The NERC CIP standards specify cybersecurity measures required in the North American Bulk Electric System (BES) for grid control centers, large power plants and high-voltage substations. The standards are also used as guidance by many other stakeholders, even in other industries, around the world. A problem with the standards, however, is that they are written in abstract language that is difficult to interpret. For example, the standards effectively forbid OT systems to use IT Active Directory forests, and strongly encourage the use of Unidirectional Gateways – but neither the words “Active Directory” nor “Unidirectional Gateway” appear anywhere in the standards.
This is unfortunate, because Unidirectional Gateways really do strengthen and simplify NERC CIP security and compliance programs. Unidirectional Gateways are used routinely at the IT/OT interface in power plants – providing OT data to IT users and applications, with no risk at all of cyber attacks “leaking” through the gateways back into protected networks. Unidirectional Gateway technology is currently deployed to protect roughly 1/3 of the power produced in the North American grid. Unidirectional Gateways are also used to protect inter-utility ICCP connections in Balancing Authorities (BA’s) and Transmission System Operators (TSO’s). And the gateways are starting to be used to protect sub-networks of protective relays in power plants and high voltage substations.
| Number | Title | Specifies |
|---|---|---|
|
CIP-002 |
BES Cyber System Categorization |
Which kinds of computer systems must use which rules |
|
CIP-003 |
Security Management Controls |
How a CIP program must be documented |
|
CIP-004 |
Personnel & Training |
Background checks, training programs, etc. |
|
CIP-005 |
Electronic Security Perimeters |
Network segmentation & remote access rules |
|
CIP-006 |
Physical Security of BES Cyber Systems |
Physical security for areas containing CIP-covered systems |
|
CIP-007 |
Systems Security Management |
Anti-virus, security updates & other host-based measures |
|
CIP-008 |
Incident Reporting and Response Panning |
Security incident response rules |
|
CIP-009 |
Recovery Plans for BES Cyber Systems |
Backups & related measures |
|
CIP-010 |
Configuration Change Management & Vulnerability Assessments |
Planning for, documenting, & testing changes + periodic assessments |
|
CIP-011 |
Information Protection |
Rules for protecting design information, erasing systems before disposal, etc. |
|
CIP-012 |
Communications Between Control Centers |
Encrypted communications between grid control centers |
|
CIP-013 |
Supply Chain Risk Management |
Supplier risk assessments & related measures |
|
CIP-014 |
Physical Security |
Physical security measures for high-voltage substations |
NERC CIP standards recognize that Unidirectional Gateways are stronger than firewalls and in fact provide engineering-grade protection to industrial operations, rather than only IT-grade protection.
The standards express this recognition by providing exemptions from 37 requirements for unidirectionally-protected BES Cyber Systems – 37 out of the roughly 125 requirements in the standards family. It is unfortunate that, while the CIP drafting team clearly understood the benefits of using Unidirectional Gateways, their abstract language makes it difficult for readers of the standard to understand these same benefits.
The resources on this page are provided in hopes of clarifying the role of Unidirectional Gateways in simplifying and reducing the cost of strong NERC CIP security and compliance programs.
NERC CIP is written in an abstract language – independent of technologies and network designs. Interpreting the standard for specific technologies and networks can be tricky. In this article, we look at one of the tricky bits in the standard: mixed-trust Active Directory servers.
Which is better – security or compliance? Suzanne Black of Network + Security Technologies brings a new perspective to this old question and covers a lot of other ground in the latest NERC CIP standards.
Download here Waterfall’s latest whitepaper: NERC CIP V5 Standards And Unidirectional Network Protection
I recently attended the NERC CIP Emerging Technologies Round Table meeting on Cloud & IoT, where a primary focus was Bulk Electric System (BES) Cyber Systems in the cloud. BES Cyber Systems are systems with an adverse effect on the BES within 15 minutes of failure or compromise. Interestingly, the most thought-provoking discussion at the end of the day had to do with the Internet, not with the cloud. Can electric utilities withstand the most sophisticated of Internet-based cyberattacks? Imagine a massive distributed denial of service (DDoS) attack that targets, not Microsoft Azure or Amazon, but one or more electric
English
Français
Español
עברית
Deutsch
日本語
한국어
中文
اَلْعَرَبِيَّةُ
