NERC CIP Version 5 Network Security Compliance
Cyber security is a tremendous challenge for today’s power grid critical infrastructure. Here are some alarming datapoints about cyber security threats and vulnerabilities:
- A report in Time covered an investigation by USA Today that analyzed public records, national energy data and records from 50 electric utilities. The analysis revealed that the U.S. national power grid faces physical or online attacks approximately once every four days.
- Admiral Michael Rogers, head of NSA & U.S. Cyber Command, noted in Forbes that China and other unnamed nations have “the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure.”
- The Internet of Things (IoT) has reached the energy sector. It’s the concept of creating a smarter world where systems with local computing power are connected in order to share data and information – anywhere, anytime. So, for example, customers with solar energy systems in states like California and New Jersey, besides accessing their billing information online, have additional connectivity via their own devices to their utility provider’s network to monitor the output, usage and cost savings of their home solar energy systems. With so many more devices connected to a network, there are now more potential intrusion points for cyber threats – in other words, an increased attack surface and more cyber vulnerabilities.
- Data breaches are very costly: Security Week reported a simulation by the Cambridge Centre for Risk Studies at University of Cambridge Judge Business School and Lloyd’s of a cyber attack on the northeast power grid that would cause between $243 billion and more than $1 trillion in economic damage.
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards evolved after the Great Northeast Blackout of 2003 that affected over 50 million people. Now there is an urgent need for more stringent standards–especially in the area of cyber security–to protect the Bulk Electric System (BES) of the North American power grid from the dramatic rise in cyber threats in recent years. This has led to the development of CIP Version 5 (CIP V5).
Complying with NERC CIP V5 – Network Security Challenges
There are specific challenges for network security and compliance with CIP V5:
- Deadlines are approaching – mandatory compliance is July 2016.
- V5 is more stringent for network security than previous standards regarding policies, Asset Coverage, Grouping of Cyber Assets (BES Cyber Systems), Impact Ratings, change management requirements and more extensive auditable evidence to demonstrate compliance.
- Violations are very costly and can include penalties of up to $1 million/day.
- Networks supporting today’s BES power grid are more complex than ever:
  - Multi-vendor, multi-technology heterogeneous IT environments spanning physical/on-premise networks, virtualized and private cloud platforms, public cloud and hybrid cloud (a combination of private and public cloud)
  - Management of application connectivity dependencies:
    Applications can reside in the physical on-premise data center, a virtual data center, a private cloud or a public cloud. These include applications for the Smart Grid, Dynamic Load Control (DLC) systems, Supervisory Control And Data Acquisition (SCADA) and other Industrial Control Systems (ICS), advanced metering software, load modeling, electric grid monitoring, transmission assessment and risk analysis, as well as apps for customers. There are also apps for running the utility business, such as typical business applications for finance, billing, and customer relations. Applications have become the focus of network security for BES networks.
Maintaining continuous compliance and network security is extremely challenging in view of the global cyber threats, the approaching deadlines for NERC CIP V5 and the complex IT environment for today’s power grid, which also spans hybrid cloud. The Tufin Orchestration Suite solution provides the essential toolbox for today’s network security challenges and compliance with NERC CIP V5:
- Visibility across all platforms of the entire network
- Central Management–a single pane of glass–across the entire network, enforced via a Unified Security Policy that is zone-based, e.g., according to the grouping of Cyber Assets, BES Cyber Systems, Impact Ratings
- Automation and network security change management that is application-driven
- Continuous compliance with audit-ready evidence
Tufin was quoted as an industry cyber security expert in the article “8 ways to ensure CIP V5 compliance” in EnergyBiz.com’s Forum Securing Power for leaders in the global power industry.