Low-impact assessments are now on the industry’s To-Do list
Recognizing the growing threat that cyber-attacks pose to the national power grid, the U.S. federal government is working to strengthen its protection of our critical infrastructure. According to the U.S. Department of Homeland Security, the U.S. utility sector faces millions of attempted cyber intrusions per day.
To support this effort, in early 2018 the Federal Energy Regulatory Commission (FERC) approved a North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) reliability standard that increases protections of less-critical assets, “low-impact cyber systems” that make up most of the cyber assets within the bulk electric system (BES).
From a compliance perspective, these less critical facilities constitute a lower risk to the BES and have typically taken a backseat as utilities have worked to protect designated high- and medium-impact assets. But because today’s electrical systems are networked, those same facilities open avenues for cyber intrusion. With the newly established compliance date of January 2020, low-impact assessments are now on the industry’s To-Do list. Here are some steps to take to conduct a successful NERC-CIP Low-Impact Assessment.
Step 1: Understand Compliance Definitions and the Relevance to Your Utility
The revised standard CIP-003-7 (Cyber Security – Security Management Controls) is designed to protect these low-impact assets (LIAs) by requiring that utilities adopt consistent and sustainable security management controls. To help navigate the complexities of NERC compliance, a practical first step is to understand the intention of two key compliance definitions:
Requirement R2-5.1a, Attachment 1 ‘Low-Impact Rating (L)’
BES Cyber Systems not categorized in high impact or medium impact default to low-impact. Note that low-impact BES Cyber Systems do not require discrete identification.
Requirement R2, Attachment 1, Section 3 – Electronic Access Controls
Under the low-impact categorization … assets will be protected in the areas of cyber security awareness, physical access control, and electronic access control, and they will have obligations regarding incident response.
In other words, you don’t have to detail what’s out there, but you do have to take steps to protect it.
So where does that leave us? Entities are not obligated to obtain discrete identification of the low-impact systems and related assets; however, they are obligated (and wise) to protect those that communicate with a bi-directional routable protocol like TCP/IP. To create effective electronic access controls for low-impact BES Cyber Systems (those with bi-directional routable protocol communication or dial-up connectivity to devices external to the asset containing the low-impact BES Cyber Systems), we must understand IP protocol-based application flow into, out of, and within a given system location.
Step 2: Accept That Smart Devices with Bi-Directional Protocols Are Here to Stay
If utilities are going to keep the “smart” in smart grid, then they’re going to encounter bi-directional protocols in an ever-expanding area of electric power creation and delivery. For better or worse, a comprehensive low-impact accounting effort will most certainly include careful identification and qualification of low-impact systems and their related assets, now and for the foreseeable future as utilities continue to modernize the grid. However daunting this task may seem, utilities have already begun implementing this new standard, and best practices have come to light.
Step 3: Realize NERC-CIP Compliance Leads to a Stronger Security Posture
Utilities would be best served by avoiding a check-the-box approach and instead treating compliance as a necessary step toward strengthening their overall security posture. Black & Veatch worked with one utility that elected to take advantage of project momentum by interpreting Requirement R2-5.1a as calling for unambiguous identification of all low-impact assets, including an inventory of both equipment and logical data flows. By doing this, they are better prepared to scale security protections as requirements inevitably change.
Black & Veatch recommends identifying, evaluating and protecting as many LIAs as possible. The target sites should include substations, pole boxes, power plants, and anyplace else where low-impact BES assets might exist. The breadth and depth of the project can be significant, affecting every one of your operational groups.
Do not underestimate the level of complexity that may exist, and consider an outside partner to help manage and execute the project so that you don’t miss important logical cybersecurity assets or vulnerabilities. If you need help defining a level of effort, reach out to Black & Veatch for a customized proposal.
Step 4: Define Success
Depending on your NERC-CIP status, resources and timeline, your utility may be at a different level of compliance than its peers. Therefore, it’s important to set tasks and objectives that define success for your specific utility. For instance, do you know which low-impact data flows need protection? It’s important to set parameters for what is considered a bulk electric cyber asset, then identify, properly categorize and document each low-impact system or element. Have you identified and mapped data flows? This should include Internet Protocol (IP) source and destination addresses, source and destination protocol ports, and a per-site list of any unknown application flows or protocols. This identification should be carried out over a sufficient period within the project to ensure that intermittent protocol flows are also captured. This data can be used to paint a clear picture of logical data flows and provide filtering information for implementing Low-Impact BES Cyber System Electronic Access Point (LEAP) protections.
Step 5: Integrate Project Tasks to Ensure Efficient Deployment
Compliance programs are replete with challenges, but these can be minimized with early recognition, careful planning and the ability to integrate as many tasks into a single site visit as possible. It’s likely that site surveys and inventory will mandate in-person evaluations for physical device inventory and qualification. Careful upfront planning will allow site teams to also gather pictures and video to log each site’s physical asset layout. If needed, the site team can also install additional LEAP protections during the same visit.
Because compliance initiatives have so many moving parts, planning can be extensive. To assist in orchestrating all the requirements, Black & Veatch employs its proven execution methodology, PAADIO (Planning, Assessing, Architecting, Detail Designing, Implementing and Optimizing) to keep the project running as efficiently and smoothly as possible.
Here are some additional tips to create a foundation for project success.
- Project Coordination and Planning – Launch a project by setting the overall timeline, training requirements, points of contact, site types, locations, resourcing and budget.
- Field Awareness – Consider resources and logistics to support multi-disciplined teams conducting site visits in parallel. Project planning should focus on Who, What, Where and When. The operational territory can be divided up geographically and each field team assigned a logistically optimized path to visit a certain number of sites per day. And above all else, the execution plan must account for the safety and well-being of the human resources involved.
- Tools – Determine tools to help define which assets are truly low-impact and require compliance inclusion. There are electronic data-capturing analysis tools to help automate the application flow analysis process, and the LEAP protection filtering configuration can also be automated. Other tools may include secure project web portals to collect and distribute project data on a need-to-know basis and communicate in real time.
- Training – By taking the time to train field teams, implementation schedules can be significantly reduced. Black & Veatch recommends safety training, discussing terms and definitions, preparing for operational impacts, and Proof of Concept (POC) field trials where teams walk through substation testing to further enhance tools and define methods and procedures. For instance, a staging lab process may need to be developed to ensure that properly pre-configured LEAP protection devices and spares are always available.
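The flow mapping called for in Step 1 and Step 4 (source and destination addresses, destination ports, a per-site list of unknown application flows, and a check that the capture ran long enough to catch intermittent flows) and the automated LEAP filter configuration mentioned under Tools are shown together in the following added example. It is not code from Black & Veatch or from the original article. It assumes a simple CSV capture format (timestamp, protocol, source and destination address and port), a hypothetical site subnet of 10.20.5.0/24, and a small port-to-application table; the capture records are constructed for the example.

```python
"""Added example, not Black & Veatch's tooling: turn a constructed capture of
site flow records into the per-site application-flow inventory described in
Step 4 and a draft allowlist for a LEAP filter. The record format, the site
subnet and the port-to-application table are all assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

SITE_NET = ip_network("10.20.5.0/24")   # assumed address space of the site

# Assumed port-to-application table; unlisted ports are reported as "unknown"
# so that they land on the per-site review list.
KNOWN_APPS = {("tcp", 502): "modbus-tcp", ("tcp", 20000): "dnp3",
              ("tcp", 102): "iec61850-mms", ("tcp", 22): "ssh",
              ("udp", 123): "ntp"}

# Constructed capture: timestamp,proto,src_ip,src_port,dst_ip,dst_port.
# It spans three days so the once-only SSH session on day 3 is visible.
SAMPLE_FLOWS = """\
2019-06-03T08:00:01,tcp,10.20.5.10,50123,10.20.5.20,502
2019-06-03T08:00:31,tcp,10.20.5.10,50124,10.20.5.20,502
2019-06-03T08:01:00,tcp,10.100.1.5,41000,10.20.5.10,20000
2019-06-03T08:01:00,udp,10.20.5.10,123,10.100.1.9,123
2019-06-04T08:01:00,tcp,10.100.1.5,41001,10.20.5.10,20000
2019-06-05T22:14:07,tcp,10.100.7.33,52000,10.20.5.10,22
2019-06-05T22:15:07,tcp,10.20.5.20,36000,10.100.9.9,4711
"""

@dataclass
class FlowSummary:
    proto: str
    src: str
    dst: str
    dst_port: int
    direction: str      # internal, inbound or outbound relative to SITE_NET
    app: str            # application name from KNOWN_APPS, or "unknown"
    count: int
    first_seen: datetime
    last_seen: datetime

    @property
    def days_observed(self) -> int:
        return (self.last_seen.date() - self.first_seen.date()).days + 1

def parse_flow(line: str) -> dict:
    ts, proto, src, sport, dst, dport = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "proto": proto.lower(),
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport)}

def direction(src, dst, site_net=SITE_NET) -> str:
    in_src, in_dst = src in site_net, dst in site_net
    if in_src and in_dst:
        return "internal"
    return "outbound" if in_src else ("inbound" if in_dst else "transit")

def summarize_flows(text: str, site_net=SITE_NET, known=KNOWN_APPS) -> list:
    """Group records by (proto, src, dst, dst_port); the ephemeral source port
    is dropped so repeated sessions collapse into one inventory row."""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        f = parse_flow(line)
        key = (f["proto"], str(f["src"]), str(f["dst"]), f["dport"])
        if key not in groups:
            groups[key] = FlowSummary(
                f["proto"], str(f["src"]), str(f["dst"]), f["dport"],
                direction(f["src"], f["dst"], site_net),
                known.get((f["proto"], f["dport"]), "unknown"),
                1, f["ts"], f["ts"])
        else:
            g = groups[key]
            g.count += 1
            g.first_seen = min(g.first_seen, f["ts"])
            g.last_seen = max(g.last_seen, f["ts"])
    return sorted(groups.values(), key=lambda s: (s.direction, s.dst_port, s.src))

def coverage_days(summaries: list) -> int:
    """Calendar days spanned by the capture: a check that it ran long enough
    for intermittent flows (e.g. weekly maintenance sessions) to show up."""
    if not summaries:
        return 0
    first = min(s.first_seen for s in summaries).date()
    last = max(s.last_seen for s in summaries).date()
    return (last - first).days + 1

def build_leap_allowlist(summaries: list):
    """Draft permit rules for boundary-crossing flows with a recognised app;
    unknown ones go to a review list. Internal flows never reach the LEAP."""
    rules, review = [], []
    for s in summaries:
        if s.direction == "internal":
            continue
        if s.app == "unknown":
            review.append(s)
            continue
        rules.append(f"permit {s.proto} {s.src} -> {s.dst}:{s.dst_port}"
                     f"  # {s.app}, {s.direction}, {s.count}x over "
                     f"{s.days_observed} day(s)")
    return rules, review
```

Calling `summarize_flows(SAMPLE_FLOWS)` yields five inventory rows (two internal Modbus sessions collapse into one); `build_leap_allowlist` then drafts three permit rules for the DNP3, SSH and NTP flows that cross the site boundary and places the unrecognised outbound connection to port 4711 on the review list, while `coverage_days` reports that the capture spans only three days, which is a reminder that a short capture can miss intermittent flows. The generated rules are a starting point for the LEAP filter configuration, not a substitute for reviewing each flow with the site's operations staff.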
Aside from ensuring your utility remains in compliance, following these steps can help strengthen your security awareness and protection posture across your low-impact systems. They will arm your utility with unprecedented levels of network information, such as a better understanding of the application flow within networks. By providing a full, accurate and up-to-date assessment, your utility will be better prepared for accurate and efficient asset management.
It is understandable to be intimidated by a project covering hundreds of square miles, multiple site types and thousands of low-impact field devices. But with a well-defined process that leverages lessons learned and efficiencies gained from similar projects, it most certainly can be achieved. Given low-impact devices’ attractiveness as a bad actor’s entry point into the larger network, it is time and effort well spent.