NERC CIP Standards for Bulk Electric System SCADA Networks

By balaji

June 17, 2011

We discussed security in SCADA networks in previous articles. In this article, we look at some of the compliance requirements for SCADA networks, focusing specifically on the NERC CIP standards. Compliance is a concern for all utility companies running SCADA systems, as they may have to satisfy multiple regulatory requirements, industry standards, guidelines and best practices, with no clarity on exactly which standard must be followed.

Current State of Standards

Industry-specific standards are being developed for electricity, water, oil and natural gas. Other efforts by various entities include:

  • the ISA-99/TR99 standards developed by the ISA-SP99 Manufacturing and Control Systems Security Committee;
  • the Process Control Security Requirements Forum (PCSRF) maintained by the National Institute of Standards and Technology (NIST);
  • Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (HSPD-7) and the Chemical Facility Anti-Terrorism Standards released by the Department of Homeland Security;
  • the Code of Federal Regulations enforced by the United States Nuclear Regulatory Commission (U.S. NRC); and
  • the IEC-61804 standards developed by the IEC-65C Process Measurement and Control: Digital Communications Committee.

Although many such standards and guidelines are being developed, they provide little guidance on practical implementation or on how to achieve compliance. SCADA operators are therefore likely to make their own interpretations of these standards, which may lead to audit failures or legal liability.

NERC CIP Standards

The North American Electric Reliability Corporation (NERC) has developed a set of standards called the Critical Infrastructure Protection (CIP) Standards. These standards serve as regulatory requirements for all electric utility companies in the United States and Canada. They were first established in 2006 and have gone through 3 revisions to date. The rest of this article walks through the individual CIP standards.

The NERC CIP standards are split into 9 parts, CIP-001 through CIP-009. The versions currently enforced in each regulatory jurisdiction are available on the NERC website.

The CIP-001-1a standard defines the requirements for reporting disturbances or other incidents caused by sabotage. It lists 4 requirements, covering procedures for the detection of sabotage, communication to the appropriate parties, response to sabotage, and reporting to law enforcement.

The CIP-002-3 standard deals with Critical Cyber Asset Identification: all Critical Cyber Assets associated with the Critical Assets that support the operation of the Bulk Electric System must be identified and documented. The identification of Critical Assets must be performed using a risk-based assessment.

The CIP-003-3 standard requires entities to have established a minimum set of security management controls to protect the Critical Cyber Assets. The requirements specified under this standard include:

  • Developing and implementing a cyber security policy that addresses the requirements of the rest of the CIP standards and is distributed to all personnel with access to the Critical Cyber Assets.
  • Assigning responsibility for managing implementation of and compliance with the standards to a senior manager, and documenting and approving any exceptions to the cyber security policy.
  • Developing a program to protect and manage access to information associated with Critical Cyber Assets.
  • Establishing a change control and configuration management process for Critical Cyber Assets.

The CIP-004-3 standard requires personnel with cyber or physical access to Critical Cyber Assets to have undergone a risk assessment and training, and to possess security awareness. The specific requirements are:

  • A security awareness program that includes reinforcement on a quarterly basis.
  • A cyber security training program that provides insights into the policies, procedures and access controls established for the use and handling of Critical Cyber Assets.
  • A personnel risk assessment program that includes identity verification and a 7-year criminal record check carried out in accordance with Federal, State and Local laws.
  • Maintaining a list of personnel and their access rights to Critical Cyber Assets, which is reviewed and updated quarterly, and also after a change in personnel.

The CIP-005-3 standard mandates the identification and protection of the Electronic Security Perimeter, which defines the boundary for all Critical Cyber Assets. The requirements in this standard include:

  • Define the Electronic Security Perimeter(s) within which all Critical Cyber Assets reside, and identify and document all access points to the Electronic Security Perimeter(s).
  • Establish processes and technical controls for access at the access points to the Electronic Security Perimeter(s).
  • Implement a process to monitor and log all access at the access points to the Electronic Security Perimeter(s) and to detect any unauthorized access.
  • Perform a cyber vulnerability assessment of the access points to the Electronic Security Perimeter(s) on an annual basis.
  • Maintain the required documentation and logs.
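As an added illustration of the monitoring and logging requirement above (this is example code written for this article, not part of NERC's standards or any vendor's product), the script below checks access-point records against the documented policy for an Electronic Security Perimeter access point. The access-point name, addresses, ports and the log line format are constructed assumptions.

```python
import re

# Documented policy for each Electronic Security Perimeter (ESP) access point:
# hosts permitted to cross it and the destination ports justified for it.
# Names, addresses and ports are constructed for illustration.
ESP_POLICY = {
    "FW-ESP-1": {"sources": {"10.10.5.20", "10.10.5.21"}, "ports": {22, 502}},
}

# Constructed record format for the access-point device (an assumption; a real
# firewall's syslog differs, and only this regex would need to change).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def audit_esp_access(log_lines, policy=ESP_POLICY):
    """Return (events, findings): every parsed access record, plus a finding
    (reason, severity, line) for each record the documented policy does not
    cover. Severity is 'critical' when the access point allowed the traffic,
    'blocked' when it was denied but still represents an attempt."""
    events, findings = [], []
    for raw in log_lines:
        line = raw.strip()
        m = LOG_RE.match(line)
        if not m:                      # never silently drop an unreadable record
            findings.append(("unparsed-record", "review", line))
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)              # every access is retained for the log
        severity = "critical" if ev["action"] == "allow" else "blocked"
        pol = policy.get(ev["ap"])
        if pol is None:
            findings.append(("undocumented-access-point", severity, line))
        elif ev["src"] not in pol["sources"]:
            findings.append(("unauthorized-source", severity, line))
        elif ev["dport"] not in pol["ports"]:
            findings.append(("unapproved-port", severity, line))
    return events, findings

SAMPLE_LOG = [  # constructed sample records, not real traffic
    "2011-06-17T10:01:02 ap=FW-ESP-1 src=10.10.5.20 dst=192.168.100.10 proto=tcp dport=22 action=allow",
    "2011-06-17T10:03:14 ap=FW-ESP-1 src=10.10.9.77 dst=192.168.100.10 proto=tcp dport=22 action=allow",
    "2011-06-17T10:04:30 ap=FW-ESP-1 src=10.10.5.21 dst=192.168.100.11 proto=tcp dport=3389 action=deny",
    "2011-06-17T10:05:00 ap=SW-LAB-9 src=10.10.5.20 dst=192.168.100.12 proto=udp dport=161 action=allow",
]
```

A record that passed through an access point not on the documented list is the case auditors look for first, since it means the perimeter documentation and the deployed controls have diverged.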

The CIP-006-3 standard defines the implementation requirements for a Physical Security Program for the protection of Critical Cyber Assets. The specific requirements in this standard include the following steps:

  • Document and implement a Physical Security Plan.
  • Provide physical access controls to the Cyber Assets that authorize and log access to the Physical Security Perimeter.
  • Ensure that the Electronic Security Perimeter lies within the Physical Security Perimeter.
  • Establish operational, procedural and technical access controls to manage, monitor and log physical access at all access points to the Physical Security Perimeter.

The CIP-007-3 standard requires processes to be defined for securing the critical and non-critical Cyber Assets within the Electronic Security Perimeter(s). The individual requirements are to:

  • Create and maintain test procedures for any significant change in the Cyber Assets within the Electronic Security Perimeter(s).
  • Ensure that only ports and services required for normal and emergency operations are enabled.
  • Develop a security patch management program separately or as a part of the Configuration Management Process to identify, test and install the necessary patches for all Cyber Assets within the Electronic Security Perimeter(s).
  • Use antivirus software and other malware prevention tools to address the threat of malware on all Cyber Assets within the Electronic Security Perimeter(s).
  • Establish and implement technical and procedural controls to enforce authentication and accountability for all user activity.
  • Implement tools/controls on all Cyber Assets to monitor system events related to cyber security.
  • Establish and implement processes for disposal and redeployment of Cyber Assets within the Electronic Security Perimeter(s).
  • Perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter(s) on an annual basis.
  • Maintain the required documentation for all changes and controls.
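The ports-and-services requirement above is one of the few CIP-007 items that can be checked mechanically. As an added example (written for this article, not code from NERC or any vendor), the script below parses `ss -tulpn` style output for a Cyber Asset and reports every listener that has no documented justification for normal or emergency operation, as well as documented services that are no longer listening. The asset name, baseline entries and sample output are constructed.

```python
import re

# Documented baseline for one Cyber Asset inside the ESP: each enabled
# listener must be justified as needed for normal or emergency operation.
# Asset name, ports and justifications are constructed for illustration.
PORT_BASELINE = {
    "rtu-gw-01": {
        ("tcp", 502): "Modbus/TCP polling by the SCADA master (normal operation)",
        ("tcp", 22):  "Encrypted maintenance access from the jump host (emergency)",
    },
}

# Parses `ss -tulpn` style output; the sample below is constructed.
SS_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+'
    r'\s+users:\(\("(?P<proc>[^"]+)"'
)

def parse_listeners(ss_output):
    """Return {(proto, port): process} for every listening socket in the output."""
    listeners = {}
    for line in ss_output.splitlines():
        m = SS_RE.match(line.strip())
        if m:                      # header and non-matching lines are skipped
            listeners[(m["proto"], int(m["port"]))] = m["proc"]
    return listeners

def check_ports_and_services(asset, ss_output, baseline=PORT_BASELINE):
    """Compare observed listeners with the documented baseline for the asset.

    Returns (unjustified, missing): listeners with no documented need, and
    documented services that are not actually listening (a change to review)."""
    documented = baseline[asset]
    observed = parse_listeners(ss_output)
    unjustified = sorted((p, port, proc) for (p, port), proc in observed.items()
                         if (p, port) not in documented)
    missing = sorted(k for k in documented if k not in observed)
    return unjustified, missing

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502       0.0.0.0:*         users:(("modbusd",pid=902,fd=5))
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=950,fd=4))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=700,fd=7))
"""
```

Run against the sample, the unjustified listeners are telnet and SNMP, exactly the kind of legacy services that tend to survive on control-system hosts without anyone having written down why they are needed.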

The CIP-008-3 standard requires the identification, classification, response to and reporting of Cyber Security Incidents related to Critical Cyber Assets. The requirements include developing a detailed Cyber Security Incident Response Plan and maintaining the required documentation on Cyber Security Incidents. The response plan should address incident categorization, roles and responsibilities, and handling procedures.

The CIP-009-3 standard requires the development of business continuity and disaster recovery plans for all Critical Cyber Assets. The recovery plan should address aspects such as testing, change control, backup and restore.

Question of Assurance

Even though cyber security gets the most attention because of recently publicized incidents, physical and operational security deserve equal concern. Shoring up cyber security alone while leaving the doors open on physical and operational security gives an attacker an opportunity to reach the SCADA systems and networks. Even in the electric power industry, which is more heavily regulated through these CIP standards, the requirements are not detailed and specific, and they give SCADA operators no real assurance of security. The standards being developed must therefore emphasize physical and operational security as much as cyber security. SCADA operators that implement security across all three aspects will be better equipped to handle the threats to their SCADA systems and networks.
