Leveraging ServiceNow to Protect Bulk Electric System Cyber System Information (BCSI)
Amanda Justice "AJ"
Director of Enterprise Architecture | Global Utilities Chief Architect | Cybersecurity & Critical Information Protection Architect | Regulatory, Risk & Compliance Architect
BES Cyber System Information (BCSI), often written out as Bulk Electric System Cyber System Information, is a defined category of cybersecurity-related information within the Bulk Electric System (BES). The Bulk Electric System is the high-voltage backbone of the North American grid: the transmission lines, substations, generation facilities, and associated equipment that are essential for reliable operation of the grid.
BCSI is a term defined in the NERC Glossary of Terms used by the North American Electric Reliability Corporation (NERC) in its regulatory framework. NERC develops and enforces the reliability and security standards that apply to the Bulk Electric System in North America.
BCSI is information about a BES Cyber System that could be used to gain unauthorized access to that system or otherwise pose a security threat to it. In practice this covers non-public security procedures and security information about BES Cyber Systems and their access control and monitoring systems, incident response plans, vulnerability and assessment results, collections of network addresses, and network topology. A practitioner should note the boundary: individual items that by themselves give an attacker nothing, such as a device name, a single IP address without context, or a generic policy statement, are not BCSI, and the entity's own information protection program determines how items are classified.
NERC's cybersecurity standards, the Critical Infrastructure Protection (CIP) standards, require entities responsible for the Bulk Electric System to identify and protect BCSI; CIP-011 (Information Protection) sets the handling requirements, and CIP-004 (Personnel and Training) governs who may be granted access to it. Proper protection of BCSI is essential to deny attackers the reconnaissance material they need and to maintain the integrity and availability of the electrical grid.
Why is protecting BCSI important?
Protecting the Bulk Electric System Cyber System Information (BCSI) is critically important for several reasons:
Grid Reliability: The Bulk Electric System (BES) is the backbone of the electrical grid, providing electricity to homes, businesses, and critical infrastructure. Ensuring the reliability of the BES is essential for maintaining a stable and continuous power supply. Protecting BCSI helps prevent cyberattacks that could disrupt or damage the grid, leading to power outages and potential cascading failures.
National Security: The electrical grid is a critical part of a nation's infrastructure. A cyberattack on the grid could have severe national security implications, affecting not only the economy but also public safety and emergency response capabilities. Protecting BCSI is vital to safeguard against potential threats to national security.
Economic Impact: Disruptions in the electrical grid can result in significant economic losses. Businesses rely on a stable power supply to operate, and any prolonged power outage can lead to financial losses, affecting industries, employment, and economic growth. Protecting BCSI helps mitigate the economic impact of cyberattacks on the grid.
Public Safety: Power outages, especially those caused by cyberattacks, can affect public safety in various ways. Loss of power can disrupt traffic signals, communication systems, and emergency response services. Protecting BCSI is essential to maintain public safety and ensure that critical services continue to function during emergencies.
Data Security: BCSI is, by definition, information that would help an attacker gain access to or threaten a BES Cyber System. Protecting it denies malicious actors the network addresses, topology, security procedures, and assessment results they would otherwise use to plan and execute an attack.
Cybersecurity Resilience: Safeguarding BCSI is a fundamental part of enhancing the resilience of the electrical grid against cyber threats. Resilience involves the ability to withstand and recover from cyberattacks and other disruptions. Protecting BCSI is an integral component of building a more resilient grid.
Regulatory Compliance: Entities responsible for the Bulk Electric System must comply with regulatory standards, such as the Critical Infrastructure Protection (CIP) standards set by the North American Electric Reliability Corporation (NERC). Compliance with these standards, including those related to BCSI protection, is legally required and ensures the grid's security.
Prevention of Cyberattacks: Cyberattacks on the electrical grid can have severe consequences, ranging from power outages to potential damage to physical infrastructure. Protecting BCSI helps in preventing cyberattacks or at least detecting them early, enabling timely responses and mitigations to minimize their impact.
How can utilities use ServiceNow to protect BCSI?
Utilities protect Bulk Electric System Cyber System Information (BCSI) through a combination of cybersecurity practices and measures to safeguard the integrity and security of the electrical grid. These measures are essential to mitigate cyber threats and vulnerabilities. Here are some of the key ways in which utilities protect BCSI and how the ServiceNow platform can assist:
Cybersecurity Standards and Compliance
Utilities must adhere to cybersecurity standards established by regulatory bodies such as the North American Electric Reliability Corporation (NERC). Compliance with standards, such as the Critical Infrastructure Protection (CIP) standards, is a foundational step in protecting BCSI.
The ServiceNow Integrated Risk Management solution lets utilities map CIP requirements to the controls and assets they apply to, and can automate the recurring evidence collection and attestation work needed to demonstrate adherence to those requirements.
Access Control
Utilities implement strict access controls to limit and monitor access to BCSI. Only authorized personnel with a legitimate need to know should have access. Access permissions are regularly reviewed and updated.
ServiceNow customers control the roles and entitlements granted to each user in their instance. The platform integrates with a customer's existing directory services and supports widely used authentication and authorization standards such as SAML 2.0 single sign-on, LDAP directory integration, and multi-factor authentication. One caveat for CIP purposes: if BCSI is stored in the instance, the ServiceNow roles that can read it are provisioned BCSI access, so they must be included in the entity's authorization, periodic verification, and termination-revocation processes rather than treated as ordinary IT entitlements.
For more information on ServiceNow's access management capabilities, see the authentication and authorization section of the Securing the ServiceNow Platform document.
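The access review the paragraph above calls for can be expressed as a reconciliation of three record sets: who is provisioned, who was authorized, and who has left. The script below is an added example, not ServiceNow code or the author's; it works on constructed, in-memory records that stand in for an export of access, authorization, and HR data. The review parameters at the top (removal by the end of the next calendar day after termination, and re-verification at least once every 15 calendar months) are assumptions set to mirror the CIP-004 BCSI access requirements as understood here, and should be confirmed against the version of the standard enforceable for the entity.

```python
"""Reconcile provisioned BCSI access against authorizations and terminations.

Added example with constructed records; not ServiceNow code.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed review parameters (see lead-in); confirm against the enforceable CIP-004 version.
REMOVAL_GRACE_DAYS = 1        # access removed by end of the next calendar day after termination
VERIFY_INTERVAL_MONTHS = 15   # every provisioned access re-verified at least this often


@dataclass(frozen=True)
class Access:
    user: str
    repository: str
    granted: date
    removed: Optional[date] = None   # None: still provisioned


@dataclass(frozen=True)
class Authorization:
    user: str
    repository: str
    approved_by: str
    approved: date


@dataclass(frozen=True)
class Termination:
    user: str
    effective: date


def add_months(d, months):
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + year, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def find_unauthorized(accesses, authorizations):
    """Still-provisioned access with no authorization approved on or before the grant date."""
    earliest = {}
    for a in authorizations:
        key = (a.user, a.repository)
        earliest[key] = min(earliest.get(key, a.approved), a.approved)
    return [acc for acc in accesses
            if acc.removed is None
            and (earliest.get((acc.user, acc.repository)) is None
                 or earliest[(acc.user, acc.repository)] > acc.granted)]


def find_late_removals(accesses, terminations, today, grace_days=REMOVAL_GRACE_DAYS):
    """Access of terminated personnel removed after the deadline, or still open past it."""
    effective = {t.user: t.effective for t in terminations}
    late = []
    for acc in accesses:
        if acc.user not in effective:
            continue
        deadline = effective[acc.user] + timedelta(days=grace_days)
        removed_on = acc.removed if acc.removed is not None else today
        if removed_on > deadline:
            late.append(acc)
    return late


def find_overdue_verifications(last_verified, today, months=VERIFY_INTERVAL_MONTHS):
    """Repositories whose last access verification is older than the interval."""
    return sorted(repo for repo, when in last_verified.items()
                  if add_months(when, months) < today)


def sample_records():
    """Constructed stand-in for an export of access, authorization and HR records."""
    accesses = [
        Access("alice", "BCSI-DOCS", date(2023, 6, 1)),
        Access("bob", "BCSI-DOCS", date(2023, 9, 15)),                          # never authorized
        Access("carol", "BCSI-DOCS", date(2022, 1, 10), removed=date(2024, 2, 20)),
        Access("dave", "NETWORK-DIAGRAMS", date(2023, 11, 1)),
        Access("erin", "NETWORK-DIAGRAMS", date(2023, 12, 1)),                  # approved after the grant
    ]
    authorizations = [
        Authorization("alice", "BCSI-DOCS", "ops-manager", date(2023, 5, 30)),
        Authorization("dave", "NETWORK-DIAGRAMS", "ops-manager", date(2023, 10, 25)),
        Authorization("erin", "NETWORK-DIAGRAMS", "ops-manager", date(2023, 12, 5)),
    ]
    terminations = [
        Termination("carol", date(2024, 2, 15)),   # removed five days later: late
        Termination("dave", date(2024, 2, 29)),    # deadline is the review date: not late yet
    ]
    last_verified = {"BCSI-DOCS": date(2022, 11, 15), "NETWORK-DIAGRAMS": date(2023, 6, 1)}
    return accesses, authorizations, terminations, last_verified


def run_review(today=date(2024, 3, 1)):
    """Run all three checks over the sample records and return the findings."""
    accesses, authorizations, terminations, last_verified = sample_records()
    return {
        "unauthorized": find_unauthorized(accesses, authorizations),
        "late_removal": find_late_removals(accesses, terminations, today),
        "overdue_verification": find_overdue_verifications(last_verified, today),
    }


if __name__ == "__main__":
    for finding, items in run_review().items():
        print(finding)
        for item in items:
            print("  ", item)
```

Against the constructed records the review flags bob (no authorization on file) and erin (authorization dated after the grant) as unauthorized, carol as a late removal, and the BCSI-DOCS repository as overdue for its periodic verification; dave's access is open but his deadline has not passed on the review date, so it is correctly not flagged. The grant-before-approval check matters in practice because an access record that predates its authorization is indistinguishable, to an auditor, from access that was never authorized at all.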
Encryption
BCSI should be encrypted to protect it from unauthorized access during transmission or while stored on servers and devices. Encryption ensures that even if data is intercepted, it remains confidential.
ServiceNow offers database encryption at rest for the instance as well as column-level encryption of selected fields, with options for customer-controlled keys. A practitioner should keep the scope of each control clear: encryption with customer-held keys protects stored BCSI from anyone who does not hold the key, including the cloud operator, but it does not protect against a user whose role is permitted to decrypt the field. Access control remains the primary control, and BCSI exported from the platform (attachments downloaded, reports emailed) leaves the protection of platform encryption entirely.
For more information on ServiceNow's platform encryption options, see Securing the ServiceNow Platform.
Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS)
Utilities employ firewalls and IDS/IPS systems to monitor network traffic for suspicious activity and to block or report potential threats in real time.
ServiceNow integrates with many IDS/IPS solutions through certified spokes. Customers can use MID Servers to pull information securely from IDS/IPS systems into the ServiceNow platform for process automation and asset management. For a list of IDS/IPS vendors with certified spokes, see Security Operations Integrations by Use Case.
For more information on this process within the platform, see the logging and monitoring of ServiceNow security infrastructure section of Securing the ServiceNow Platform.
Security Information and Event Management (SIEM)
SIEM systems help utilities monitor and analyze security events and incidents across their network. They provide a centralized view of the security landscape and can trigger alerts for potential breaches.
ServiceNow integrates with a multitude of SIEM solutions such as Splunk. ServiceNow also provides a Log Export Service that lets customers export instance logs to their own on-premises or SIEM storage, where they can be retained for the windows NERC CIP requires; CIP-007 R4, for example, requires security event logs to be retained for at least the last 90 consecutive calendar days where technically feasible. The export must be monitored as a control in its own right: a missed day of export is a gap in the retained record that an auditor will find. For details on SIEM solutions with certified spokes to ServiceNow, see Security Operations Integrations by Use Case.
For more information on how ServiceNow manages SIEM within the instance and with a customer's SIEM solution, see the security logging and monitoring section of Securing the ServiceNow Platform.
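A check on the exported-log record is the kind of thing a utility would want running daily. The script below is an added example, not ServiceNow code or the author's; it assumes the Log Export Service (or any log shipper) produces one archive per day whose file name carries the date, which is an assumption about the naming scheme, and it works on a constructed listing of such names. The 90-day window is a parameter set to mirror the CIP-007 retention requirement and should be confirmed against the enforceable version of the standard; the window ends yesterday because the current day's archive is normally not complete yet.

```python
"""Check that exported instance log archives cover the required retention window.

Added example with constructed archive names; not ServiceNow code.
"""
import re
from datetime import date, timedelta

# Assumed retention window; set to mirror CIP-007 R4 (90 consecutive calendar days).
RETENTION_DAYS = 90

# Assumed naming scheme: one archive per day with an ISO date in the name.
ARCHIVE_DATE = re.compile(r"(\d{4}-\d{2}-\d{2})")


def archive_dates(names):
    """Set of dates parsed from archive names such as 'instance-logs-2024-02-20.tgz'."""
    found = set()
    for name in names:
        m = ARCHIVE_DATE.search(name)
        if m:
            found.add(date.fromisoformat(m.group(1)))
    return found


def check_retention(names, today_iso, retention_days=RETENTION_DAYS):
    """Report the days in the retention window that have no archive.

    The window is the retention_days calendar days ending yesterday. Gaps are
    returned as inclusive (first_missing, last_missing) ISO date pairs so that a
    run of missing days shows up as one finding rather than one per day.
    """
    today = date.fromisoformat(today_iso)
    end = today - timedelta(days=1)
    start = end - timedelta(days=retention_days - 1)
    have = archive_dates(names)
    gaps = []
    day = start
    while day <= end:
        if day not in have:
            if gaps and gaps[-1][1] == day - timedelta(days=1):
                gaps[-1][1] = day          # extend the current run of missing days
            else:
                gaps.append([day, day])    # start a new run
        day += timedelta(days=1)
    return {
        "window": (start.isoformat(), end.isoformat()),
        "gaps": [(a.isoformat(), b.isoformat()) for a, b in gaps],
        "covered": not gaps,
    }


def sample_archive_names(first_iso="2023-11-15", last_iso="2024-02-29",
                         skip=("2024-01-10", "2024-01-11", "2024-02-20")):
    """Constructed archive listing: one file per day between the bounds, minus `skip`."""
    first, last = date.fromisoformat(first_iso), date.fromisoformat(last_iso)
    skipped = {date.fromisoformat(s) for s in skip}
    names = []
    day = first
    while day <= last:
        if day not in skipped:
            names.append(f"instance-logs-{day.isoformat()}.tgz")
        day += timedelta(days=1)
    return names


if __name__ == "__main__":
    report = check_retention(sample_archive_names(), "2024-03-01")
    print("window:", *report["window"])
    for a, b in report["gaps"]:
        print("missing:", a if a == b else f"{a} to {b}")
    print("covered:", report["covered"])
```

Run against the constructed listing on 2024-03-01, the window is 2023-12-02 through 2024-02-29 and the check reports two gaps, 2024-01-10 to 2024-01-11 and 2024-02-20. A listing that only starts inside the window is reported the same way, as a leading gap, which is the case to expect right after an export job is first switched on or after a storage migration.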
Regular Audits and Assessments
Utilities conduct regular cybersecurity audits and assessments to identify vulnerabilities and weaknesses in their systems. These assessments help in proactive threat mitigation.
ServiceNow helps utilities accelerate the audit and assessment process. With the Integrated Risk Management solution, utilities can automate reporting and evidence collection, so that the artifacts an auditor asks for are gathered continuously rather than assembled at audit time.
Incident Response Plans
Utilities develop and maintain incident response plans that outline procedures for responding to cybersecurity incidents. Having a well-defined plan ensures a swift and organized response to mitigate threats and minimize damage.
Managing incident response plans (IRPs) is bread and butter for ServiceNow. The Integrated Risk Management solution can house these plans, schedule the periodic reviews and tests the CIP standards call for, and incorporate the plans into the end-to-end incident response process when an event occurs. Keep in mind that the plans themselves are typically BCSI, so the records that hold them need the same access restrictions as any other BCSI in the instance.
Please refer to the Security Incident Response Process Guide | Vancouver Release for more information.
Employee Training and Awareness
Utilities train their personnel to recognize and respond to cybersecurity threats. Employees are often the first line of defense, so their awareness and ability to follow security best practices are crucial.
ServiceNow's HR Service Delivery, together with Integrated Risk Management, can track and manage this training, remind users about required training, and use Performance Analytics to produce evidence that personnel have completed the training required before they are granted access.
Vendor and Supply Chain Security
Utilities assess and manage the cybersecurity practices of third-party vendors and suppliers to ensure that they do not introduce vulnerabilities into the BES.
ServiceNow's Third Party Risk Management brings internal and external data together for a single view of the third-party ecosystem, supporting vendor governance, cross-functional review, and ongoing monitoring, so that vendor assessments are consistent and repeatable and their results are available as compliance evidence. For more details on ServiceNow's module for managing third-party risk, see the Third Party Risk Management Overview Video.
Physical Security
Physical security measures, such as access control to substations and control centers, are implemented to prevent unauthorized personnel from physically accessing critical infrastructure.
Much of the obligation around physical security falls on the registered entity. ServiceNow, for its part, maintains rigorous physical security standards for the infrastructure in the ServiceNow cloud and for its physical locations and data centers. Because the entity remains accountable for BCSI it stores with a vendor, it should obtain and retain the vendor's physical security attestations as part of its own evidence.
For more information on how ServiceNow secures its physical locations, refer to Securing the ServiceNow Cloud, in the section on data center physical security and environmental controls.
Patch Management
Utilities keep software and hardware systems up to date with the latest security patches to address known vulnerabilities. Regularly applying patches is vital for cybersecurity.
ServiceNow's Security Operations solutions help utilities manage the end-to-end patch management process. ServiceNow recently released a demo that specifically addresses the challenges of doing this across OT and IT assets under the CIP-007 (System Security Management) and CIP-010 (Configuration Change Management and Vulnerability Assessments) standards. The demo can be found here: ServiceNow NERC CIP 7 and 10 demo
Data Backups
Regular and secure data backups are essential to ensure that critical BCSI can be restored in case of a cyber incident. Backups should be stored in a separate, secure location.
The ServiceNow Business Continuity Management module can help a utility manage its CIP BC/DR processes end to end and tie them directly to the control structure housed in the Integrated Risk Management module, giving complete end-to-end management of BC/DR processes.
On the vendor side, ServiceNow's Advanced High Availability (AHA) architecture keeps a replica of each customer instance in a paired data center, and ServiceNow takes regular backups of customer instances. These are resilience controls for the platform itself; they do not replace the entity's own backups of BCSI that lives outside the platform. For details on how ServiceNow manages its BC/DR, see the Advanced High Availability White Paper.
Continuous Monitoring
Utilities use continuous monitoring tools to keep an eye on their network, systems, and BCSI for any signs of suspicious or anomalous activity.
ServiceNow integrates with dozens of continuous monitoring tools used by utilities. In many cases the information collected creates automation opportunities, such as opening requests to mitigate risks identified by these tools. For a list of continuous monitoring tools for which ServiceNow has certified spokes, see Security Operations Integrations by Use Case.
For more information on how ServiceNow provides continuous monitoring, see the security logging and monitoring section of Securing the ServiceNow Cloud.
Threat Intelligence
Utilities gather and utilize threat intelligence to stay informed about emerging cyber threats and vulnerabilities, allowing them to adapt and enhance their defenses accordingly.
ServiceNow provides threat intelligence capabilities in its Security Operations solutions and also integrates with dedicated threat intelligence providers. ServiceNow can then orchestrate and automate the response so that threats are addressed as soon as they are identified.
Protecting BCSI is an ongoing and dynamic process that requires a combination of technology, policies, procedures, and a commitment to cybersecurity at all levels of the utility organization. It is vital for maintaining the reliability and security of the electrical grid. The ServiceNow platform can help utilities improve their cybersecurity posture and their compliance processes, and so do everything they can to secure BCSI.
Additional Supporting Materials
The majority of the core documentation referenced in this article can be found in the ServiceNow Core Directory, located at: