We expect electrical energy to be available to us 24x7, year-round, to illuminate our homes and offices. Although energy resources are reliable, incidents of attackers taking an electrical grid offline are not unheard of. In several cases, employees with access to the utilities and mission-critical operations attack these facilities for their own selfish motives. The cause could be anything from accidental actions to terrorism or revenge. With limited resources, they manage to attack the facilities, take the grid offline, and create chaos.
In January 2019, the North American Reliability Corporation (NERC) fined a company $10 million for 127 CIP and other security violations that occurred between 2015 and 2018.
How does NERC curb this issue?
For ten years now, NERC has required the electric industry to meet the NERC standards, including the CIP (Critical Infrastructure Protection) standards. Although the CIP standards have changed over the years, the basic provisions have remained the same. Companies need to identify critical cyber assets and execute physical and electronic procedures to safeguard those assets.
The companies are subject to penalties if they fail to satisfy NERC compliance. In the past, six-figure penalties have been imposed on firms failing to follow the NERC Critical Infrastructure Protection (CIP).
How can the utilities and energy providers avoid the penalties?
If you are an energy provider who wants to avoid paying a hefty penalty, all you need to do is stick to the standards. If you keep a check on a few key areas, you can easily comply with NERC standards and spare yourself from paying a six-figure penalty.
Here is what utilities and energy providers should do to meet minimum NERC standards:
- Make sure that you identify and classify the BES (Bulk Electrical Systems) assets in the OT environment. The first step is to understand what you have and then take measures to secure it. You can consider deploying ICS security technology, which goes a long way in tracing your ICS devices. This technology automatically finds and maps your ICS devices (functional and dormant) and keeps track of the inventory of these assets. It includes controllers (DCS, RTUs, and PLC controllers), engineering and operator workstations, and several other devices.
- Install security devices that are sustainable and consistent with safeguarding your Bulk Electrical Systems and protecting them against maloperation. Deploy a security management policy covering any unapproved ICS access. This practice will also make the owners and operators more responsible and accountable. It will also go a long way in preventing unauthorized activities that result in plant instability or maloperation.
- Dictate specific operational, procedural, and technical requirements for system security that safeguard the BES cyber systems against threats resulting in BES maloperation or instability. You can do this by installing an ICS security system that can detect suspicious activities and rule violations. A robust system easily discovers malicious code activity on the devices and network, such as abnormal communications, malware propagation, network attacks on the controllers, direct attacks through compromised laptops connected to the system, etc. These alerts warn the security staff to take over and nullify the effects before they lead to big issues, like instability and maloperation.
The bottom line
Sticking to NERC and CIP compliance is not rocket science. Companies should prioritize compliance with NERC just the way they comply with environmental and several other government requirements. The tips listed above can help in avoiding penalties. Companies can also reach out to NERC compliance consultants, who iron out the issues, simplify the complexities, and cut down the cost of compliance.