Security and Compliance: How Utilities Meet NERC CIP v5 Requirements

Featured article by Sam Abadir, Director of Product Management at LockPath

As soon as the global panic incited by the events of September 11, 2001 settled into public sector anti-terrorism initiatives, experts brought to light grave concerns about the security of the nation’s energy infrastructure. Even so, 15 years later, many energy organizations find themselves scrambling to meet the security measures set forth by NERC in their Critical Infrastructure Protection standards (CIP, Version 5). The new, much more comprehensive standards went into effect July 1, 2015, but the looming compliance deadline on July 1, 2016 is the real deal—an enforcement deadline that means auditors are on their way.

The stakes felt pretty high after 9/11, but geopolitics, waves of cybercrime and espionage, climate agreements, and a rash of recent terrorist attacks have caused a spike in attention and concern around infrastructure security. The U.S. Department of Homeland Security is investigating a cyber attack that caused widespread electrical outages in Ukraine in December 2015. More than a hundred cities were completely blacked out and hundreds more were partially without power. So far, investigators have determined that an employee opened an infected document, allowing malware to install itself on monitoring equipment. Simultaneously, power company phone lines were attacked, blocking customer calls to help centers and prolonging the outages.

The potential impact of these kinds of attacks is enormous. The risks can no longer be ignored, and not just because of NERC’s deadlines and costly fines, which could amount to $1 million for each day out of compliance. Lloyd’s of London estimated in their 2015 Business Blackout report that a widespread outage (to the Northeastern US power grid, in their scenario) could cause up to a trillion dollars in damages. The danger is far from hypothetical; a 2014 report from ICS-CERT indicates that attacks on energy facilities have increased as much as 380 percent since 2010. A recent story about critical flaws in the massive Los Angeles Department of Water and Power highlights the alarming number of fixes some agencies still need to make.

In the past, energy companies have used a compartmentalized approach to compliance, risk management, and IT security. Now, a more holistic approach is required because cyber-threats, operational risks, and regulatory requirements are increasingly complex and interconnected. Likewise, traditional governance, risk management and compliance (GRC) technologies are burdensome to implement and manage, and dated solutions can’t be configured to match the new requirements. Manual tracking and reporting processes (e.g., spreadsheets) are prone to error and unlikely to support the required level of protection or compliance evidence.

For energy facilities, the universe of risk is expanding. Risks can be anything from a configuration error to a natural disaster. In order to identify substantial risks and probable threats, prioritize remediation efforts, and create incident response plans, data from multiple sources across the enterprise and supply chain must be gathered, organized, and managed in a single location accessible to all stakeholders. This is exceedingly hard to manage through multiple spreadsheets, software solutions, and processes owned by disparate departments.

A comprehensive, automated GRC solution that provides a holistic view of enterprise risk and operations is better able to track and manage assets, vendors, incident remediation, disaster recovery, and business continuity plans that constitute a secure, audit-ready energy business. Moreover, proactive, process-based management of the compliance lifecycle is more cost-effective and enables the business to stay focused on strategic objectives and growth instead of audit-induced fire drills. Enterprises that can adapt to regulatory change, prevent negative incidents, quickly detect and remediate security issues, and ensure business continuity have less to worry about when the auditors do come around.

Once data from across the company is flowing into a common framework, compliance, risk management, and business continuity activities can be linked via process and policy. Work in one area is reinforced by related activities in the others, enabling deeper insight into interdependencies and creating workflow efficiencies. A comprehensive GRC solution should include dependency mapping and a way to tie risks to key assets, so that disaster recovery plans and business impact analyses can be tested and improved based on the results.

In the event of an attack or disaster, being able to monitor and investigate from a unified, cross-functional perspective will hasten an effective incident response. CIP v5 requires reporting within an hour of incident recognition, as well as thorough reviews of planning and actual response effectiveness. An automated GRC platform can streamline incident reporting, turning it into a repeatable process that preserves critical root cause analysis and identifies links to similar incidents. Such integrated, data-driven processes simultaneously fulfill compliance requirements and help prevent future incidents.

Indeed, the two new standards in CIP v5 specifically address requirements for documenting cyber security measures and controls that prevent unauthorized access or changes. CIP-010 is called “Cyber Security–Configuration Change Management and Vulnerability Assessments” and CIP-011 is “Cyber Security–Information Protection.” In meeting these standards, a cross-enterprise level of visibility is key to proving that not only are recommended policies and procedures being created, they are also being deployed, monitored, and continuously improved.

As compliance expert Steven Parker points out in a discussion of CIP v5: “The importance of the implementation requirement cannot be ignored. Simply creating policies will not be sufficient for compliance. Policies must be implemented through the deployment of processes, procedures, and controls that meet the objectives described in the written policies. Significant flexibility is provided with respect to the design of controls, but the stated objectives must be met, and generators will be audited against what has been implemented.”

Now is the time for action. In the energy sector, July 1 is no joke, and NERC compliance isn’t something to fool around with. Time is limited, so deploying, updating, or retrofitting outdated GRC solutions, or relying on spreadsheets just isn’t going to cut it. Generating facilities are intricate systems operating in a complex, hyper-connected environment wherein they are the targets of multiple, mutating threats. Across the enterprise—including supply chain, vendors, and other third parties—people, process, and technology all have to be tightly but efficiently controlled. Key assets and risks have to be identified, correlated, and tracked. Vulnerabilities and incidents have to be remediated, reported, and reviewed. And all of it has to be documented, analyzed, and prepared for audit.

A full-featured, comprehensive platform that can automate and connect data collection, policy enforcement, tracking, and reporting activities is essential to both cyber security programs and regulatory compliance. The enterprise maturity and intelligence that will grow from systematized processes, powerful analytics, and data-driven planning will provide benefits well beyond compliance and risk management. Advanced GRC platforms can cut costs, and increase efficiency and accuracy, keeping the enterprise ready to face the future.

Sam Abadir is the Director of Product Management at LockPath, a leading provider of governance, risk management and compliance (GRC) solutions. He has over twenty years of experience helping companies realize value through improving processes, identifying performance metrics, and understanding risk. Early in Sam’s career he worked directly with financial institutions and manufacturing companies, helping them understand how risk management could be a competitive advantage. As a Sr. Manager at Deloitte he broadened his experience focusing on Global 2000 companies. In the past five years, Sam has worked with software companies like LockPath to build the tools that help companies harness the value of understanding and assessing risk.