The Integrator’s Role in NERC Compliance

Aug. 8, 2022
Being a trusted advisor to utilities end-users starts with these mandates

This article originally appeared in the August 2022 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.

Shifting consumer preferences and evolving threat landscapes and regulations have changed the energy utilities industry. Although much of the industry is still working with an analog, scale-driven, centralized approach, it is now shifting quickly to become a digital and distributed model.

Energy utility companies are looking to update and heighten critical security infrastructure and stay ahead of regulatory changes to meet modern demands. 

By familiarizing themselves with the changing regulations, systems integrators can be a great resource for utility customers. Since integrators often deploy hundreds of systems each year, they can help customers navigate the process of selecting a security system and ensure that the system supports compliance with NERC CIP – the Critical Infrastructure Protection plan of the North American Electric Reliability Corporation.

Integrators can help by partnering with customers to review NERC compliance standards to define where systems currently operating and protecting existing infrastructure need to be updated or replaced.

To help with this, here’s a summary of each of the NERC CIP requirements from two perspectives: First, the utility end-user; and then, the security integrator who should recommend a solution.

CIP-002-5.1a: Cybersecurity – management controls

A BES (Bulk Electric System) Cyber System, as defined by NERC, is “a group of cyber assets that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation…affect the reliable operation of the Bulk Electric System.”

Utility: Categorize different BES Cyber Systems based on potential impact levels (High, Medium, Low) to better understand how to manage vulnerabilities and protect these assets while regularly maintaining and reviewing them.

Integrator: Look for systems that can provide an up-to-date breakdown of all connected devices and their statuses. This will help the end-user simplify the review process, as it provides a clear view of all device statuses in real-time to know which requires immediate attention.

CIP-003-8: Cybersecurity – security management controls

Utility: Define and regularly review cybersecurity policies and establish clear responsibility and accountability, procedures, and plan of action in the event of any cybersecurity incidents in BES Cyber Security Systems.

Integrator: Recommend a security system that can help guide at utility’s security teams through their incident response with digitized standard operating procedures that are in accordance with organization-specific processes and compliance requirements. This will help reduce potential human error and ensure compliance while simplifying the audit and reporting process.

CIP-004-6: Cybersecurity – personnel and training

Utility: Minimize potential vulnerabilities and errors caused by employees when accessing BES Cyber Systems by conducting security awareness training programs, running regular background checks on employees with high levels of access, and ensuring that user accounts, account groups, role categories, and their specific privileges are accurate and up to date.

Integrator: Look for a system that can support a utility’s goal of managing identity and access rights based on each employee’s attributes – whether contracted or staffed – while being fully unified with the access control system. This will streamline efforts in managing different cardholder accesses for protected areas.

CIP-005-6: Cybersecurity – electronic security perimeter(s)

Utility: Secure access to BES Cyber Systems by keeping your critical assets within a designated electronic security perimeter to be able to closely monitor them in case of suspicious activity.

Integrator: Ensure all systems that are connected to the network infrastructure require secure authentication, communications that are encrypted using the latest security protocol, and users that have role-based permissions to access critical assets. Make sure an activity trail report of access is available to simplify investigations or audits.

CIP-006-6: Cybersecurity – physical security of BES cyber systems

Utility: Protect and manage physical access to BES Cyber Systems by defining a physical security plan to manage intrusions and unauthorized access into protected areas.

Integrator: Choose a physical access control system that can be seamlessly paired with a visitor management solution to heighten the utility’s security and ability to respond to incidents while meeting all compliance requirements. Ensure that a full reporting functionality is available to keep track of log access attempts and cardholder/visitor activity for incident investigations.

CIP-007-6: Cybersecurity – systems security management

Utility: Reinforce BES Cyber Systems protection by defining and implementing technical, operational, and procedural requirements that include open ports and services, patch management, malicious code detection and alert, event logs and user access control.

Integrator: To ensure security policies are actively enforced, look for systems that can provide system health dashboards, automatic firmware updates/patches, alerts on failed login attempts with activity trail as well as the ability to govern and synchronize user access rights that automatically updates within your identity and access management system. Consider a unified access control and identity management system to reduce the need to work with multiple disparate systems.

CIP-008-6: Cybersecurity – incident reporting and response planning

Utility: Put in place procedures to identify, classify, and respond to cybersecurity incidents and keep complete records of the incident and management process to report to the Electricity Information Sharing and Analysis Center (E-ISAC) for forensic analysis.

Integrator: A centralized system that keeps a complete log of network activity and access, as well as a full history of the asset configuration data, will simplify the investigation and recovery process when required. Look for technology partners that can provide emergency support in case of a catastrophic system failure or cyberattacks.

CIP-009-6: Cybersecurity – recovery plans for BES cyber systems

Utility: Define a recovery plan for the BES Cyber Systems in the event of a cyberattack on the BES.

Integrator: To better support potential disaster recovery, look for systems that provide a full failover and redundancy architecture, as well as the ability to distribute them across multiple servers and geographical sites. Place a Disaster Recovery Directory at an off-site location where it will kick in only when all other Directory servers are down.

CIP-010-3: Cybersecurity – configuration change management and vulnerability assessments

Utility: Develop a baseline configuration for each critical cyber asset and monitor them for any deviations from that baseline to better assess each asset’s vulnerabilities.

Integrator: Choose a system that can provide a comprehensive audit trail report that tracks all changes made by system administrators and the configuration of files so that they can be easily compiled for the NERC CIP compliance audit.

CIP-011-2: Cybersecurity – Information protection

Utility: Put in place measures to protect and securely handle the storage, transit, use, and retrieval of data related to BES Cyber Systems to prevent data theft or hacking.

Integrator: Be sure the utility only allows individuals who are essential to the operation of the BES to have access to the system, and ensure the information stored in databases is encrypted at rest and in transit. You may recommend a ‘minimal rights’ control mechanism for access with multi-factor authentication.

CIP-013-1: Cybersecurity – supply chain risk management

Utility: Develop a supply chain cybersecurity risk management plan to identify and assess risk to BES posed by vendor products or services.

Integrator: Ensure all critical vendor partners have clear cybersecurity guidelines, and make sure that integrator employees do not have access to the system by default without consent, particularly in system-to-system remote access.

CIP-014-2: Physical security

Utility: Identify and protect critical infrastructure within BES and implement measures to ensure their protection from physical attacks that may result in power outages.

Integrator: Recommend a unified physical security platform that enables the utility to manage video surveillance, access control, and perimeter intrusion detection systems together on a single pane of glass. This will give the utility complete visibility of the entire operation with the ability to view all local and remote sites on the same user interface. Additionally, take proactive measures to identify potential intruders at protected sites with solutions that enable monitoring beyond the fence line to pre-classify potential intruder threat levels, reducing nuisance alarms.

Greg Kemper is Regional Director, Enterprise at Genetec. Request more information about the company at www.securityinfowatch.com/10213771.
About the Author

Greg Kemper

Greg Kemper is Regional Director, Enterprise at Genetec. He has a deep knowledge of the security industry, with over 25 years of experience in video surveillance and access control.