Earlier this month, on June 4th, the North American Electric Reliability Corporation (NERC) released a new practice guide that pinpoints how organizations should integrate network monitoring solutions into industrial operational technology (OT) networks of the electric utility industry.
NERC developed the ERO Enterprise CMEP Practice Guide: Network Monitoring Sensors, Centralized Collectors, and Information Sharing in response to the Department of Energy's (DOE's) 100-day plan. The Department of Energy’s initiative is to advance technologies that provide increased visibility, detection, and response capabilities for utilities' industrial control systems (ICS) and operational technology (OT) networks to better protect the nation's agencies and infrastructures.
While many government agencies and organizations have already deployed these types of technologies within their OT environments, NERC anticipates that the DOE 100-day plan will drive more deployments across the electric utility industry to improve threat detection and incident response. NERC provides an actionable framework for auditing compliance with the CIP Reliability Standards when a registered entity deploys detection and monitoring technologies that include network monitoring sensors and centralized data collectors, and that may involve sharing the collected data with third parties.
Additionally, the guide provides ERO Enterprise examples of how to comply with the standards. This is very helpful, as NERC is giving organizations a concrete framework for compliance monitoring as it relates to the deployment of OT security technology.
We’ve put together an overview of the report and the key takeaways that relate to industrial OT security.
NERC CIP standards: Protecting Cyber Assets
As expected, the guide discusses the importance of the protection of cyber assets. According to NERC, the CIP standards require registered entities to protect Bulk Electric System (BES) Cyber Systems and certain associated Cyber Assets.
To understand how the CIP standards apply to a network monitoring deployment, an organization must first determine whether the sensor to be deployed is a Cyber Asset, then whether it is a BES Cyber Asset and therefore part of a BES Cyber System, or another type of Cyber Asset subject to the requirements of the CIP standards, such as a Protected Cyber Asset (PCA) or an Electronic Access Control or Monitoring System (EACMS).
If a sensor does not qualify as part of a BES Cyber System, it may still fall under CIP requirements depending on how it is used and the environment in which it is deployed. Devices deployed in high or medium impact environments can be categorized as Protected Cyber Assets if they are interconnected using routable protocols within an Electronic Security Perimeter, or as Electronic Access Control or Monitoring Systems (EACMS).
The report ends the section on protecting cyber assets by noting that organizations may not be required to secure sensors deployed in an environment with only low-impact BES Cyber Systems, even if those sensors are “performing the functions of an EACMS or other device subject to the CIP standards.” However, auditors must still assess whether those devices are subject to the requirements of CIP-003-8 concerning electronic access control.
Data Protection and Third-Party Access
When it comes to data protection, the report notes that the CIP standards require organizations to control access to BES Cyber System Information (BCSI), which NERC defines as “Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to [it].” The report gives several examples of such data, including the network topology of the system, security procedures, collections of network addresses, and any information that is not publicly available and could be used to gain unauthorized access or to distribute sensitive data.
NERC urges Compliance Monitoring and Enforcement Program (CMEP) teams to identify how the registered entity determines whether the data collected by its sensors contains BCSI, and whether that information is transmitted to or accessible by third parties. If the data includes BCSI, CMEP teams must assess whether the utility has a process in place to authorize access to the designated storage locations for BCSI. Any potential third-party access to that information must also be assessed.
The guide also recommends that CMEP teams verify a utility’s network monitoring deployment through a deep-dive review of every system involved, so that no potential exposure is overlooked.
Governance for OT Networks
This NERC report is a very detailed framework that industrial organizations, especially in the US electric community, will start to implement. We expect government agencies to use this guide as the compliance framework for all discussions on passive monitoring technology.
The SCADAfence Platform for OT network security, combined with the SCADAfence Governance Portal, helps utility companies ensure that their Bulk Electric System (BES) is secure and reliable according to the North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) standards. The SCADAfence Governance Portal includes a built-in NERC CIP module which provides cross-organizational tracking and measurement of NERC CIP adherence.
To learn how your organization can achieve NERC CIP compliance by using the SCADAfence Governance Portal, download the full whitepaper here: https://www.scadafence.com/resource/nerc-cip-compliance-scadafences-unique-solution-whitepaper/
Having visibility into compliance enables IT and OT departments to centrally define and monitor their organization’s adherence to OT-related regulations and security policies. To learn more about IT & OT compliance, please join us on June 23rd for our joint webinar with Rapid7 as we will cover how to measure compliance over time for standards such as NIST, NERC-CIP, IEC-62443, among others.
Sign up: https://information.rapid7.com/SCADAfence-road-to-successful-industrial-compliance.html