Featured Insights

2019 Strategic Planning:Smart Utilities Report

NERC CIP Low-Impact Compliance Drives Opportunity to Improve Operational Technology Security

The U.S. Department of Homeland Security (DHS) named cyberattacks on critical infrastructure one of the nation’s most serious and potentially devastating security challenges. According to DHS, U.S. utilities face down millions of attempted cyberattacks every day. Recognizing the threat these attacks pose to the national power grid, federal regulators actively are working to strengthen protections.

For years, the primary focus was to protect the high- and medium-impact assets that make up the bulk electric system (BES). From a compliance perspective, low-impact assets (LIAs) presented less risk and therefore took a backseat as utilities focused on perceived risk-adjusted higher-priority efforts. But in April 2018, the Federal Energy Regulatory Commission (FERC) finalized a ruling of North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) reliability standard 003-7 that requires utilities to extend proper cyber protections to all LIAs on the grid by 2020, including transient assets.

The revised NERC CIP standard (Cyber Security — Security Management Controls) requires that utilities adopt consistent and sustainable security management controls that include the following:

  1. Improving electronic access controls to low-impact BES cyber systems.
  2. Mandating security requirements for mobile electronic devices such as thumb drives and laptops. 
  3. Requiring utilities to develop a response policy in the case of a system threat. 

Utilities recognize the critical role that cybersecurity plays in ensuring the future health, reliability and resilience of the electric grid. Respondents to Black & Veatch’s 2019 Strategic Directions: Smart Utilities Report survey, an annual survey of American utilities, continue to name cybersecurity as one of the driving forces behind grid modernization efforts.

However, the distributed nature of these projects — from the multiple site types to the sheer volume of low-impact field devices and distributed geographical nature of assets — makes implementing this new NERC-CIP standard an intimidating task. While the consequences of noncompliance are severe, ranging from fines to sanctions, those penalties do not compare to the chaos and damage that would result should one of these critical networks become compromised by a malevolent cyber intrusion.

Where does the industry stand in bringing itself into compliance with this NERC CIP mandate?

An Industry on the Move

According to the 2019 Black & Veatch Strategic Directions: Smart Utilities Report survey, utilities are working toward compliance. More than a quarter of survey respondents have completed assessments of their LIAs, and more than half are currently working on these LIA assessment activities. Thirteen percent have completed their LIA assessment planning activities and are pending execution. Utilities are also implementing site-based network data monitoring and protection systems such as instruction detection systems (75 percent) and firewalls (92 percent).

Black & Veatch helped WFEC achieve three objectives:

  1. Perform a site survey and inventory to identify all cyber assets and candidate BES cyber assets and include photo and video documentation.
  2. Compile a per-site list of discovered data flows (including IP source and destination addresses, source and destination protocol ports and a per-site list of any unknown application flows of protocols).
  3. Install and configure new LEAP protection devices at each LIA site and facilitate data flow identification that enabled LEAP protection devices to be planned, stages, configured, tested, deployed and verified. 

In addition to these primary objectives, the project achieved several innovative milestones for approaching low-impact assessment project execution:

  • All the physical work was accomplished in one site visit, which greatly optimized WFEC’s limited resources.
  • A complete picture of each low-impact site system was obtained.
  • LEAP protection was implemented as appropriate for compliance.
  • Low-impact logical bidirectional routed application protocol flows were identified and mapped.

Aside from ensuring that WFEC remains in compliance, the project helped strengthen WFEC’s security awareness and overall cybersecurity posture at each designated low-impact site. The project armed the utility with unprecedented levels of network information, such as a better understanding of the application flow within networks. By providing a full, accurate and up-to-date inventory, both logical and physical, WFEC is now better prepared for accurate and efficient asset management.

The Future of Compliance

Considering the thousands of LIAs that require compliance and cyber protections, a plan to assess and implement compliance can seem an impossible task. However, as our team of professionals found, utilities that take a proactive stance toward LIA compliance — rather than reactive — will find themselves with the unique opportunity to not only enhance future cybersecurity protections but also build a greater level of LIA operational awareness. Although the level of work necessary to complete these LIA compliance tasks may be daunting, the site visits, inventories and documentation will arm utilities with a much higher level of operational awareness than ever before. Using this awareness, utilities can reap larger benefits for protecting and optimizing the foundation for tomorrow’s smart grid.

A Case Study

Partnering with WFEC to Achieve Compliance

Black & Veatch, in partnership with Western Farmers Electric Cooperative (WFEC), recently optimized site visit effectiveness, which is often required to complete LIA compliance. With Black & Veatch assistance, WFEC found opportunities to accomplish multiple objectives during remote-location LIA site visits. WFEC accomplished network improvements and cybersecurity upgrades in addition to LIA compliance. Initially, WFEC’s task to implement LIA compliance seemed daunting. However, the project became achievable through the use of proven methods and the help of experienced Black & Veatch professionals. As the largest locally owned power supply system in Oklahoma, WFEC was determined to use this opportunity to enhance its overall security posture, not just to achieve

NERC CIP compliance. The breadth and depth of the project was significant, as it involved identifying, evaluating and protecting LIAs at 80 sites across the state of Oklahoma. The target sites included substations, pole boxes, power plants — anyplace where low-impact BES assets exist.

Together with Black & Veatch’s Network Services Group, WFEC accomplished multiple cybersecurity objectives without interrupting daily energy delivery operations. At each site, the WFEC and Black & Veatch project team performed a complex evaluation and upgrade that included multiple tasks. The team established and verified cable connections, conducted a physical device inventory, conducted logical application sensing and established equipment protections. The team LIA presence enabled a rare opportunity to acquire a photo and video site logs, which are essential artifacts to demonstrate compliance and document the site’s environment.