NOPR demands FERC to require Network Security Monitoring for BES Cyber Systems
By Michael Sanchez, CEO of Itegriti
Share this on:
Protecting the nation’s critical national infrastructure (CNI) is a tall task, and the electric industry – one of sixteen CNI sectors – has had its fair share of challenges. In 2020, an international conglomerate of over 42 electrical transmission operators reported a successful cyberattack on its network – a network spanning 35 countries. Somewhere between 2014 and 2015, the industry reported a 380% increase in attacks, and in 2021 it was reported that a full two-thirds of Active Groups (AGs) were targeting electric utilities within the nation’s critical infrastructure.
Problems like these brought on this past January’s NOPR (Notice of Proposed Rulemaking), which seeks to require the North American Electric Reliability Corporation (NERC) to make some updates to the rules surrounding internal network security for Bulk Electric System (BES) cyber systems. Those “rules” refer to the Critical Infrastructure Protection (CIP) Reliability Standards, which currently make no mention of network security monitoring.
When you consider the nation’s electrical grid is running off cybersecurity protocols that still “protect the perimeter,” you can see why improving visibility into threats inside the network is long overdue.
So why doesn’t one of the most highly attacked critical national infrastructure sectors just upgrade to the latest technology? This article will look at the barriers – and benefits – to implementing cutting-edge network security monitoring into one of the nation’s oldest living architectures. And why it’s necessary.
The US energy grid is a massive entity, sprawling over 600,000 miles of transmission wires and capable of over 1 million watts of generating capacity. As we move away from fossil fuels and into renewable sources of energy, those have to connect to the grid, too (think solar farms, wind turbines, hydropower plants, and your electric vehicle). The infrastructure built up over the past 70 years is being stretched to capacity, and the push to modernize to a Smart Grid system is strong (though hardly complete). With the load, it’s already being asked to bear, plus severe weather events leading to outages and downed equipment, combined with climate swings resulting in volatile water, solar and renewable power conditions, today’s grid is maintaining reliability by a tenuous thread. Now, add cyberattacks.
The power sector is on the front line of attack for nation-states seeking to undermine US critical infrastructure. As it states in the policy papers of one US Senator, “The U.S. electric grid is vulnerable to cyberattacks that could result in catastrophic, widespread, lengthy blackouts and other loss of electrical services.” That’s not good news. And “Russia, North Korea, Iran, and China currently have the capability to launch cyberattacks that could disrupt critical infrastructure.” We all know that, but the confirmation should be sobering. It’s on this basis that the recent NOPR was established. When even online retail shops have basic network monitoring capabilities (via affordable SaaS solutions), it’s concerning at best that the US grid runs on outdated models of protecting the perimeter. It’s time for an upgrade.
First Principles: Know What’s in Your Environment
This NOPR seeks to upgrade the defenses of Bulk Electrical Systems. What are those? According to Nercipedia, they consist of “all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher,” not including local distribution facilities. In other words, the Big Guys. To do this, the directives given to NERC build out the energy sector’s security methods based on first principles. The first principle of cybersecurity is knowing what’s in the environment. You cannot protect something if you don’t know it’s there. Network security starts with knowing what’s on that network.
When discussing substations, we often hear utilities comment they wish they knew what assets reside in those environments. Some utilities have already begun investigating (in some cases, implementing) passive network monitoring at Low Impact facilities with a primary goal of confirming asset inventory. This is a great place to start and good testing grounds for the work to be done within the Medium to High Impact facilities outlined in the NOPR.
The passive monitoring approach typically inherent in network monitoring solutions is a well-fitting approach for a substation environment. Active connection approaches can jeopardize the operational mission and only provide visibility on devices capable of routable communication. Passive approaches, on the other hand, can determine the presence of serial or backplane-connected assets.
Challenges to Implementing Network Security Monitoring in the Electric Sector
A few technical barriers stand in the way of the energy sector just switching wholesale from perimeter defense to boundaryless network oversight. They include:
Maturity of the entity’s cybersecurity posture
Is VLAN segmentation already in place (where applicable)?
Is there a centralized and standard network configuration?
Degree of infrastructure uniformity
Is the network layout uniform site to site?
Is the equipment across substations a varied collection of vendor devices, or more similar site to site? Uniformity makes planning and testing easier and provides higher confidence.
Different owners for multiple substations means renegotiating access and implementation plans
Dispersed geography – are locations within a city or hundreds of miles apart?
Acceptance of virtual infrastructure
Many offerings for network monitoring are virtual only. We hear from numerous entities that they have yet to adopt virtual infrastructure, as virtual infrastructure may be unacceptable for a CIP audit.
Connectivity to substations
Many utilities have a legacy architecture of maintaining substations as isolated, either due to the cost of networking or because air-gapped networks are perceived as safer. The “cost” of this approach is the manual effort put into infrequent site visits and the inconvenience of manual monitoring.
While these are significant challenges, they can be overcome by a motivated entity.
Benefits of Extending Protection beyond the Perimeter
The more you know, the more you can secure. Anything on the network, anywhere, from any source, is the new perimeter, as malware can ingress through a VPN, an identity, and API, an unauthenticated application. Internal network monitoring is necessary for a zero-trust environment, and it’s about time federal agencies caught up.
Network monitoring solutions generally include asset discovery based on deep packet inspection, an approach well validated for OT environments. When network monitoring is integrated with a solution, baseline change monitoring and configuration assessment (already in place for CIP requirements) are easily within reach. The system works well for incrementally extending cybersecurity processes already in place for CIP audit and cybersecurity.
As NERC follows the guidelines of this NOPR to make internal network security monitoring a part of Bulk Electric Systems, a lot of boxes will be checked in the way of modernizing the US power grid to the capabilities of the 21st century. Malware isn’t getting any less sophisticated, and it’s not staying in place, so neither should US cyber defenses. What’s the next frontier? Critical Infrastructure Protection requirements for distribution infrastructure of essential services like hospitals, fire stations, and police headquarters. While this NOPR is encouraging, we hope there are many more to come.