While it’s not certain that society would become a zombie apocalypse overnight if the power grids failed, it is hard to imagine how any aspect of everyday life would continue in the event of a vast, extended electrical outage. Part of what makes electrical infrastructure resilient against these types of events is the North American Electric Reliability Corporation (NERC) regulatory standards, especially the Critical Infrastructure Protection (CIP) standards, which provide detailed guidelines for both physical and cyber security. The CIP standards evolve along with the available technology and known threats, so they are versioned to provide structured documentation and protocols for companies to move from one iteration of the standards to the next. But the jump from version 3 to version 5 involves many new requirements, so we'll look at some of the differences between the two and what they mean for businesses in the industry.
From v3 to v5
Companies trying to keep up were thrown for a bit of a loop when version 4 of the CIP standards was abandoned and NERC decided the standards would move directly to v5. This caused trouble for companies that now had to map the version 3 standards they were (hopefully) complying with to the new v5 standards, as well as understand and implement compliance for several new categories, many of them cybersecurity related.
NERC CIPv5 features the following major new requirements over v3, in addition to many others:
- Encryption. A far-reaching addition that involves securing data both in transit across connections and at rest on disk. Encryption can entail an involved PKI structure, so companies without sufficient encryption practices should expect a significant amount of time and labor to bring themselves in line with the new regulations.
- Tiered compliance. Rather than having one set of standards that apply across the board to all covered facilities, NERC now has a three-level impact classification system of Low, Medium and High. What this means for companies is that unnecessary regulations no longer apply to low impact facilities, but also that multiple compliance policies are in play, increasing the complexity of documentation.
- Multifactor authentication. Two-factor authentication (2FA) greatly decreases the likelihood of a malicious actor compromising a privileged account. Requiring 2FA or above helps organizations protect against many common attacks, including phishing, brute force and some forms of social engineering.
- Serial connections. It was said that some companies, rather than subject themselves to the NERC regulations, replaced newer hardware with legacy items not under NERC’s scope. At the time of v3, serial connections were outside the regulations, and it was at least joked that it would be cheaper to replace all the covered connections with serial than to comply with the CIPs. In v5, that all changes: serial connections are now in scope.
- Security patches. Security patches and updates have always been part of the NERC CIPs, but in v5, all security patches on each device must be known. This requires an efficient mechanism to regularly poll and catalog all installed patches on every device, not just a simple check for specific patches.
- Change management. An effective change management strategy prevents unauthorized changes from causing interruptions in service or other unexpected consequences, and ensures that responsibility for changes and their effects has been passed up the ladder to the appropriate parties for sign-off, protecting the IT professionals actually performing the changes. Version 5 of the CIPs requires not only an effective change management system, but documentation of that system as well.
In addition to the many changes found in version 5 of the CIPs, the major change outlined in version 4, regarding CIP-002, the discovery and classification of critical assets, also must be enforced. Companies require a system of record that inventories all of their computer and network assets, as visibility has taken prominence in security standardization.
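The patch requirement above (every installed patch on every device must be known, not just a few specific ones) and the asset inventory requirement in CIP-002 both come down to the same mechanism: a system of record that is populated by regular polling and can be queried per impact tier. The following script is an added example written for this article, not UpGuard's code or anything from the NERC standards. It takes a constructed inventory of polled devices and a register of applicable patches, catalogues what each device has installed, and reports three kinds of gap per tier: applicable patches that are missing, installed patches the register does not know about (which change management should be able to explain), and devices whose last poll is too old for their patch state to be trusted. The patch ids, asset names, software product names and the poll-age thresholds are all assumptions made up for the example.

```python
"""Added example: build a patch catalogue from polled device inventory and
report gaps per CIP v5 impact tier. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

IMPACT_TIERS = ("Low", "Medium", "High")

# Maximum age of a device's last inventory poll before its patch state is
# treated as unknown. Constructed for this example, not a value from the CIPs.
MAX_POLL_AGE_DAYS = {"High": 7, "Medium": 7, "Low": 30}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str  # software product the patch applies to


@dataclass(frozen=True)
class Device:
    name: str
    impact: str            # CIP v5 impact rating: Low, Medium or High
    products: frozenset    # software products present on the device
    installed: frozenset   # patch ids reported by the most recent poll
    last_polled: date


@dataclass(frozen=True)
class Finding:
    device: str
    impact: str
    missing: tuple   # applicable patches the last poll did not find
    unknown: tuple   # installed patches absent from the patch register
    stale: bool      # poll older than MAX_POLL_AGE_DAYS for the tier


def applicable_patches(device, patches):
    """Patches that apply to a device, judged by the software it runs."""
    return {p.patch_id for p in patches if p.product in device.products}


def assess_device(device, patches, as_of):
    """Compare one device's polled state against the patch register."""
    if device.impact not in IMPACT_TIERS:
        raise ValueError(f"{device.name}: unknown impact rating {device.impact!r}")
    known = {p.patch_id for p in patches}
    applicable = applicable_patches(device, patches)
    age_days = (as_of - device.last_polled).days
    return Finding(
        device=device.name,
        impact=device.impact,
        missing=tuple(sorted(applicable - device.installed)),
        unknown=tuple(sorted(device.installed - known)),
        stale=age_days > MAX_POLL_AGE_DAYS[device.impact],
    )


def build_catalogue(devices, patches, as_of):
    """One Finding per device, grouped by impact tier so that each tier's
    policy can be applied separately."""
    by_tier = defaultdict(list)
    for device in devices:
        finding = assess_device(device, patches, as_of)
        by_tier[finding.impact].append(finding)
    return dict(by_tier)


def noncompliant(catalogue):
    """Names of devices with a gap, an unexplained patch or a stale poll."""
    return sorted(
        f.device
        for findings in catalogue.values()
        for f in findings
        if f.missing or f.unknown or f.stale
    )


# Constructed sample data: hypothetical patch ids, products and asset names.
PATCHES = [
    Patch("PATCH-2015-001", "rtu-firmware"),
    Patch("PATCH-2015-002", "hmi-suite"),
    Patch("PATCH-2015-003", "hmi-suite"),
]

DEVICES = [
    Device("rtu-01", "High", frozenset({"rtu-firmware"}),
           frozenset({"PATCH-2015-001"}), date(2015, 6, 28)),
    Device("hmi-01", "Medium", frozenset({"hmi-suite"}),
           frozenset({"PATCH-2015-002"}), date(2015, 6, 29)),
    Device("hist-01", "Low", frozenset({"hmi-suite"}),
           frozenset({"PATCH-2015-002", "PATCH-2015-003", "HOTFIX-X"}),
           date(2015, 5, 1)),
]

if __name__ == "__main__":
    catalogue = build_catalogue(DEVICES, PATCHES, as_of=date(2015, 7, 1))
    for tier in IMPACT_TIERS:
        for f in catalogue.get(tier, []):
            print(f"{tier:6} {f.device:8} missing={f.missing} "
                  f"unknown={f.unknown} stale={f.stale}")
    print("non-compliant:", noncompliant(catalogue))
```

On the sample data the High-impact RTU is clean, the Medium-impact HMI is missing one applicable patch, and the Low-impact historian carries a patch nobody registered and has not been polled within its window. Grouping findings by tier is the point: the same catalogue feeds different policies for Low, Medium and High assets without the inventory itself being duplicated, and the "unknown patch" column is where an undocumented change first becomes visible.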
Compliance with the NERC CIP standards means modernizing the data center and using tools and methods with proven resilience, as well as documenting those measures and regularly testing them for compliance. If this presents a challenge to some companies in the industry, that only speaks to the increasing need for these standards to be enforced, so that our shared critical infrastructure remains secure and operable.
The transition between versions 3 and 5 of the NERC CIPs further shows that a true compliance solution must be able to adapt to the changing standard. At UpGuard, we believe that the ability to regularly test all configurations, not just whatever specific pieces are required by a compliance standard, puts companies well ahead of the compliance game and, more importantly, makes them that much more resilient against the threats NERC and other regulatory organizations were created to defend against in the first place.