Protecting The Safety and Reliability of The Energy Sector with NERC CIP Standards

by Anastasios Arampatzis 

 

The Energy and Utilities sector is undoubtedly vital for human activity and, at the same time, fragile and vulnerable to cyber threats. The evolution of almost every aspect of human life is the result of energy usage. Imagine a world with no commercial power.

How would our lives be, if we were forced to live a few days without electricity?

What about the factories and the households?

The nuclear power plants, the refineries, and the biochemical industry?

No doubt, we are all heavily dependent on the energy sector, and even the thought of a malfunction for a short period of time is nightmarish. 

As the energy sector becomes more network-based, cyber-enabled, and internet-exposed, its vulnerability to highly skilled cybercriminals and cyberattacks increases. Countries develop strategies and shape defenses to protect their critical energy entities, and take measures to enhance their cybersecurity capabilities. The EU defines them as Operators of Essential Services (OES) in the NIS Directive; on the other side of the Atlantic Ocean, the USA and Canada have, for the same reason, founded the North American Electric Reliability Corporation (NERC) and established the Critical Infrastructure Protection (CIP) standards.

The energy sector is at risk 

The world has realized that the stakes in risking the cybersecurity of energy operators are very high, especially after the two recent cyberattacks. The first one hit the USA. On April 29, 2021, Colonial Pipeline, the largest pipeline in the USA that carries gasoline and jet fuel to the Southeastern United States, suffered a ransomware attack initiated by a single compromised password, which took down the system managing the whole pipeline.

The second one hit Europe twice. Less than a year after the Colonial Pipeline attack, on January 29, 2022, a fuel-supply network in Europe felt the consequences of a cyberattack. The attack targeted two leading oil traders and fuel distributors in Germany, Oiltanking GmbH and Mabanaft GmbH. The breach of their IT systems affected the terminals in the European oil-trading hub. As a result, oil producers such as Shell rerouted their oil supplies to other stations, and the distributors declared force majeure on supplies. A week later, another ransomware attack occurred. This time the cybercriminals attacked several major oil port terminals and organizations in the Netherlands, Belgium, and Germany.

The NERC CIP 

The frequency of the recent cyberattacks, their consequences, and their negative impact on our lives made standardizing the security and protection of energy infrastructure a necessity. The NERC CIP standards came to the fore.

NERC CIP is a list of standards developed by NERC for the North American Bulk Electric System (BES) to help electric grid facilities protect themselves against cyber threats. Until 2005, the standards issued by NERC were considered “good to have”. With the Energy Policy Act of 2005, the standards became obligatory, and NERC was nominated as the entity to take over the cybersecurity protection aspects of the electrical grid facilities and operators.

NERC CIP and the EU 

Although the NERC CIP framework reflects the American cultural mindset of “doing business”, it has been accepted by the EU, as the EU Center of Energy report states:

“The United States has favored a strategy of ‘security in depth’ with strict and detailed regulations in specific sectors, which are implemented by institutions possessing coercive powers. By contrast, the E.U. has adopted a more flexible and exhaustive approach covering a wide range of issues, leaving an important margin of maneuver for member states in the implementation of norms. Nevertheless, these approaches are potentially complementary in that the strengths of the American system can serve as a model to improve certain weaknesses in the European approach, and vice versa.” 

The Standards 

As of today, the NERC CIP framework consists of twelve (12) enforced standards and there are six (6) more subject to future enforcement. The scope of these standards is to minimize the risks of cyber attacks for the energy and utility companies operating within the BES, as briefly described hereafter: 

  • CIP-002-5.1a (Cyber Security – Bulk Electric System (BES) Cyber System Categorization): Proper identification and categorization of BES Cyber Systems are vital for the success of cybersecurity programs. 
  • CIP-003-8 (Cyber Security – Security Management Controls): Create visibility into the security controls to secure the organization’s assets. 
  • CIP-004-6 (Cyber Security – Personnel & Training): Require an appropriate level of personnel risk assessment, training, and security awareness to eliminate human error. 
  • CIP-005-6 (Cyber Security – Electronic Security Perimeters): Establish access management mechanisms to authenticate and authorize who and what accesses the critical cyber assets. 
  • CIP-006-6 (Cyber Security – Physical Security of BES Cyber Systems): Integrate and align physical security with cybersecurity to provide holistic protection of BES Cyber Systems. 
  • CIP-007-6 (Cyber Security – System Security Management): Responsible entities shall document all their activities to secure BES Cyber Assets. 
  • CIP-008-6 (Cyber Security – Incident Reporting and Response Planning): A concise and well-documented incident response plan has to be in place to revert to when a cyber incident occurs. 
  • CIP-009-6 (Cyber Security – Recovery Plans for BES Cyber Systems): Achieve resilience against cyber-attacks and ensure that operations will function during and after a cyber incident. 
  • CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments): Establish access controls and ensure that responsible entities have processes in place to detect and respond to any suspicious configuration change. 
  • CIP-011-2 (Cyber Security – Information Protection): Define controls, tactics, and endpoint solutions to protect specific components and assets of BES responsible entities. 
  • CIP-013-1 (Cyber Security – Supply Chain Risk Management): Implement security controls for supply chain risk management of BES Cyber Systems to mitigate cyber security risks. 
  • CIP-014-2 (Physical Security): Robust physical protection is paramount to keep the electric grid online and aspiring intruders out. 

The rocky path to compliance 

The proliferation of advanced technology in energy facilities guarantees their reliability and productivity capacity, but at the same time, it creates operational complexity. The increasing exposure of energy facilities and their respective operational technology (OT) systems to the internet has increased the cyber risks. Compliance with the NERC CIP standards focuses on the visibility of the Industrial Control Systems (ICS), the early warning and detection of possible threats, and the proper management of vulnerabilities.

Being and remaining compliant with the standards covers various areas of BES safety and requires in-depth knowledge, accurate interpretation, and understanding of the NERC CIP framework. Each entity must adopt numerous best practices and strategies to ensure compliance and protect its vital infrastructures. 

Strict and intense audits are performed by the NERC organization to ensure that the energy entities have their safety, reliability, and security processes in place and according to the standards. Failing an audit can result in fines and require extensive, time-consuming remediation work to bring the systems back into compliance.

We can help you 

Do you need to strengthen your cybersecurity posture and sustain compliance with expanded regulations and standards like NERC CIP, but do not know where to start?

Are you compliant but struggle to remain at a high security level?

Do you feel that you will fail the audit?

Here at ADACOM, we have a plethora of subject matter experts and we can provide a wide range of consulting services to help your organization strengthen its cybersecurity posture. You are more than welcome to contact us with any query or concern you may have. 