WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
0 likes•22 views
This white paper emphasizes the critical importance of Critical Infrastructure Protection (CIP) in the energy sector, highlighting the vulnerabilities of the U.S. electric grid to cyber threats from various actors, including state-sponsored threats and cybercriminals. It outlines the need for energy companies to comply with NERC CIP standards to protect both physical and cyber assets and mitigate risks that could disrupt the bulk electric system. The document stresses proactive measures, continual investment, and comprehensive security policies to safeguard against potential cyberattacks and maintain grid reliability.
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
- 1. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 1 of 17 The Importance of Critical Infrastructure Protection in the Energy Sector August 15th , 2022
- 2. The Importance of CIP in the Energy Sector White Paper Page 2 of 17 © Copyright 2022 Certrec. All rights reserved. Copyright © 2022 Certrec All rights reserved. This white paper or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher, except in the case of brief quotations covered by the fair-use exception permitted by copyright law. www.certrec.com www.regsource.us www.certrecsaas.com
- 3. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 3 of 17 Contents Executive Summary............................................................................................................................................4 The Importance of Critical Infrastructure Protection in the Energy Sector..................................................5 Introduction .......................................................................................................................................................5 Critical Infrastructure Protection for Facilities................................................................................................6 Critical Infrastructure Protection for Cyber Systems .....................................................................................7 Physical Systems and CIP (Hardware).............................................................................................................7 NERC CIP-002-5 – BES System Categorization........................................................................................................... 7 NERC CIP-003-8 – Security Management Controls...................................................................................................... 9 NERC CIP-004-6 – Personnel Training......................................................................................................................... 9 NERC CIP-005-6 – Electronic Security Perimeter....................................................................................................... 10 NERC CIP-006-6 – Physical Security of BES Cyber Systems .................................................................................... 10 NERC CIP-007-6 – System Security Management ..................................................................................................... 11 NERC CIP-008-6 – Incidence Reporting and Response Planning .............................................................................. 11 NERC CIP-009-6 – Recovery Plans for BES Cyber Systems ..................................................................................... 11 NERC CIP-010-3 – Configuration Change Management and Vulnerability Assessments........................................... 12 NERC CIP-011-2 – Information Protection.................................................................................................................. 12 NERC CIP-012-1 – Communications Between Control Centers ................................................................................. 12 NERC CIP-013-2 – Supply Chain Management.......................................................................................................... 13 NERC CIP-014-2 – Physical Security.......................................................................................................................... 13 Software-Related CIP: From Malware to Phishing Emails ............................................................................ 13 Potential Threats and their Consequences .................................................................................................. 14 Short-term and Long-term Consequences of Breaches ................................................................................ 14 Conclusion ....................................................................................................................................................... 15 References and Resources ............................................................................................................................ 17
- 4. The Importance of CIP in the Energy Sector White Paper Page 4 of 17 © Copyright 2022 Certrec. All rights reserved. Executive Summary The U.S. electric grid provides electricity to millions of homes and businesses via a complex and vulnerable network of power plants, transmission lines and distribution centers. It is essential to daily life and commerce in America. One of the greatest cybersecurity threats to the electric grid involves ICS or “industrial control systems.” ICS manage electrical processes and physical functions like opening and closing circuit breakers. To reduce costs, improve energy conservation and grid reliability, ICS are merging with information technologies which rely on the Internet to enable remote control and monitoring. But this also creates huge opportunities for “hacktivists,” state-threat actors and criminals (cyber-ransomers) to access operational technology (OT). A successful cyberattack can cause serious disruption to people’s lives from annoying effects like no Internet, no streaming, no TV, and no cell phone service to life threatening events like broken traffic signals, inoperative life- saving medical equipment, no water pumped, or no heating or cooling. According to the U.S. Department of Homeland Security, even a short-lived attack on the power grid could cause substantial interruptions to security systems and important lines of communication. In 2022, the number of risks to critical infrastructure have escalated due to the increase in cyber ransom crimes, nation-state threat actors and of course the Russian Ukraine war. Nation-threat actors work for a hostile government (take Iran, North Korea, China, or Russia for example – U.S. Intelligence Annual Threat Assessment) to disrupt or compromise our lives and in the case of critical infrastructure, create incidents by taking down nuclear, energy, financial or technology sectors. (see https://www.certrec.com/blog/shields-up-cisa-guidelines-against- cybersecurity-threats/ The CISA (Cybersecurity and Infrastructure Security Agency (CISA) is a newly formed US federal agency working tirelessly to tackle cyber threats, and to develop secure and reliable infrastructure.) has warned all the industrial stakeholders in the country to be prepared and to take proactive measures against any malicious cyber activity.
- 5. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 5 of 17 The Importance of Critical Infrastructure Protection in the Energy Sector Introduction In 2022, it is high time for electrical companies to maintain high critical energy infrastructure protection standards. From substations to enterprises, energy-based companies should be able to meet CIP compliance. Whether it is the physical protection of facilities from vandalism, terrorist acts, and other security breaches, or the protection of software and hardware assets from increasingly sophisticated cyber criminals, it is essential for energy companies to cope with these challenges by updating their CIP policies and procedures. The decision to not do so can be disastrous, not only for them, but for the overall Bulk Electric System (BES). The best way to ensure that they are meeting the required standards is by becoming CIP compliant. Whereas, most companies are relatively proficient in the physical protection of facilities, as that has been the traditional focus, many do not have stringent enough IT policies for the protection of their critical hardware and software infrastructure. Not addressing those vulnerabilities can negate the hard work done through physical facility protection. It is essential to target all these three areas of CIP in the modern world, that is, physical facility protection, hardware protection, and software protection. The focus of these companies should be to leverage modern-day tech tools and hardware while having comprehensive IT policies in place to meet all necessary regulations. In a tech-driven world, making accurate predictions about potential breaches has become incredibly difficult.
- 6. The Importance of CIP in the Energy Sector White Paper Page 6 of 17 © Copyright 2022 Certrec. All rights reserved. A reluctance to use up-to-date software and hardware can lead to a serious breach. It damages onsite facilities, ruins market credibility, and compromises the security of electricity supply. If you’re an electric utility operating in North America, you have to meet the NERC CIP regulations. The North American Electric Reliability Corporation (NERC) comes under the Federal Energy Regulatory Commission (FERC). The objective of NERC is to safeguard the reliability of the Bulk Electric System within USA and Canada. The functional entities to which this standard applies are transmission owners, generator owners, and distribution providers. Let’s delve a little deeper into each area, focusing more on the cyber side of things. Critical Infrastructure Protection for Facilities Traditional physical security of the facility is a more understood topic; therefore, we will not dig too deep into it, however, it cannot be stressed enough that without the physical components working in perfect order, the facility can be compromised and can be rendered inoperable. To guarantee that energy facilities remain secure and free from attacks, a considerable amount of proactive thought and effort has to be put into the physical security of the plants. The fact that most plants are situated in remote areas and are massive in size, it can become quite a challenge to secure and monitor them effectively. To add to that challenge, fluctuating fuel costs due to the turbulent geopolitical situation, and other economic disruptions post-COVID, can make it tempting for utilities firms to prioritize operational budgets over security budgets. However, when you are a vital cog in the power grid, a lapse in security can cause disruptions to the whole grid, leading to massive penalties and fines. It is, therefore, more prudent to invest that money in the actual physical security of the facility to mitigate the chances of physical attacks through vandalism or terrorism. Physical security of the facility deals with its perimeter. We will now discuss the security of cyber assets within the perimeter.
- 7. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 7 of 17 Critical Infrastructure Protection for Cyber Systems Today, cyber security falls under the umbrella of a defense strategy. It is a perfect phrase highlighting the modern threats affecting the energy sector. This is where foundational elements and practices come into play. Organizations need to be mature enough to meet NERC CIP compliance in the digital age. Companies should also clearly understand all the frameworks and how they tie together with various aspects of regulatory compliance. At its core, CIP or Critical Infrastructure Protection refers to a combination of requirements to ensure the security of assets integral to operating bulk electric systems in the United States. In the context of the US energy sector, CIP compliance requires a significant investment, proactive efforts, and a progressive mindset among organizations. Since there is a substantial risk at play, it is crucial for utility and industrial players to keep up with regulatory changes. But one thing is certain; the time for utility companies to prepare and implement CIP changes is now. Physical Systems and CIP (Hardware) The foundational standards in NERC CIP state-specific requirements that energy companies must meet in order to create unique control mechanisms, identify critical assets, enforce physical security of the systems, and recover affected assets. Here are primary standards that are applicable to all security and network systems for utilities: NERC CIP-002-5 – BES System Categorization With this standard, energy companies can identify and classify BES Cyber Systems or Assets. The objective of the NERC CIP-002-5 standard is to ensure the enhanced protection of assets. At the same time, this standard makes sure there are no compromises that might make the BES unstable or disrupt operations.
- 8. The Importance of CIP in the Energy Sector White Paper Page 8 of 17 © Copyright 2022 Certrec. All rights reserved. The level of categorization is all about grading several BES Cyber Assets or Systems based on the degree of interruption to the power supply. It focuses the entity on the period of interruption rather than the cause of the power disruption. The broad categorization of Cyber Systems in this standard includes: Protected Cyber Assets PACS or Physical Access Control Systems Electronic Access Control NERC CIP-003-8 – Security Management Controls. The focus of this standard is to help energy companies increase transparency and accountability across the board and further protect BES Cyber Assets. Practically, utilities need to rely on an experienced senior manager to develop sustainable policies around security controls. CIP-002 is designed to provide entities the capability to identify and categorize their Bulk Electric Systems (BES) Cyber Systems and associated BES Cyber Assets. Once identification and categorization of BES Cyber Systems has been completed, impact levels determine which standards are applied based on the identification. Registered entities are categorized as low, medium, and high impact. The standard also outlines additional controls such as the frequency of Categorization review and review approval. Also note that any single entity may have more than one impact level, which is why it is important to understand all applicable impact levels so that the correct standards are applied based on the categorization. Once the impact level has been defined, standards are applied. For examples, security management controls for low impact BES Cyber Systems are addressed in the CIP-003 standard. Medium and High Impact system protection requirements are addressed in CIP-003 through CIP-011. CIP-012 is applicable to all impact levels and addresses protection of communication links and transmission of sensitive data between BES communication centers. More recently, risks to the BES supply chain have come to the forefront. CIP-013 seeks to mitigate risks to Medium and High impact BES Cyber Systems with the implementation of security controls defined in the standard as it relates to the supply chain. Finally, while not based on impact level but where applicable, CIP-014 addresses protection of Transmission Stations and Transmission Substations which, if physically attacked, could result in instability, uncontrolled separation, or cascading within the interconnection. The level of categorization is all about grading several BES Cyber Assets or Systems based on the degree of interruption to the power supply. It focuses the entity on the period of interruption rather than the cause of the power disruption.
- 9. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 9 of 17 The broad categorization of Cyber Systems in this standard includes: Protected Cyber Assets PACS or Physical Access Control Systems Electronic Access Control NERC CIP-003-8 – Security Management Controls. The focus of this standard is to help energy companies increase transparency and accountability across the board and further protect BES Cyber Assets. Practically, utilities need to rely on an experienced senior manager to develop sustainable policies around security controls. NERC CIP-003-8 – Security Management Controls Security management controls are addressed in CIP-003 and are designed to ensure that consistent and sustainable security controls are applied, based on the system categorization, to mitigate risk that could result in mis-operation or instability of the BES. Additionally, CIP-003 addresses security controls as they relate to low impact systems and identifies which security management controls relate to medium and high impact systems. For example, the domains of cyber security awareness, physical and electronic controls, cyber incident response plans and malicious code mitigation for transient cyber assets and removable media for low impact systems are addressed in CIP-003. Moreover, the standard covers review of policies and the plans required to support policies as well as who is responsible for BES cyber security policy review. Additionally, for medium and high impact systems, CIP-004 - Personnel and training; CIP-005 – Electronic Security Perimeters; CIP- 006 – Physical security of BES Cyber Systems; CIP-007 – System security management; CIP-008 – Incident reporting and response planning; CIP-009 – Recovery plans for BES Cyber Systems; CIP-010 – Configuration and change management and vulnerability assessments; CIP-011 – Information protection; and declaring and responding to CIP Exceptional Circumstances are identified as being applicable to medium and high impact levels. Of interest is the fact that requirements differ based on impact level and external communications needs (e.g., does the entity have remote connectivity, is it at a control center). NERC CIP-004-6 – Personnel Training This NERC CIP standard aims to train contractors and employees. With sufficient training, NERC CIP 004-6 standard will help companies reduce the likelihood of cyber-attacks targeted to BES Cyber Systems. The personal training consists of raising cyber security awareness among staff. In addition, it paints a clear picture of the access and risk management controls for employees and contractors. Personnel and Training are the focus of CIP-004-6. The intent of this standard is to ensure that appropriate levels of risk assessment for personnel are addressed, and that training and cyber awareness are incorporated into the entity’s programs, plans and procedures. Types of personnel reviews, based on need, are outlined as are the timeline review requirements regarding personnel risk assessments. Requirements for frequency of training events, and training content are also outlined in this standard as are requirements related to access and access revocation.
- 10. The Importance of CIP in the Energy Sector White Paper Page 10 of 17 © Copyright 2022 Certrec. All rights reserved. NERC CIP-005-6 – Electronic Security Perimeter This standard aims to heighten the protection level of BES Cyber Assets and prevent potential instability and operational interruption. Furthermore, the NERC CIP-005-6 standard focuses on having complete control over network access to all critical assets. In any case, this standard propels utilities to develop a dedicated ESP or Electric Security Perimeter around their cyber assets. Once a virtual barrier exists, entities can track interconnected data flows. And any critical assets outside the boundaries of ESP must become part of the leading network via a dedicated Electronic Access Point (EAP). Companies should also maintain their network segments, control remote access points, and use data encryptions. This standard aims to heighten the protection level of BES Cyber Assets and assist with the prevention of potential instability and operational interruption by establishing an Electronic Security Perimeter (ESP) using Electronic Access Control or Monitoring Systems (EACMS) to allow only authorized inbound and outbound traffic to BES Cyber Systems. Cyber assets outside the ESP are routed through controlled Electronic Access Points (EAP). Requirements are established for remote interactive access to include dial-up requirements, encryption, and multi-factor authentication. Software for systems protection is also addressed in the standard and may include Intrusion Detection Systems (IDS) and application firewalls. Additional requirements the capability to identify remote vendor access and the capability to terminate remote vendor access on demand. NERC CIP-006-6 – Physical Security of BES Cyber Systems This standard involves physical and operational controls in connection with a physical security perimeter, testing and maintenance program, and a visitor control program. In the physical security perimeter, entities must restrict their physical access via procedural controls and existing operational documents. In the visitor control program, entities must implement a protocol to manage all visitors in the last 90 days. And the testing and maintenance program of this standard requires entities to test electronic Physical Security Perimeter on an annual basis. Plans are established to define operational and procedural controls for physical access. Controls address unescorted physical access, unauthorized physical access, alarms and personnel notification to personnel and groups identified in the entity’s Incident Response (IR) plan. Specifics such as monitoring for physical access control systems, automated logging of personnel based on level of access, retainment of logs and protection of cabling and other components used for communication within an ESP. If physical restrictions are not available, implementation of other types of controls to mitigate risk are required and methods are addressed. The standard also addresses visitor control such as requirements for visitor escorts, logging requirements, and visitor log retention. Additional requirements, depending on impact level and physical access control configurations, include maintenance and testing of physical access control systems.
- 11. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 11 of 17 NERC CIP-007-6 – System Security Management Here, entities must define operational and technical elements and processes. The idea is to enhance the security of systems in the ESPs of BES Cyber Systems. Typically, these components include security patches, system access controls, security event monitoring, ports and services, and prevention of malicious code. Applicable protection requirements may include port management in that only required ports are enabled, port ranges are managed. Physical port managed is required as well where removable media is concerned. Another aspect of system security management addresses patch management to include processes for tracking patches on a regular basis, evaluating applicability of those patches and installation of patches based on applicability. Plans should also have processes that address when a patch shall be applied, explanations if a patch can’t be installed as planned. Should patch installation be delayed, mitigations should be in place, or should be implemented, if the patch cannot be installed as planned. Requirements for mitigation of malicious code introduction are defined as well as management of virus software to include signature or definition management, and system hardening. Monitoring is another key aspect of CIP-007. Required logging of specific events are identified, alert requirements are defined based on event type, log retention requirements and review of those logs are covered. Other requirements include a means to enforce authentication of interactive user access, management of generic group accounts and personnel that have access to those group accounts, user password parameter requirements, password change requirements, and limitations regarding unsuccessful authentication attempts are addressed. NERC CIP-008-6 – Incidence Reporting and Response Planning Here, entities must prepare incident reports and create guidelines that work as a response. The incident reporting and response planning standard allow energy entities to document, identify, classify, report, and respond to incidents associated with critical assets. At its core, this CIP standard compliance divides into incident response plan, implementation of incident response, and final review and communication of the incident response plan. Roles and responsibility requirements for response groups and individuals are addressed along with the procedures that define incident handling to include containment, eradication, and incident resolution. Time requirements for incident response plan testing, types of testing, any lessons learned and requirements to update the incident response plan based on testing are also addressed. Evidence requirements related to evidence retainment for reportable cyber security events are included in the standard. NERC CIP-009-6 – Recovery Plans for BES Cyber Systems Here, entities must find the best way to recover from a potential cyber incident that may impact the BES systems. With this standard, entities must put in place a recovery plan and follow predetermined plans for business continuity and disaster recovery.
- 12. The Importance of CIP in the Energy Sector White Paper Page 12 of 17 © Copyright 2022 Certrec. All rights reserved. Plans will include conditions for activation, roles, and responsibilities of those involved with the recovery process, how backup and storage of information is implemented, data backup validation and preservation of data related to a cyber security incident as it relates to activation of the plan. Test requirements of the plan regarding the test environment, actual data used for testing, recovery plan updates for lessons learned, and notification of those with a role in the plan where an update is required and has been implemented are additional security requirements of this standard. NERC CIP-010-3 – Configuration Change Management and Vulnerability Assessments In this standard, entities must highlight all the requirements related to their security policy to ensure there are no unauthorized modifications to the BES Cyber Systems. This standard aims to increase the current protection level by performing vulnerability testing and checking system configuration controls. On top of configuration change management, the CIP-010-3 standard covers compliance areas like configuration monitoring, which requires 35 days for unauthorized baseline changes and vulnerability evaluation every 15 months. Here, entities are required to develop baseline configurations for Operating Systems, open-source software, custom software, network ports and implemented security patches. Baseline changes evolve and must go through a process that include authorization of proposed change, documentation and updating of the official baseline configuration after a baseline change has been implemented for the defined period. Cross checking of the potential effects of the change, as it relates to other CIP standards, is required to ensure security requirements are not impacted by changes to the baseline. Testing in the appropriate environments, requirements for software verification and monitoring the baseline configuration for changes are addressed. Vulnerability assessments are another component of CIP-010, and address requirements such as how often to test, types of tests and documented assessments when new Cyber Assets are to be introduced into the production environment. NERC CIP-011-2 – Information Protection Information protection, addressed in CIP-012, seeks to mitigate risks to the BES by specifying requirements related to the protection of BES information. The first step in protection is to properly identify BES Cyber System Information which should be included in the entity’s information protection plan as should how information is handled, stored, transmitted, and used. The plan shall address how assets, used in conjunction with BES Cyber System Information, will be handled if the asset is to be reused, or if the asset is to be disposed. NERC CIP-012-1 – Communications Between Control Centers Protection of communication between control centers is the focus of CIP-012. Plans are required to address the protection of Real-time Assessment (RTA) and Real-time Monitoring (RTM) data from modification, unauthorized use, and unauthorized disclosure. Requirements addressing shared responsibilities between separately owned entities are defined as well.
- 13. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 13 of 17 NERC CIP-013-2 – Supply Chain Management The need to address supply chain cyber security risks are becoming well known, and CIP-013 addresses those needs. This standard is applicable to medium and high impact systems as well as their Electronic Access Control and Monitoring System, and Physical Access Control Systems. Security risk management plans, and approval requirements, are at the heart of the standard and include risk assessments for procurement of vendor equipment, software, and services. Risks associated with transitioning from one vendor to another are also addressed. Other items include requirements for vendor notification of incidents related to their products, how vendor incidents will be addressed by the vendor, vendor access, notification by the vendor if remote or onsite access is no longer required, and other vendor actions. NERC CIP-014-2 – Physical Security Instability, uncontrolled separation, or cascading within an Interconnection are major concerns for Transmission stations and Transmission substations. CIP-014-2 seeks to mitigate risks associated with these potential events through the implementation of NERC requirements. Requirements include risk assessments by the Transmission Owner that identify Transmission stations or Transmission substations that, if damaged, could cause the aforementioned events. Verification of risk assessments performed by the Transmission Owner, verification standards, notifications and timelines associated with notifications by the Transmission Owner are documented in CIP-014. Criteria required of the Risk Assessment evaluation include physical characteristics, history, intelligence gathering methods, other evaluation criteria and report parameters also fall under CIP-014. Software-Related CIP: From Malware to Phishing Emails In the energy sector, cyber security leaders need an extensive understanding of different cyber security threats. Phishing The severity and regularity of phishing attacks have increased tenfold. Phishing attacks involve establishing fake communication via an email or other communication channel. A typical phishing attack tricks the recipient into executing a set of integrated instructions that leads to a breach of confidential financial information and customer data. With phishing attacks, cybercriminals now systematically steal sensitive data like login information. Cybercriminals also use phishing attacks to install malware on the receiver’s device. Malware Like other industries, potential malware threats are a major risk for energy companies. Technically, malware refers to malicious software like ransomware, viruses, worms, and spyware. Cybercriminals activate the malware once a user clicks on an attachment and link. After that, it leads to the installation of a harmful program. After activation, Malware can block network access, obtain secure information from the drive, and disrupt individual components, making the entire security infrastructure inoperable.
- 14. The Importance of CIP in the Energy Sector White Paper Page 14 of 17 © Copyright 2022 Certrec. All rights reserved. Denial of Service A typical DoS or Denial of Service cyber-attack floods a network or computer, which makes it impossible to respond to any requests. The function of DDoS or distributed DoS is also similar. However, DDoS cyber-attack stems from a wider computer network. Cybercriminals take advantage of this flood attack in order to interrupt the handshake process and execute a Denial of Service. Moreover, cyber-attacks now use several techniques to launch multiple DDoS attacks at the same time. Emotet According to CISA or Cybersecurity & Infrastructure Security Agency, Emotet is a modular and advanced banking Trojan. Primarily, it works as a dropper or downloader of existing banking trojans in the system. Recently, Emotet has become one of the most damaging and costly malware. Potential Threats and their Consequences Whether it’s malware, phishing attacks, password attacks, or denial of service, it incurs revenue losses for companies. And if the breach is big, it will significantly impact revenue generation. The truth is that revenue loss is inevitable in the event of a security breach. Around 30% of companies that encounter a security breach lose significant revenue. For instance, a potential data breach hampers a company's reputation in the energy landscape. In fact, after a data breach, the reputation of the company is never the same in the market. Similarly, a data breach makes it challenging to forecast accurate short-term and long-term revenue loss. Most breaches compromise the privacy of the customers and gain information about customer payments. If data security is breached, companies will have to build trust with customers from the ground up. On the surface, many cyber security threats come across as mild and harmless. However, they can wreak havoc on the operational capacity of utilities and even impact valuable assets. In some instances, hackers act as pranksters and try to commit several data breaches. Naturally, it forces energy companies to make changes in their cyber security strategy. One of the consequences of potential cyber security threats comes in the form of hidden costs. For example, the most common hidden costs, related to breaches and threats, involve taking care of legal fees. Short-term and Long-term Consequences of Breaches Companies usually have to spend on hiked insurance premiums, additional investigations, and PR. In 2022, cyber regulations are a reality that companies cannot afford to overlook. For instance, FCC fined AT&T $25 million over a customer data breach.
- 15. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 15 of 17 In line with potential threats, cybercriminals often steal blueprints, strategies, and designs of energy companies. In the long run, it damages the reputation of utilities in the industry. And companies operating in the energy sector are more vulnerable to these potential threats. Oftentimes, small companies assume they won’t be targeted. But the truth is that over 60% of attacks and threats are targeted toward small businesses. And that’s because these businesses often fail to comply with CIP standards, making them easier targets for cybercriminals. Today, executing a data breach plan takes less time than making an omelet. On average, more than 90% of successful data breaches take place within a minute. What’s startling is that it takes 80% of the companies’ weeks before they realize there has been a data breach. In hindsight, data breaches seem to have a short and long-term cost impact on businesses. The good news is that most business executives and cyber security professionals now take potential data breaches and subsequent threats seriously. On top of reputational damage, theft, and incurred financial losses, companies usually have to pay hefty fines. If the direct revenue losses are not enough of a punishment, companies can face potential monetary penalties for failing to comply with basic data protection regulations. But unlike the EU’s GDPR guidelines that impose fines and penalties on different degrees of violations, there is no counterpart in the US. Instead, Colorado, Virginia, and California have their own extensive data privacy laws in place. And these laws have various commonalities like the right to delete and access personal information and not to abide by the sale of PI. Companies with unstable cash flow typically suffer the most from a data breach. Contrary to misguided perception, cyber security threats and attacks extend beyond the IT space. Energy companies now need a comprehensive and up-to-date cyber security strategy to prevent potential cyber-attacks. Conclusion It is high time for energy companies to take NERC CIP compliance standards seriously. It is the best way to ensure effective and consistent power across different regions. With a strategic approach and the right tools, the energy sector can track, enforce, review, and maintain uniform CIP compliance. NERC CIP-based standards give energy entities a clear idea about the required scope and framework, and swift adoption of this framework helps companies prevent a potential disaster. However, utilities should be involved in the process and ready to make new changes in their cyber security strategy. On top of power utilities, industrial companies should also meet the CIP standards. The discourse around NERC CIP is not new, and there has been constructive criticism on how the energy companies should implement it. According to the TSA cyber security report, there are different requirements companies have to meet first. For starters, entities need to ensure network segmentation meets various requirements. The idea is to restrict operational technology (OT) protocols from passing through the IT systems via an encrypted end-to-end tunnel.
- 16. The Importance of CIP in the Energy Sector White Paper Page 16 of 17 © Copyright 2022 Certrec. All rights reserved. Furthermore, companies must run antivirus scans throughout OT and IT systems every week. There is also a requirement to implement patches in a predefined timeframe. In hindsight, the information security space is bound to evolve, and that means more attacks on the electrical grid across regional and national entities. With NERC CIP compliance, energy entities can meet standard business policies and regulations. It is the most practical way for organizations to protect their customers, natural resources, and crucial cyber assets that tie together with the Bulk Electric System. The hallmark aspect of CIP for most security leaders revolves around raising awareness and understanding the scope of specific assets that need enhanced security. In this context, an integrated cyber security and risk management solution can work wonders for companies and ensure CIP compliance. In retrospect, a risk- oriented, integrated, continuous approach to CIP compliance would allow security professionals to collect and review data in a centralized source and report to business and technical stakeholders in an effective and efficient manner. NERC CIP compliance is the most practical way for organizations to protect their customers, natural resources, and crucial cyber assets that tie up to the Bulk Electric System. (To find out how secure your critical infrastructure is, go to Certrec’s free online NERC CIP Health Check here.)
- 17. White Paper The Importance of CIP in the Energy Sector © Copyright 2022 Certrec. All rights reserved. Page 17 of 17 References and Resources i. https://www.energyglobal.com/special-reports/29062021/cips-energy-transition-fund-reaches-first- close/ ii. https://www.cisa.gov/energy-sector iii. https://docs.microsoft.com/en-us/microsoft-365/solutions/energy-secure-collaboration iv. https://www.techtarget.com/searchsecurity/definition/North-American-Electric-Reliability-Corporation- Critical-Infrastructure-Protection-NERC-CIP v. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx vi. https://www.cybersaint.io/blog/what-is-nerc-cip vii. https://verveindustrial.com/resources/blog/what-are-the-nerc-cip-standards-in-ics-security/ viii. https://blog.rsisecurity.com/what-are-the-10-fundamentals-of-nerc-cip-compliance/ ix. https://www.industrialdefender.com/what-is-nerc-cip/ x. https://www.ispartnersllc.com/blog/nerc-cip-standards-overview/ xi. http://www.subnet.com/solutions/nerc-cip.aspx xii. https://www.youtube.com/watch?v=OBzU1Hhdmt8 xiii. https://www.youtube.com/watch?v=LGU4l0SzuD8 xiv. https://www.youtube.com/watch?v=H9y__anQFVw About Certrec: Certrec is a leading provider of regulatory compliance solutions for the energy industry. Our SaaS and consulting services have helped hundreds of power- generating facilities manage their regulatory compliance and reduce their risks across nuclear, fossil, solar, wind, and other power plants. Certrec has helped more than 120 generating facilities establish and maintain NERC compliance, and we manage the entire NERC compliance program for 60+ registered sites in the US and Canada that trust us to decrease their regulatory and reputational risk. Certrec is ISO/IEC 27001:2013 certified and has successfully completed a SOC 2 Type 2 examination, resulting in independent verification of the standards of security, availability, reliability, and trusted services that we provide. This content is the proprietary information of Certrec. Certrec, the Certrec logo, and Certrec product names and logos are trademarks or registered trademarks of Certrec in the U.S. and other countries. The Certrec products described in this document are distributed under a license agreement restricting the use, copying, distribution, decompilation, or reverse engineering of the products. The Certrec products and services described in this document may only be used in accordance with their terms of use and corresponding license agreements. No part of this document may be reproduced in any form by any means without prior written authorization from Certrec. Certrec may amend, improve, or make changes to Certrec products or this document at any time without notice. THIS DOCUMENT IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. CERTREC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. Contact Us 6500 West Freeway, Suite 400, Fort Worth, TX 76116 817-738-7661 www.certrec.com Have you tried RegSource® yet? Try the industry’s leading source of regulatory compliance information! Click Free Trial to start your free trial, or visit www.RegSource.us/#pricing to compare the various plans.