Security system

Utilities Guide for NERC CIP Considerations When Selecting a Security System

By Greg Kemper

Shifting consumer preferences, evolving threats and new regulations have reshaped the utility industry. What was once an analog, centralized, scale-driven model has become a digital, distributed energy model.

To meet new challenges, utility companies are looking to update and strengthen critical security infrastructure and stay ahead of regulatory changes.

When selecting a security system, companies should consider how that system supports compliance with NERC CIP, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards, which define, enforce and audit the cyber and physical security requirements for the Bulk Electric System (BES) in North America.

Below is a brief summary of what utilities should aim to achieve for each requirement, recommendations on what to look for in a security system to help meet those requirements, and tips to help achieve conformity.

CIP-002-5.1a: Cyber Security – BES Cyber System Categorization

What you should aim to achieve:

Identify and categorize your BES Cyber Systems by the impact their loss or compromise would have on the reliable operation of the BES (high, medium or low), so you know which assets carry the strictest requirements, and review the categorization at least once every 15 calendar months.

Considerations for security systems:

Look for systems that maintain an up-to-date inventory of all connected devices and their status. A real-time view of every device simplifies the periodic review and shows what needs immediate attention.

CIP-003-8: Cyber Security – Security Management Controls

What you should aim to achieve:

Define and regularly review documented cybersecurity policies for your BES Cyber Systems, clearly assign responsibility and accountability, and maintain procedures and a cybersecurity incident response plan.

Considerations for security systems:

Invest in a security system that can help guide your security teams in their incident responses with digitized SOPs that comply with your organization’s specific processes and compliance requirements. This will help reduce potential human error and ensure compliance while simplifying the auditing and reporting process.

CIP-004-6: Cyber Security – Personnel and Training

What you should aim to achieve:

Minimize vulnerabilities and errors introduced by people who access BES Cyber Systems: run security awareness and role-based training programs, perform personnel risk assessments (background checks) before granting authorized electronic or unescorted physical access, and ensure that user accounts, account groups, role categories and their privileges are accurate, up to date and revoked promptly when access is no longer needed.

Considerations for security systems:

Look for a system that can help you manage identity and access rights based on attributes for each employee, whether contract or staff, while being fully unified with your access control system. This will streamline your efforts in managing the various accesses of cardholders entering your protected areas.

CIP-005-6: Cybersecurity – Electronic Security Perimeter(s)

What you should aim to achieve:

Secure access to BES cyber systems by keeping your critical assets within a designated electronic security perimeter so they can be closely monitored for suspicious activity.

Considerations for security systems:

Ensure that every system connected to your network infrastructure requires strong authentication, encrypts its communications with a current, non-deprecated protocol version (TLS 1.2 or later, not SSL or early TLS), and grants access to critical assets through role-based permissions. Make sure an access activity report is available to simplify investigations and audits.

CIP-006-6: Cyber Security – Physical Security of BES Cyber Systems

What you should aim to achieve:

Protect and manage physical access to BES cyber systems by defining a physical security plan to manage intrusions and unauthorized access to protected areas.

Considerations for security systems:

Look for a reliable physical access control system that can be paired with a visitor management solution to strengthen your organization's security and improve your ability to respond to incidents while meeting compliance requirements. Ensure comprehensive reporting is available to log access attempts and cardholder/visitor activity for incident investigations.

CIP-007-6: Cyber Security – System Security Management

What you should aim to achieve:

Strengthen the protection of BES Cyber Systems by defining and implementing technical, operational and procedural controls covering logical ports and services, patch management, malicious code prevention and alerting, security event monitoring and logging, and system access control (including password and account management).

Considerations for security systems:

To ensure security policies are actively enforced, look for systems that provide status dashboards, automated firmware and patch deployment (still routed through your change management process so each update is tracked), alerts on failed login attempts with the activity trail needed to follow up, and the ability to manage and synchronize user access rights so that changes made in your identity and access management system propagate automatically.

Consider a unified access control and identity management system to reduce the need to work with multiple disparate systems.
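One way to implement the failed-login alerting called for above, as an added example that is not from the original article or from any vendor's product: a threshold detector run over constructed, hypothetical authentication log lines (the log format, host names, account names and addresses are assumptions made for this example). It tracks failures per host and account inside a sliding window, alerts once per burst, resets on a successful login, and can be re-run with a longer window to catch slow, spaced-out attempts that a short window misses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, hypothetical authentication log lines (not real data). The
# format, host names, account names and addresses are made up for this example.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z auth host=ems-hmi-01 user=operator1 result=FAIL src=10.20.1.15
2024-03-01T08:00:05Z auth host=ems-hmi-01 user=operator1 result=FAIL src=10.20.1.15
2024-03-01T08:00:09Z auth host=ems-hmi-01 user=operator1 result=FAIL src=10.20.1.15
2024-03-01T08:00:14Z auth host=ems-hmi-01 user=operator1 result=FAIL src=10.20.1.15
2024-03-01T08:00:20Z auth host=ems-hmi-01 user=operator1 result=FAIL src=10.20.1.15
2024-03-01T08:00:31Z auth host=ems-hmi-01 user=operator1 result=OK src=10.20.1.15
2024-03-01T08:00:02Z auth host=ems-hmi-01 user=operator2 result=OK src=10.20.1.16
2024-03-01T09:10:00Z auth host=rtu-gw-03 user=svc_backup result=FAIL src=10.20.2.40
2024-03-01T09:40:00Z auth host=rtu-gw-03 user=svc_backup result=FAIL src=10.20.2.40
2024-03-01T10:10:00Z auth host=rtu-gw-03 user=svc_backup result=FAIL src=10.20.2.40
2024-03-01T10:40:00Z auth host=rtu-gw-03 user=svc_backup result=FAIL src=10.20.2.40
2024-03-01T11:10:00Z auth host=rtu-gw-03 user=svc_backup result=FAIL src=10.20.2.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_failed_logins(lines, threshold=5, window_minutes=15):
    """Alert once per (host, user) when `threshold` failures fall inside a
    sliding window of `window_minutes`. A successful login resets the window.
    Events are sorted first because collectors often deliver them out of order."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    alerted = set()                 # keys already alerted in the current burst
    alerts = []
    events = [e for e in (parse_line(raw) for raw in lines) if e]
    events.sort(key=lambda e: e["ts"])
    for e in events:
        key = (e["host"], e["user"])
        if e["result"] == "OK":
            failures[key].clear()
            alerted.discard(key)
            continue
        recent = failures[key]
        recent.append(e["ts"])
        # Drop failures that have aged out of the window.
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and key not in alerted:
            alerts.append({
                "host": e["host"], "user": e["user"], "src": e["src"],
                "count": len(recent), "first": recent[0], "last": e["ts"],
            })
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for a in detect_failed_logins(SAMPLE_LOG.splitlines()):
        print("ALERT burst:", a)
    # A 24-hour window also catches the slow attempts against svc_backup,
    # which are spaced 30 minutes apart and never trip the 15-minute window.
    for a in detect_failed_logins(SAMPLE_LOG.splitlines(), window_minutes=24 * 60):
        print("ALERT daily:", a)
```

With the default 15-minute window only the burst against operator1 alerts; the svc_backup attempts are 30 minutes apart and go unnoticed, which is why a second, longer window (or a daily per-account count) belongs alongside the short one. The alert carries the source address and the first and last timestamps so the activity trail can be pulled for follow-up.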

CIP-008-6: Cyber Security – Incident Reporting and Response Planning

What you should aim to achieve:

Establish procedures to identify, classify and respond to cybersecurity incidents, keep complete records of each incident and how it was handled, and report Reportable Cyber Security Incidents to the Electricity Information Sharing and Analysis Center (E-ISAC) within the required timeframes.

Considerations for security systems:

Having a centralized system that maintains a complete log of network activity and access, as well as a complete history of asset configuration data will simplify the process of investigation and recovery if necessary. Look for technology partners who can provide emergency support in the event of catastrophic system failure or cyberattacks.

CIP-009-6: Cyber Security – Recovery Plans for BES Cyber Systems

What you should aim to achieve:

Define, test and maintain a recovery plan for your BES Cyber Systems that can be executed after a cyber attack or other disruptive event.

Considerations for security systems:

To support disaster recovery, look for systems that offer a full failover and redundancy architecture and can be distributed across multiple servers and geographic sites. Place a disaster-recovery directory server at an offsite location, configured so that it only activates when all other directory servers are unavailable, and verify the failover periodically rather than assuming it works.

CIP-010-3: Cyber Security – Configuration Change Management and Vulnerability Assessments

What you should aim to achieve:

Develop a baseline configuration for each BES Cyber Asset (operating system or firmware, installed commercial, open-source and custom software, logical network-accessible ports, and applied security patches), authorize and document every change to it, and monitor for deviations from the baseline so that unauthorized changes and new vulnerabilities are caught promptly.

Considerations for security systems:

Make sure the critical systems you invest in provide a full audit trail that records every change made by system administrators and every configuration file change, so that the evidence can be compiled easily for NERC CIP compliance audits. Technology partners who regularly perform vulnerability assessments and penetration tests on their own products can help you document and report on the assessment of your system.
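The baseline-and-deviation check described in this section, as an added example that is not part of the original article or of any vendor's product: a short Python script that records a constructed, hypothetical baseline for one asset (the asset name, version strings, port list and patch identifiers are made up), hashes it canonically so reordering does not look like a change, diffs a later snapshot against it, and separates deviations that match an approved change record from those that need investigation.

```python
import hashlib
import json

# Constructed baseline for one hypothetical BES Cyber Asset. The elements
# follow the CIP-010 R1 baseline list (OS/firmware, installed software,
# logical network-accessible ports, applied security patches); every value
# below is made up for this example.
BASELINE = {
    "asset": "substation-hmi-01",
    "os": "Windows Server 2019 build 17763.5329",
    "software": {"ScadaHMI": "4.2.1", "AVAgent": "12.0.3"},
    "ports": [22, 443, 3389],
    "patches": ["KB5034768", "KB5034770"],
}

# Constructed later snapshot of the same asset: an HMI upgrade, a new tool,
# an extra listening port and one more patch.
SNAPSHOT = {
    "asset": "substation-hmi-01",
    "os": "Windows Server 2019 build 17763.5329",
    "software": {"ScadaHMI": "4.3.0", "AVAgent": "12.0.3", "RemoteTool": "1.0"},
    "ports": [22, 443, 3389, 5900],
    "patches": ["KB5034768", "KB5034770", "KB5035849"],
}

# Hypothetical approved change records: (element, item) pairs that change
# management has authorized since the baseline was taken.
APPROVED_CHANGES = {("software", "ScadaHMI"), ("patch", "KB5035849")}


def canonical(config):
    """Serialize a configuration deterministically so that list order and
    dict key order do not change the hash."""
    c = dict(config)
    c["ports"] = sorted(config["ports"])
    c["patches"] = sorted(config["patches"])
    return json.dumps(c, sort_keys=True, separators=(",", ":"))


def baseline_hash(config):
    """SHA-256 over the canonical form: a quick 'has anything changed' check."""
    return hashlib.sha256(canonical(config).encode("utf-8")).hexdigest()


def diff_baseline(baseline, current):
    """Return one record per deviation from the baseline (empty if none)."""
    devs = []

    def record(element, item, before, after):
        devs.append({"element": element, "item": item,
                     "baseline": before, "current": after})

    if baseline["os"] != current["os"]:
        record("os", "os", baseline["os"], current["os"])
    for name in sorted(set(baseline["software"]) | set(current["software"])):
        before = baseline["software"].get(name)
        after = current["software"].get(name)
        if before != after:
            record("software", name, before, after)
    # Symmetric difference: ports/patches present on one side only.
    for port in sorted(set(baseline["ports"]) ^ set(current["ports"])):
        in_base = port in baseline["ports"]
        record("port", port, port if in_base else None, None if in_base else port)
    for kb in sorted(set(baseline["patches"]) ^ set(current["patches"])):
        in_base = kb in baseline["patches"]
        record("patch", kb, kb if in_base else None, None if in_base else kb)
    return devs


def unauthorized_changes(deviations, approved):
    """Deviations with no matching change record: the ones to investigate."""
    return [d for d in deviations if (d["element"], d["item"]) not in approved]


if __name__ == "__main__":
    print("baseline hash:", baseline_hash(BASELINE))
    print("snapshot hash:", baseline_hash(SNAPSHOT))
    for d in diff_baseline(BASELINE, SNAPSHOT):
        flag = "OK  " if (d["element"], d["item"]) in APPROVED_CHANGES else "WARN"
        print(flag, d)
```

Run against the constructed data, the hash comparison says only that something changed; the diff shows four deviations, and only two of them (the HMI upgrade and the new patch) have a change record. The unauthorized remote tool and the new port 5900 are what an assessor, or an attacker's footprint, would look like in the audit trail, which is the case CIP-010 change monitoring exists to catch.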

CIP-011-2: Cyber Security – Information Protection

What you should aim to achieve:

Implement measures to protect BES Cyber System Information throughout its storage, transit, use, retrieval and disposal, so that it cannot be read or altered by unauthorized parties.

Considerations for security systems:

Allow only those essential to the operation of the BES to have access to the system.

Ensure that stored information is encrypted at rest and in transit. Apply least-privilege access controls and require multi-factor authentication for access to the system.

CIP-013-1: Cybersecurity – Supply Chain Risk Management

What you should aim to achieve:

Develop a supply chain cybersecurity risk management plan to identify and assess risks to BES posed by vendor products or services.

Considerations for security systems:

Ensure that every critical vendor supporting the BES has clear cybersecurity practices in place that do not put the BES at risk. Make sure your system providers have no default access to your system without your explicit consent, especially for system-to-system remote access, and that any active vendor remote session can be identified, monitored and terminated. Ask your suppliers how they handle each of these points before you sign.

CIP-014-2: Physical Security

What you should aim to achieve:

Identify and protect critical infrastructure within the BES and implement measures to protect against physical attacks that can lead to power outages.

Considerations for security systems:

Invest in a unified physical security platform that lets you manage CCTV, access control, and perimeter intrusion detection systems together on a single pane of glass. This will give you the ability to have complete visibility into all of your operations and allow you to view all local and remote sites on the same user interface.

Take proactive steps to identify potential intruders on your protected site with solutions that allow you to monitor beyond your fence to pre-classify potential intruder threat levels to reduce nuisance alarms.

SUMMARY

Regulatory changes and evolving security risks make it hard for an infrastructure owner to stay one step ahead. Centralizing operations on a unified security platform helps your team reduce security risk, improve incident response and simplify regulatory compliance.

Greg Kemper is Regional Enterprise Manager at Genetec. He has extensive knowledge of the security industry, with over 25 years of experience in CCTV and access control.