NERC introduced its critical infrastructure protection standards in 2008. These standards apply to owners and operators of the bulk electric system, including generators and transmission system operators. The standards cover protection from physical and cyberattack.
NERC CIP is notoriously difficult and costly to comply with, yet is mandatory for power generators in the United States and Canada. Penalties for non-compliance can be as much as $1 million per day per violation, and standards are under continual revision.
As a global leader in power and automation technologies, ABB has helped many utilities develop and sustain cyber security programs that support compliance with NERC CIP. This includes helping to develop audit reporting for critical assets, identifying vulnerabilities and potential threats, and developing plans to monitor and protect the assets.
While ABB’s expertise in cyber security is not confined to North American standards, after 10 years of enforced regulations we want to illuminate the lessons power generators have learned in that time. What conclusions can we draw?
Collaboration between IT and OT is critical
The need to bring information technology (IT) and operational technology (OT) departments closer together has been voiced for some time, with little effect. But as cyberattacks increase and digitalization expands, close collaboration between IT and OT is essential.
Their roles and responsibilities are different. IT is part of the corporate organization, responsible for cyber security at the business level. OT operates at plant level and is focused on reliability, availability and safety, and on ensuring that the plant is cyber-secure.
Often, IT and OT do not see eye to eye. IT considers the plant a business asset, whereas OT focuses on the nuances of daily operations and production. IT systems are usually renewed after four or five years, whereas OT systems have longer lives, being upgraded after 10, 15 or even 20 years. IT may wish to introduce new measures to improve security, which OT sees as an imposition that might impact reliability and availability.
ABB understands both departments and their respective roles and responsibilities. We help them come together, communicate with each other and understand one another. We can explain to OT why the new measures are needed, but we can also explain why OT is concerned about the disruptions those measures may cause. We help them solve the dilemma and arrive at the best possible solution, for the company and the plant.
Start with a strategy
‘Start with a strategy’ may seem obvious, but in our experience the journey to cyber security is rarely straightforward or well mapped.
Initially, many companies seek a quick fix by buying a solution off the shelf that will help them comply with some CIP regulations.
Others go to a consultancy that helps them make security assessments and close the gaps they find. Having secured the gaps, the consultants and the customer move on, usually without a long-term sustainable security program in place.
Some companies are more diligent. They perform a security assessment, realize their risks and vulnerabilities, and then invest in implementing a project team to manage cyber security. Having trained the staff, they forget about continuous training programs and keeping their staff motivated. In a market where skilled cyber security people are in short supply, staff are hard to retain and replace.
A sound cyber security strategy avoids these traps. It is a long-term commitment that focuses on processes, people and technology, and invests optimally in all three.
There is no silver bullet
There is no single technology, method or solution that can provide 100-percent protection, all of the time. What is possible is a multi-layered, defense-in-depth approach to ensure assets are protected and secure.
To protect something, you have to know what it is you have to protect. Many companies struggle to do this. Assessments can be time-consuming and costly, but they provide essential information on the software inventory and cyber risks for an operation. A large power plant can have hundreds or thousands of assets that require physical or digital protection.
People too are a critical part of the defense-in-depth approach. Because cyber security is a non-stop, fast-moving industry, the people responsible for it at the plant should be afforded the tools, training and resources needed to manage cyber threats. Unfortunately, they are often too oversubscribed with other responsibilities to manage the cyber risks effectively.
Test your resilience frequently
Once your strategy, compliance program, protection and people are in place, it is easy to be drawn into a false sense of security. This is where you are at your most vulnerable. Responding to an incident after an attack is a poor time to learn how to manage that incident.
Resilience is like fitness. You have to train regularly and exercise your muscles. Try to stay ahead of the opponent by testing whether the plant’s protection can be broken through, to confirm it is secure. Test your incident response plan to foresee challenges and pressure points. Practice frequently so you know what could happen if an attack succeeds and the plant shuts down. Draw up response plans for each department (legal, communications, human resources, etc.) and for local stakeholders such as the municipality and service providers. Everyone should know how to respond in a stressful situation that is evolving by the second. Ideally, incident response scenarios should be challenging enough to expose gaps; every gap found is an opportunity to act before your attacker does.
Choose your partners wisely
There are many potential partners out there; hundreds of millions of dollars have flowed into funding industrial control system cyber security start-ups over the past 10 years. Some do many things well, others do one thing expertly. Few have know-how that crosses all the relevant domains: power generation, transmission, distribution and automation systems, cyber security, digitalization and the cloud. Do not fall for the ‘new shiny technology’ marketing hype some of these start-ups rely on. Look for partners who understand your business and your challenges, and whom you can trust.