A look at some critical infrastructure protection (CIP) regulations affecting protection & control (P&C)

Cyber criminals persist in targeting critical infrastructures across regions of the USA, Canada, and Mexico, plaguing power and utility companies with mounting costs to defend against – let alone recover from – sophisticated attacks.?

To combat these threats to grid reliability, Critical Infrastructure Protection (CIP) standards defined by the North American Electric Reliability Corporation (NERC) set criteria for physical and cyber security of electrical facilities that owners, operators, and users of bulk power must abide. Of the six regional organizations that enforce CIP and other NERC standards, three – the Western Electricity Coordinating Council (WECC), the Midwest Reliability Organization (MRO), and the Northeast Power Coordinating Council (NPCC) – have jurisdictions in grids in both the US and Canada. Of these, WECC also has jurisdictions in portions of northern Mexico.?

NERC CIP audits in the US are consistent across the country; all six regional organizations follow the evidence review methodology described in the standards themselves. The NERC website (www.nerc.com ) makes plain the standards that are “active and subject to enforcement” while also spelling out the details and requirements of each.?

In NERC regions outside of the US, CIP standards are followed but with different implementation and enforcement per agreements between NERC and energy regulators in Mexico and Canada. In the Canadian province of Alberta, for example, the Alberta Electric System Operator (AESO) is presently phasing in the latest versions of NERC CIP standards, some of which will come into effect October 1, 2024. Similarly, other provinces in Canada are also devising their own implementation strategies and enforcement timelines of NERC CIP standards.?

Regardless of the territory or whether enforcement is in effect now or will be later, CIP standards call for evidence that demonstrates vigorous cybersecurity over periods of time across numerous procedural and technical situations.?

CIP Mandates?

Take for instance NERC CIP-010-4 (CIP-010-AB-4 in Alberta), Configuration Change Management and Vulnerability Assessments. Notably, this standard is in its fourth version, underscoring how compliance is an unending process, requiring companies to continuously advance their programs in step with evolving regulations. CIP-10 and other NERC standards, including CIP-005-7 (CIP-005-AB-7 in Alberta) Electronic Security Perimeter(s) and CIP-007-6 (CIP-007-AB-5 in Alberta) System(s) Security Management, deal in matters directly involving both operational technology (OT) and information technology (IT).?

Having the wherewithal to manage the cybersecurity requirements of just these three CIP standards, let alone compliance measures for the rest of the NERC catalog, stems from balancing the priorities of OT (data availability) and IT (data protection). The balance can easily be thrown off by CIP-auditable elements colliding with other aspects of NERC compliance, like approaches to field worker laptop cybersecurity that impact productivity with NERC PRC-005-6 (CIP-005-AB2-6 In Alberta) Protection System, Automatic Reclosing, and Sudden Pressure Relaying Maintenance.?

Transient Cyber Assets?

CIP-010, CIP-005, and PRC-005 are just three among several NERC standards that pertain to one O&M activity specifically: relay testing. The spotlight NERC puts on relay testing reveals numerous areas of concern regarding bulk electric system security and reliability intersected by modern protective relays. As computerized components (“cyber assets”) of substation protection and control networks (“cyber networks”), any periodic connection between relays and laptops technicians use when testing (“Transient Cyber Assets” aka “TCAs”) must be secure.?

CIP TCA standards are comprehensive, calling for measures such as physical and virtual hardening, user assignment and authentication control, anti-virus and operational software updating, and computer image configuration management. Other CIP standards related to TCA management add requirements concerning relays themselves, like cybersecure access and configuration change authorizations that come into play when updating firmware and protection settings.?

TCAs could host dozens of software applications, whether for various makes and vintages of relays and relay test equipment, or for job aids like settings files, spreadsheets, and workorder tools. For these reasons and others, staying on top of CIP TCA mandates while not disrupting productivity for PRC-005 can be challenging any given day. At scale, deploying even small changes to cybersecurity defenses or reliability testing processes can significantly impact IT and relay technicians alike, costing them their productivity. Further, such occurrences trouble compliance officers since any failure to document and report NERC auditable matters on time invokes corrective measures that affect operations even further and carry the risk of substantial financial penalties.?

Security Patches?

Another concern is whether firmware and software applications are secure in the first place. Second to that is knowing their status on cyber devices like relays, TCAs, and other computer assets.??

How many installations are there and which devices are they on? Was security verified prior to installation? Are there updates available from the vendors and are those sources secure? If updates are available, are they really needed, by when, deployable how, which devices get them, and is every step tracked and documented???

Getting answers is easier said than done. Regardless, the evidence NERC wants to see, per CIP-010 and CIP-007, must contain proof that anti-virus/anti-malware security software is being consistently patched and kept up-to-date with the latest available versions. On top of that, firmware and operational software must be updated, operating systems must be scanned, and baseline device configurations must be managed. Behind the scenes, many IT and O&M processes must happen to handle patch management properly – and NERC requires evidence of each of those occurring as well.?

Moving Forward?

Cybercrime is incessant. Power and utility companies are defending their networks against cyberattacks that continually grow in severity and sophistication. In the public interest of grid reliability, NERC CIP cybersecurity standards press owners, operators, and users of bulk power across regional jurisdictions to meet numerous obligations including many that impact P&C operations, like TCA and security patch management. Maintaining computer equipment security amid P&C work despite novel cyber threats and busy operations are complex responsibilities burdening professionals every day in the North American interconnected electric power landscape.

Authored by: Joe Stevenson ?