NERC’s CIP-008 standard aims to mitigate reliability risks resulting from a Cyber Security Incident by specifying incident response requirements. Newly proposed revisions would augment mandatory reporting to include incidents that compromise, or attempt to compromise, a utility’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).
CIP-008-6 raises the security and compliance bar significantly by requiring utilities to develop and implement new and more detailed Cyber Security Incident response plans. These new plans will provide a course of action for utilities to detect incidents that affect cyber systems, minimize loss and destruction, mitigate exploited weaknesses and help restore capabilities. CIP-008-6 will require:
- Reporting of Cyber Security Incidents that compromise or attempt to compromise a utility’s ESP or associated EACMS.
- New processes and procedures to report:
- The functional impact, where possible, that the Cyber Security Incident attempted or achieved;
- The attack vector that was used to attempt or achieve the Cyber Security Incident; and
- The level of intrusion that was attempted or achieved as a result of the Cyber Security Incident.
- Certain minimum and specific reporting information to improve quality and allow for ease of comparison.
- Implementation, testing and maintenance of incident response plans.
- Mandatory reporting to NERC and government organizations including the Electronic Information Sharing and Analysis Center (E-ISAC) and the National Cybersecurity and Communications Integration Center (NCCIC) to facilitate data exchange and better detect and respond to multiple attacks on utilities.
The modifications proposed in CIP-008-6 address FERC concerns that current reporting requirement under CIP 008-5 may understate the true scope of cyber-related threats facing the Bulk Electric System because reporting is required only for incidents that have actually compromised or disrupted one or more reliability tasks.
NERC guidance provides an example of how a utility could define an “attempt to compromise” as an act with malicious intent to gain access or to cause harm to normal operation of a Cyber Asset. Some criteria could be:
- Actions that are not an attempt to compromise an applicable Cyber Asset/System electronically are:
- A utility’s own equipment scanning a Cyber Asset for vulnerabilities or to verify its existence, that is performed on demand or on an approved periodic schedule.
- Broadcast traffic as part of normal network traffic. A firewall may block and log this traffic, but it does not have malicious intent.
- Attempts to access a Cyber Asset by an authorized user that have been determined to fail due to human error.
- Actions that are an attempt to compromise an applicable Cyber Asset/System electronically are:
- Scanning a Cyber Asset for vulnerabilities or to verify its existence that is not approved by the utility’s management nor processes. This could be from a utility’s own equipment due to an upstream compromise or malware.
- Attempts to access a Cyber Asset by a user that fails due to not being authorized and intending to gain access where no approval has been given.
- Attempts to escalate privileges on a Cyber Asset by an authorized user that has been determined to fail due to not being authorized for that privilege level.
Next Steps
The proposed CIP-008-6 standard has been developed in conjunction with extensive implementation guidance and presents a substantial challenge for utilities to implement.
Once CIP-008-6 is approved, utilities will have to quickly evaluate attacks and determine what is reportable. They will also have to define what constitutes “an attempt to compromise” and change internal processes to document the criteria they plan to use. Additionally, there will be time constraints on reporting which may be challenging to meet.
Utilities should not wait to address these proposed changes. Cyber security standards are only the minimum required to stay ahead of threats. It is important to be well informed of the NERC regulatory framework to ensure compliance.
TRC can provide an independent review of your company’s plans to establish compliant internal processes and controls to meet the proposed NERC Standard and related guidance.
Resources
- NERC CIP-008-6 Project Page
- NERC CIP-008-6 Standard-redline to CIP-008-5
- NERC CIP-008-6 Implementation Guidance
- NERC Petition to FERC for Approval of CIP-008-6
- TRC Regulatory Compliance Solutions
This regulatory update is a service to TRC’s utility clients, helping keep you informed of issues that impact your company’s electric system security risks along with related topics regarding future regulatory developments to help you achieve your company’s business goals.
TRC Contacts: