Cyber security is a tremendous challenge for today’s power grid critical infrastructure. Here are some alarming data points about cyber security threats and vulnerabilities:

  • A report in Time covered an investigation by USA Today that analyzed public records, national energy data and records from 50 electric utilities. The analysis revealed that the U.S. national power grid faces physical or online attacks approximately once every four days.
  • Admiral Michael Rogers, head of NSA & U.S. Cyber Command, noted in Forbes,
    China and other unnamed nations have “the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure.”
  • The Internet of Things (IoT) has reached the energy sector. It’s the concept of creating a smarter world where systems with local computing power are connected in order to share data and information – anywhere, anytime. So, for example, customers with solar energy systems in states like California and New Jersey, besides accessing their billing information online, have additional connectivity via their own devices to their utility provider’s network to monitor the output, usage and cost savings of their home solar energy systems. With so many more devices connected to a network, there are now more potential intrusion points for cyber threats – in other words: an increased attack surface and more cyber vulnerabilities.
  • Data breaches are very costly: Security Week reported a simulation by the Cambridge Centre for Risk Studies at University of Cambridge Judge Business School and Lloyd’s of a cyber attack on the northeast power grid that would cause between $243 billion and more than $1 trillion in economic damage.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards evolved after the Great Northeast Blackout of 2003 that affected over 50 million people. Now there is an urgent and evolving need for more stringent standards to protect the Bulk Electric System (BES) of the North American power grid. NERC CIP v6 is the most recent version of policy guidelines by which critical cyber assets must be protected.

The Challenge: Transitioning to NERC CIP Compliance V6

The challenge for BES networks transitioning to and complying with NERC CIP V6 is multifaceted, requiring:

  • More stringent regulations than previous standards regarding policies, Asset Coverage, new Grouping of Cyber Assets (BES Cyber Systems), and Impact Ratings
  • Extensive change management processes and sensitive risk analysis
  • More auditable evidence for demonstrating compliance
  • Compliance violations that can cost up to $1 million in penalties per day
  • Enforcement of security policies across networks supporting today’s BES power grid comprised of multi-vendor, multi-technology heterogeneous IT environments that span physical and hybrid networks, and the cloud
  • Application connectivity management for Smart Grid; Dynamic Load Control (DLC) systems; Supervisory Control and Data Acquisition (SCADA) / other Industrial Control Systems (ICS); advanced metering software; load modeling; electric grid monitoring; transmission assessment; risk analysis; and other critical applications for running the utility business
  • Developing and implementing methods to deter, detect, or prevent malicious code via transient assets, and providing proof of those methods
  • Meeting deadlines that significantly vary across NERC CIP versions

Maintaining continuous compliance and network security is extremely challenging in view of global cyber threats, approaching deadlines for NERC CIP V6, and the complex IT environment of today’s power grid, which also spans hybrid cloud. The Tufin Orchestration Suite solution provides the essential toolbox for today’s network security challenges and compliance with NERC CIP V6:

  • Manage and visualize network Cyber Assets and Cyber Systems through a single pane of glass across the physical and hybrid network, and the cloud
  • Control and ensure secure application connectivity across the entire network
  • Maintain application-driven network security change automation based on risk assessment
  • Reduce the attack surface and mitigate threats of Transient Assets through effective management of network segmentation
  • Provide audit-ready evidence on-demand with an automatic audit trail 
  • Enforce your security policy inclusive of NERC CIP and other regulatory requirements

 

  • Design, manage and monitor network segmentation through a single pane of glass, across your hybrid internal network and the cloud.
  • Control and ensure secure application connectivity.
  • Maintain application-driven network security change automation based on risk assessment.
  • Reduce the attack surface and mitigate threats of transient cyber assets through effective management of network segmentation.
  • Provide audit-ready evidence on demand with an automatic audit trail, documenting every firewall and security group configuration change.
  • Enforce your security policy inclusive of NERC CIP standards and other regulatory requirements.
  • Ensure that any external routable connectivity is secure, documented, and has a valid business justification.

Securing high and medium impact BES cyber systems is a tremendous challenge for today’s Bulk Electric System providers.

The Challenge: Transitioning to NERC CIP v6 Compliance

A single cyberattack on the North American electrical power grid has the potential to cause hundreds of billions of dollars in economic damage. Following the Great Northeast Blackout of 2003, the North American Electric Reliability Corporation (NERC) took the initiative to draft Critical Infrastructure Protection (CIP) standards to prevent such an attack from happening again. The NERC CIP standards have gone through several iterations since then and currently stand at version six.

The challenge for BES networks transitioning to and complying with NERC CIP v6 is multifaceted, requiring:

  • More stringent regulations than previous standards regarding policies, Asset Coverage, new Grouping of Cyber Assets (BES Cyber Systems), and Impact Ratings
  • Extensive change management processes and sensitive risk analysis
  • More auditable evidence for demonstrating compliance based on violation severity levels
  • Enforcement of security policies across networks supporting today’s BES power grid comprised of multi-vendor, multi-technology heterogeneous IT environments that span physical and hybrid networks, and the cloud
  • Assurance that reliability standards will be met or exceeded
  • Application connectivity management for Smart Grid; Dynamic Load Control (DLC) systems; Supervisory Control and Data Acquisition (SCADA) / other Industrial Control Systems (ICS); advanced metering software; load modeling; electric grid monitoring; transmission assessment; risk analysis; and other critical applications for running the utility business
  • Identification of high-impact BES cyber systems as defined in requirement R1
  • Developing and implementing methods to deter, detect, or prevent malicious code via transient assets, and providing proof of those methods
  • Continuous authentication limitations, since stolen credentials are a top attack vector; IAM initiatives need to be balanced with network security policy automation initiatives
  • Response planning, which is complicated by fragmentation of processes and visibility (for example, incident response teams getting network connectivity intelligence for incident triage)
  • Meeting deadlines that significantly vary across NERC CIP versions

Continuous Compliance Automation

Tufin provides the responsible entity with the essential toolbox for today’s cyber security challenges and compliance with NERC CIP standards. It helps you maintain continuous compliance for NERC CIP V6 across complex network environments by centralizing your visibility and control. By automating policy-based change management and policy optimization, you are able to maintain a single audit trail and ensure policy adherence.

Facilitating CIP-002-5 Compliance with Centralized Network Segmentation Policy Automation

Tufin includes powerful network segmentation tools that help utilities reduce cyber risk and mitigate damage in the event of a cyberattack, protect BES cyber assets, and reduce risk exposure associated with transient assets. Tufin’s NERC segmentation template can be used for whitelisting and blacklisting to protect your BES network.

Tufin’s unified security policy management matrix uses your enforcement point configuration data to document a global security policy in an at-a-glance view. Within this dashboard you can refine your segmentation policies and build out new, more advanced segmentation policies. Then you can push those configuration changes out to firewalls and security groups.

Control Bulk Electric System (BES) security from a single console.

Tufin centralizes firewall management across on-premises and cloud, enabling utilities to control and secure application connectivity across their network including dynamic load control systems, industrial control systems, advanced metering software, load modeling, electric grid monitoring, transmission assessment, risk analysis, and other critical applications.

Gain security visibility across all networks.

Modern BES cyber systems are comprised of multi-vendor, multi-technology firewalls and other security products that are complex to manage and often provide a fragmented view of security. Tufin solutions provide deep network visibility across heterogeneous networks that includes on-premises, cloud, and hybrid network configurations, facilitating cyber risk management.

Ensure continuous compliance with NERC CIP standards.

NERC CIP standards are constantly evolving to meet the shifting threat landscape posed by new forms of cyberattacks and new technologies such as IoT-connected devices. Tufin helps utilities continuously update and consistently enforce security policies to meet the latest NERC CIP standards. With Tufin, utilities can quickly develop and implement new security rules to deter, detect, and prevent malicious code and other cyber attacks including those transmitted through transient assets.

Create audit reports on demand.

NERC CIP compliance standards now require that utilities report on any attempts to compromise their infrastructure. Tufin technology automatically generates audit trails to demonstrate NERC CIP compliance on demand, helping you meet tight deadlines and avoid high penalties.

FAQs

What type of NERC CIP standards compliance reporting does Tufin provide?

Tufin’s compliance reporting is more accurate than other vendors can provide, because the solution’s topology modeling is highly accurate and updates daily as your network evolves. This allows Tufin to see more of your network and associated controls, which helps minimize false positives, for example.

With Tufin’s Reporting Essentials, each report is generated from a predefined report template that you can configure according to your preferred settings. These report settings can then be saved for future use. You can define which information is displayed, how frequently the report output is generated, and the date and time at which it is distributed to recipients. These automation capabilities eliminate the need to manually create reports (although this feature is also supported), and allow you to align the timing of the report output distribution to when it is required. This allows you to automatically distribute reports before recurring meetings, so that participants come better prepared.

Report recipients can view the generated reports in their browser, and/or you can distribute the reports as PDF or CSV files.

What types of reports are available in Tufin to help ensure NERC CIP standards compliance?

Tufin’s reports address a number of use cases, such as the following:

  • Detect unauthorized policy changes or device configurations that violate the corporate security policy
  • Detect connectivity interruptions
  • Detect which rules are impacting traffic
  • Summarize changes to rules and objects between revisions
  • Summarize current policies and compare them to global standards, such as PCI and ISO
  • Assess severity of violations against Unified Security Policies (USP)
  • Discover redundant rules
  • Determine the compliance of a device's configuration

Which NERC CIP standards does Tufin address?

Today, there are no fewer than a dozen cyber security standards outlined in NERC CIP V6 that are specifically aimed at protecting critical infrastructure. Tufin facilitates meeting any standards related to network access controls that prevent unauthorized access to networks, network change management, recovery and response planning, and more. The NERC CIP standards include:

  • Establishing incident reporting and response planning in the event of cyber attacks (CIP-008-6)
  • Creating a recovery plan with documented processes for BES cyber systems (CIP-009-6)
  • Implementing configuration change management and vulnerability assessments for BES cyber systems protection (CIP-010-3)
  • Preventing unauthorized access to BES cyber systems (CIP-011-2)
  • Addressing supply chain vulnerabilities through supply chain risk management (CIP-013-1)
  • Creating categorization processes for BES cyber systems security requirements according to violation risk factors (CIP-002-5-1a)
  • Establishing security management controls that protect BES cyber systems against attacks (CIP-003-8)
  • Establishing an electronic security perimeter (ESP) with electronic access control or monitoring systems (EACMS) to protect BES cyber systems (CIP-005-6)
  • Identifying the technical, operational, and procedural requirements for system security management of BES cyber systems (CIP-007-6)
  • Training of personnel to understand the proper access and operation of BES cyber systems (CIP-004-6)
  • Creating a physical security plan with physical access security controls (PACS) for BES cyber systems (CIP-006-6)
  • Protecting transmission stations, substations, and primary control centers to ensure the physical security of BES cyber systems (CIP-014-2)
