIP-002 has thresholds for High and Medium Impact that some utilities in the BES will never reach. Never mind that the loss of a 100 MW generation facility or a small 138 kV transmission substation near a town could be catastrophic for nearby communities and customers—the Bulk Electric System would likely be fine. As such, relying on NERC CIP as the only response for a utility’s cybersecurity program would ignore that the standards are scoped to the BES, not to the utility.
Risk management, as a field, is much older than the CIP standards or even cybersecurity. We manage risk in electric utilities all the time—safety risk, reliability risk, financial risk. Each of these disciplines stems from the same risk management principles, including risk “acceptance, tolerance, mitigation, and transfer.” Utilities that rely on NERC CIP as their only cybersecurity requirements are missing the benefits of a robust, and flexible, risk management program that provides a more in-depth understanding of their people, processes, and technologies. Similar to cybersecurity, safety and financial risk management deal with “threats” and “vulnerabilities,” but they are managed in board-level discussions that involve future projections, insurance, and metrics. As utilities mature across cybersecurity, there should be an expectation on our industry to work in an analogously mature fashion to manage cyber risk.
Incorporating Threat Management with CIP Requirements
It’s not totally fair to say that NERC CIP does not address cyber risk. In a few short months, CIP-013 will introduce risk management concepts for supply chain and external dependency management. For the first time since “risk acceptance” was removed by FERC in the original version, utilities will be asked to “identify and assess cybersecurity risk(s)” across purchased equipment and software. While there are many approaches that can be leveraged in these assessments—from the Cybersecurity Capability Maturity Model (C2M2), NIST SP 800-161, and other standards—one thing utilities should also consider: threat intelligence and threat management.
By incorporating threat feeds into the assessment process, utilities gain extra assurance about what threat actors are targeting. For example, the aforementioned Dragos threat perspective for electric utilities highlighted activity groups targeting VPN access. That could be useful information when implementing CIP-013 controls around procuring VPN software. Similarly, being able to gain additional insights into the tactics, techniques, and procedures used in the wild can be informative when working with vendors on supply chain risk management.
While CIP-013 has some notable attention across industry, there are other great methods for leveraging threat management and intelligence to complement any utility’s NERC CIP program. Let’s consider CIP-005 R1, which establishes the Electronic Security Perimeter (ESP). Part 1.5 requires utilities to “have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.” While there are many ways to achieve the what of this requirement, one how could include an OT-specific technology that leverages threat intelligence to determine “malicious communications” within the ESP. Similar technologies can also support CIP-007 R4 and help utilities not only understand what occurs during a cybersecurity incident, but also recover more quickly—making the job a little bit harder for the bad guys targeting power systems.
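To make the CIP-005 R1 Part 1.5 idea concrete, the following is an added illustration (not Dragos tooling and not a NERC-prescribed method) of the simplest form of what such a technology does: take traffic records from the ESP boundary, work out whether each record is inbound or outbound relative to the perimeter, and compare the external side of the conversation against threat-intelligence indicators. The log format, the ESP address range, and the indicator values are all constructed assumptions for this example; real indicators would come from a threat feed such as the one discussed above.

```python
"""Constructed example: screening ESP boundary traffic against threat intel.

Added illustration only. The firewall log format, ESP address space and
indicator values below are assumptions made for this example, not real
indicators of compromise and not any vendor's or regulator's format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the ESP's internal address space. Addresses inside are "within
# the perimeter"; anything else is on the untrusted side of the boundary.
ESP_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed indicators standing in for a threat-intelligence feed: external
# addresses and a destination port an intel report might attribute to an
# activity group. These are documentation-range values, not real IoCs.
INDICATOR_IPS = {"203.0.113.77", "198.51.100.9"}
INDICATOR_PORTS = {4444}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    direction: str  # "inbound" or "outbound", relative to the ESP


def in_esp(ip: str) -> bool:
    """True if the address belongs to the ESP's internal address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ESP_NETWORKS)


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed boundary log line of the form
    "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>".

    Returns None for lines that are not flow records, or for flows that do
    not cross the ESP (both ends inside, or both ends outside), since Part 1.5
    is about communications crossing the perimeter in either direction.
    """
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        src, dst, dport = fields["src"], fields["dst"], int(fields["dport"])
        src_inside, dst_inside = in_esp(src), in_esp(dst)
    except (KeyError, ValueError):
        return None  # malformed or non-flow record
    if src_inside and not dst_inside:
        return Flow(src, dst, dport, "outbound")
    if dst_inside and not src_inside:
        return Flow(src, dst, dport, "inbound")
    return None  # does not cross the ESP boundary


def match_indicators(flow: Flow) -> List[str]:
    """Return the reasons a boundary flow matches threat-intel indicators."""
    # The external party is the destination of an outbound flow and the
    # source of an inbound flow; that is the side intel indicators describe.
    external = flow.dst if flow.direction == "outbound" else flow.src
    reasons = []
    if external in INDICATOR_IPS:
        reasons.append(f"external address {external} is a known indicator")
    if flow.dport in INDICATOR_PORTS:
        reasons.append(f"destination port {flow.dport} matches an indicator")
    return reasons


def detect(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Screen log lines; return (direction, src, dst, reasons) per match.

    Denied connections are screened too: a blocked attempt to reach an
    indicator is still a 'suspected malicious communication' worth knowing.
    """
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reasons = match_indicators(flow)
        if reasons:
            alerts.append((flow.direction, flow.src, flow.dst, reasons))
    return alerts


# Constructed sample log lines (not captured from any real environment).
SAMPLE_LOG = [
    "2020-01-15T12:00:01Z src=10.20.1.5 dst=203.0.113.77 dport=443 action=allow",
    "2020-01-15T12:00:02Z src=198.51.100.9 dst=10.20.3.10 dport=502 action=allow",
    "2020-01-15T12:00:03Z src=10.20.1.5 dst=10.20.3.10 dport=502 action=allow",
    "2020-01-15T12:00:04Z src=10.20.1.7 dst=192.0.2.20 dport=4444 action=deny",
    "2020-01-15T12:00:05Z src=192.0.2.30 dst=10.20.3.11 dport=22 action=deny",
]

if __name__ == "__main__":
    for direction, src, dst, reasons in detect(SAMPLE_LOG):
        print(f"{direction:8} {src} -> {dst}: {'; '.join(reasons)}")
```

Run against the constructed log, the screen flags the outbound connection to an indicator address, the inbound connection from one, and the denied outbound attempt on an indicator port, while the purely internal flow and the benign inbound SSH are left alone. The design point is that the same indicator set drives both the inbound and the outbound check, which is exactly the two-directional coverage Part 1.5 asks for; the value of the check rises and falls with the quality and currency of the intelligence behind the indicator set.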
An internal threat intelligence team trained on NERC CIP or a NERC CIP compliance team trained on threat management can be of great value to any utility, regardless of your compliance program. By tying threats to compliance requirements, our industry can gain a deeper understanding of how our systems are not only protected—but how they can be misused or degraded by adversaries.
Comprehensive Utility Cyber Risk Management
NERC CIP should not be treated as a standalone compliance silo. Cybersecurity is not isolated to just specific sites or systems. Instead, NERC CIP, like other reliability concepts, is “how we do business” as utilities. After all, compliance is considered “the third line of defense” for security programs. With threat activity groups gaining more capabilities to compromise power systems, we need to do more as a community to embrace NERC CIP with an overall cyber risk management program. We need to understand the impacts, vulnerabilities, and threats across cybersecurity for our industry and tailor approaches that make sense to each environment and system we operate. That is our job as grid defenders.
And that is not to say that NERC CIP is an easy set of requirements or that there are not challenges with compliance in general. Thousands of utilities operate the most complex machine ever invented, 24×7, in order to maintain our way of life. Nothing about that is easy or devoid of challenges. Cyber risk, like reliability and safety risk, can be managed. And as threats grow, we need to mature in order to continue to protect our communities.
In the coming months, we’ll continue to explore risk management techniques for industrial control systems and critical infrastructure. Stay tuned.
About the Author
Jason D. Christopher is the Principal Cyber Risk Advisor at Dragos, where he combines his 15+ years of experience with industrial control systems, risk management, and regulatory knowledge to help clients create sustainable cybersecurity strategies. He previously served as the CTO for Axio, a cyber risk management SaaS company, and managed their utilities and energy sector portfolio. Prior to Axio, Jason was a technical researcher at the Electric Power Research Institute focusing on security metrics and information assurance. Before working in the private sector, Mr. Christopher held various roles across the US Department of Energy and Federal Energy Regulatory Commission where he led programs across the NIST Cybersecurity Framework, the Cybersecurity Capability Maturity Model (C2M2) and the NERC Critical Infrastructure Protection Standards, among other efforts.
He is a certified SANS Instructor and teaches ICS 456: Essentials for NERC Critical Infrastructure Protection and holds a Bachelor of Science in Computer Engineering from Binghamton University and a Master of Engineering in Electrical Engineering from Cornell University.