Successfully Addressing NERC CIP Cybersecurity Standards

The power industry is perhaps the furthest along in hardening their cybersecurity defenses due to the work of the North American Electric Reliability Corporation (NERC) on the critical infrastructure protection (CIP) cybersecurity standards—now at version 6.

Power magazine: Tackling NERC CIP and Cybersecurity at America’s Largest Gas-fired Cogeneration PlantIn a Power magazine article, Tackling NERC CIP and Cybersecurity at America’s Largest Gas-fired Cogeneration Plant, this electrical energy and steam energy producer shares their story of their path to addressing these standards and hardening their cyber-defenses.

Upon being classified as a medium-impact bulk generating asset per the CIP v6 standards, this meant the plant:

…would need to comply with NERC CIP Standards 2 through 11, after having no prior NERC CIP obligations. This meant the facility needed a formal, documented process for patch management, configuration management, security event monitoring, and more.

The plant had 120 people with two responsible for the control systems. This additional requirement was borne by these two folks. They investigated ways to accomplish the required areas, such as patch management.

Based on the quantity of control system-related workstations and the process to identify the required patches, and then:

…logging-on, loading, and rebooting each station before moving onto the next…

When this whole process, required to be performed monthly, was performed manually, it took more than a month to complete.

In addition to these patching efforts:

…the two operators were also tasked with managing malware protection, annual vulnerability assessments, and configuration management—all in addition to regular distributed control system (DCS) responsibilities.

With the manual patching approach not being viable, not to mention the other areas of NERC CIP obligations, they explored other options from other suppliers.

The most comprehensive solution would require working with four different companies to install four different systems that would each address a specific aspect of the plant’s security program.

This approach would be difficult due to cost as well as time required to develop and implement the process, procedures, reporting and training.

The third approach was to work with the Emerson Cybersecurity Services team:

Unlike the other suppliers, Emerson not only knew the operators, the plant, and its system, but also had for years been developing and deploying a full-featured cybersecurity suite that had many of the elements plant operators had been evaluating from other vendors.

The Power and Water Cybersecurity Suite is a:

…customizable cybersecurity suite integrates hardware and virtualized software modules to provide a variety of security management functions not only for its own Ovation control system [hyperlinked added] network, but also for control systems supplied by other vendors.

On their path to meeting the standards, patch management was the first step. The suite’s patch management module:

…employs an agent-based solution that inventories software, determines patch needs in each workstation and server, and installs the patches. Standard reports document vulnerabilities, patch deployments, patch status, inventory, and trends for each individual device and at aggregated levels.

From a 45-day manual process, this automated approach cut it to a week and a half.

Building on this success, next on the path to meeting the standards were:

…configuration management, SIEM [Security Information and Event Management], backup and restore, and malware prevention.

One other key requirement of becoming a medium-impact asset was to perform a vulnerability assessment every 15 months. The plant worked with the Emerson team:

…to conduct a comprehensive cybersecurity assessment. The first step involved an inventory and documentation of all cyber assets…

A team of 4 engineers:

…spent two weeks physically walking through the plant—even crawling under desks to trace wires—to document the entire system down to the instrument level. As part of this process, they noted the location, asset tag, and how each component was connected to other devices and systems, both internal and external.

After this data was collected and analyzed, the Emerson cyber-security services team prepared a comprehensive vulnerability assessment report:

The 30-page report contained specific, actionable recommendations about what to do immediately, what to do in the short term, and what to do in the long term to improve the plant’s security posture and meet NERC CIP obligations.

Reach the article for more on what the report contained and recommendations to help achieve the NERC CIP requirements.

You can connect and interact with other Power and cybersecurity experts in the Power and Ovation groups in the Emerson Exchange 365 community.