Cyber security is a tremendous challenge for today’s power grid critical infrastructure. Here are some alarming data points about cyber security threats and vulnerabilities:
- A report in Time covered an investigation by USA Today that analyzed public records, national energy data and records from 50 electric utilities. The analysis revealed that the U.S. national power grid faces physical or online attacks approximately once every four days.
- Admiral Michael Rogers, head of NSA & U.S. Cyber Command, noted in Forbes,
China and other unnamed nations have “the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure.”
- The Internet of Things (IoT) has reached the energy sector. It’s the concept of a creating a smarter world where systems with local computing power are connected in order to share data and information – anywhere, anytime. So, for example, customers with solar energy systems in states like California and New Jersey, besides accessing their billing information online have additional connectivity via their own devices to their utility provider’s network to monitor the output, usage and also cost savings of their home solar energy systems. With so many more devices connected to a network, there are now more potential intrusion points for cyber threats – in other words: increased attack surface and cyber vulnerabilities.
- Data breaches are very costly: Security Week reported a simulation by the Cambridge Centre for Risk Studies at University of Cambridge Judge Business School and Lloyd’s of cyber attack on northeast power grid that would cause between $243 billion to more than $1 trillion in economic damage.
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards evolved after the Great Northeast Blackout of 2003 that affected over 50 million people. Now there is an urgent and evolving need for more stringent standards to protect the Bulk Electric System (BES) of the North American power grid. NERC CIP v6 is the most recent version of policy guidelines by which critical cyber assets must be protected.
The Challenge: Transitioning to NERC CIP Compliance V6
The challenge for BES networks transitioning to and complying with NERC CIP V6 is multifaceted, requiring:
- More stringent regulations than previous standards regarding policies, Asset Coverage, new Grouping of Cyber Assets (BES Cyber Systems), and Impact Ratings
- Extensive change management processes and sensitive risk analysis
- More auditable evidence for demonstrating compliance
- Violations of compliance costing up to $1 million penalty per day
- Enforcement of security policies across networks supporting today’s BES power grid comprised of multi-vendor, multi-technology heterogeneous IT environments that span physical and hybrid networks, and the cloud
- Application connectivity management for Smart Grid; Dynamic Load Control (DLC) systems; Supervisory Control and Data Acquisition (SCADA) / other Industrial Control Systems (ICS); advanced metering software; load modeling; electric grid monitoring; transmission assessment; risk analysis; and other critical applications for running the utility business
- Develop and implement methods to deter, detect, or prevent malicious code via transient assets, and provide proof of those methods.
- Meet deadlines that significantly vary across NERC CIP versions
Maintaining continuous compliance and network security is extremely challenging in view of the global cyber threats, approaching deadlines for NERC CIP V6 and the complex, IT environment for today's power grid that also spans hybrid cloud. The Tufin Orchestration Suite solution provides the essential toolbox for today’s network security challenges and compliance with NERC CIP V6:
- Manage and visualize network Cyber Assets and Cyber Systems through a single pane of glass across the physical and hybrid network, and the cloud
- Control and ensure secure application connectivity across the entire network
- Maintain application-driven network security change automation based on risk assessment
- Reduce the attack surface and mitigate threats of Transient Assets through effective management of network segmentation
- Provide audit-ready evidence on-demand with an automatic audit trail
- Enforce your security policy inclusive of NERC CIP and other regulatory requirements