NERC CIP Compliance Version 6 for Network Security.

Cyber security is a tremendous challenge for today’s power grid critical infrastructure. Here are some alarming data points about cyber security threats and vulnerabilities:

• A report in Time covered an investigation by USA Today that analyzed public records, national energy data and records from 50 electric utilities. The analysis revealed that the U.S. national power grid faces physical or online attacks approximately once every four days.
• Admiral Michael Rogers, head of NSA & U.S. Cyber Command, noted in Forbes,
  China and other unnamed nations have “the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure.”
• The Internet of Things (IoT) has reached the energy sector.  It’s the concept of a creating a smarter world where systems with local computing power are connected in order to share data and information – anywhere, anytime. So, for example, customers with solar energy systems in states like California and New Jersey, besides accessing their billing information online have additional connectivity via their own devices to their utility provider’s network to monitor the output, usage and also cost savings of their home solar energy systems. With so many more devices connected to a network, there are now more potential intrusion points for cyber threats – in other words: increased attack surface and cyber vulnerabilities.
• Data breaches are very costly: Security Week reported a simulation by the Cambridge Centre for Risk Studies at University of Cambridge Judge Business School and Lloyd’s of cyber attack on northeast power grid that would cause between $243 billion to more than $1 trillion in economic damage.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards evolved after the Great Northeast Blackout of 2003 that affected over 50 million people. Now there is an urgent and evolving need for more stringent standards to protect the Bulk Electric System (BES) of the North American power grid. NERC CIP v6 is the most recent version of policy guidelines by which critical cyber assets must be protected.

The Challenge: Transitioning to NERC CIP Compliance V6

The challenge for BES networks transitioning to and complying with NERC CIP V6 is multifaceted, requiring:

• More stringent regulations than previous standards regarding policies, Asset Coverage, new Grouping of Cyber Assets (BES Cyber Systems), and Impact Ratings
• Extensive change management processes and sensitive risk analysis
• More auditable evidence for demonstrating compliance
• Violations of compliance costing up to $1 million penalty per day
• Enforcement of security policies across networks supporting today’s BES power grid comprised of multi-vendor, multi-technology heterogeneous IT environments that span physical and hybrid networks, and the cloud
• Application connectivity management for Smart Grid; Dynamic Load Control (DLC) systems; Supervisory Control and Data Acquisition (SCADA) / other Industrial Control Systems (ICS); advanced metering software; load modeling; electric grid monitoring; transmission assessment; risk analysis; and other critical applications for running the utility business
• Develop and implement methods to deter, detect, or prevent malicious code via transient assets, and provide proof of those methods.
• Meet deadlines that significantly vary across NERC CIP versions

Maintaining continuous compliance and network security is extremely challenging in view of  the global cyber threats, approaching deadlines for NERC CIP V6 and the complex, IT environment for today’s power grid that also spans hybrid cloud. The Tufin Orchestration Suite solution provides the essential toolbox for today’s network security challenges and compliance with NERC CIP V6:

• Manage and visualize network Cyber Assets and Cyber Systems through a single pane of glass across the physical and hybrid network, and the cloud
• Control and ensure secure application connectivity across the entire network
• Maintain application-driven network security change automation based on risk assessment
• Reduce the attack surface and mitigate threats of Transient Assets through effective management of network segmentation
• Provide audit-ready evidence on-demand with an automatic audit trail 
• Enforce your security policy inclusive of NERC CIP and other regulatory requirements

• Design, manage and monitor network segmentation through a single pane of glass, across the your hybrid internal network, and the cloud.
• Control and ensure secure application connectivity.
• Maintain application-driven network security change automation based on risk assessment.
• Reduce the attack surface and mitigate threats of transient cyber assets through effective management of network segmentation.
• Provide audit-ready evidence on demand with an automatic audit trail, documenting every firewall and security group configuration change.
• Enforce your security policy inclusive of NERC CIP standards and other regulatory requirements.
• Ensure that any external routable connectivity is secure, documented, and has a valid business justification.

Securing high and medium impact BES cyber systems is a tremendous challenge for today’s Bulk Electric System providers. Here are some alarming data points about cyber security threats and vulnerabilities:

• A report in Time covered an investigation by USA Today that analyzed public records, national energy data and records from 50 electric utilities. The analysis revealed that the U.S. national power grid faces physical or online attacks approximately once every four days.
• Admiral Michael Rogers, head of NSA & U.S. Cyber Command, noted in Forbes,
  China and other unnamed nations have “the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure.”
• The Internet of Things (IoT) has reached the energy sector. It’s the concept of a creating a smarter world where systems with local computing power are connected in order to share data and information – anywhere, anytime. So, for example, customers with solar energy systems in states like California and New Jersey, besides accessing their billing information online have additional connectivity via their own devices to their utility provider’s network to monitor the output, usage and also cost savings of their home solar energy systems. With so many more devices connected to a network, there are now more potential intrusion points for cyber threats – in other words: increased attack surface and cyber vulnerabilities.
• Data breaches are very costly: Security Week reported a simulation by the Cambridge Centre for Risk Studies at University of Cambridge Judge Business School and Lloyd’s of cyber attack on northeast power grid that would cause between $243 billion to more than $1 trillion in economic damage.

The Challenge: Transitioning to NERC CIP v6 Compliance

A single cyberattack on the North American electrical power grid has the potential to cause hundreds of billions of dollars in economic damage. Following the Great Northeast Blackout of 2003, the North American Electric Reliability Corporation (NERC) took the initiative to draft Critical Infrastructure Protection (CIP) standards to prevent such an attack from happening again. The NERC CIP standards have gone through several iterations since then and currently standard at version number six.

The challenge for BES networks transitioning to and complying with NERC CIP v6 is multifaceted, requiring:

• More stringent regulations than previous standards regarding policies, Asset Coverage, new Grouping of Cyber Assets (BES Cyber Systems), and Impact Ratings
• Extensive change management processes and sensitive risk analysis
• More auditable evidence for demonstrating compliance based on violation severity levels
• Enforcement of security policies across networks supporting today’s BES power grid comprised of multi-vendor, multi-technology heterogeneous IT environments that span physical and hybrid networks, and the cloud
• Assurance that reliability standards will be met or exceeded
• Application connectivity management for Smart Grid; Dynamic Load Control (DLC) systems; Supervisory Control and Data Acquisition (SCADA) / other Industrial Control Systems (ICS); advanced metering software; load modeling; electric grid monitoring; transmission assessment; risk analysis; and other critical applications for running the utility business
• Identification of high-impact BES cyber systems as defined in requirement R1
• Develop and implement methods to deter, detect, or prevent malicious code via transient assets, and provide proof of those methods.
• Continuous authentication limitations since stolen credentials is a top attack vector; need to balance IAM initiatives with network security policy automation initiatives
• Response planning, due to fragmentation of processes and visibility. For example, incident response teams getting network connectivity intelligence for incident triage.
• Meeting deadlines that significantly vary across NERC CIP versions

Continuous Compliance Automation

Tufin provides the responsible entity with the essential toolbox for today’s cyber security challenges and compliance with NERC CIP standards. It helps you maintain continuous compliance for NERC CIP V6 across complex network environments by centralizing your visibility and control. By automating policy-based change management and policy optimization you are able to maintain a single audit trail and ensure policy adherence.

Facilitating CIP-002-5 Compliance with Centralized Network Segmentation Policy Automation

Tufin includes powerful network segmentation tools that help utilities reduce cyber risk and mitigate damage in the event of a cyberattack, protect BES cyber assets, and reduce risk exposure associated with transient assets. Tufin’s NERC segmentation template can be used for whitelisting and blacklisting to protect your BES network.

Tufin’s unified security policy management matrix allows uses your enforcement point configuration data to document a global security policy within an at-a-glance view. Within this dashboard you can refine your segmentation policies and build out new, more advanced segmentation policies. Then you can push those configuration changes out to firewalls and security groups.

Control Bulk Electric System (BES) security from a single console.

Tufin centralizes firewall management across on-premises and cloud, enabling utilities to control and secure application connectivity across their network including dynamic load control systems, industrial control systems, advanced metering software, load modeling, electric grid monitoring, transmission assessment, risk analysis, and other critical applications.

Gain security visibility across all networks.

Modern BES cyber systems are comprised of multi-vendor, multi-technology firewalls and other security products that are complex to manage and often provide a fragmented view of security. Tufin solutions provide deep network visibility across heterogeneous networks that includes on-premises, cloud, and hybrid network configurations, facilitating cyber risk management.

Ensure continuous compliance with NERC CIP standards.

NERC CIP standards are constantly evolving to meet the shifting threat landscape posed by new forms of cyberattacks and new technologies such as IoT-connected devices. Tufin helps utilities continuously update and consistently enforce security policies to meet the latest NERC CIP standards. With Tufin, utilities can quickly develop and implement new security rules to deter, detect, and prevent malicious code and other cyber attacks including those transmitted through transient assets.

Create audit reports on demand.

NERC CIP compliance standards now require that utilities report on any attempts to compromise their infrastructure. Tufin technology automatically generates audit trails to demonstrate NERC CIP compliance on demand, helping you meet tight deadlines and avoid high penalties.