Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

NERC CIP-008-6: How Power Grid Operators Can Improve Their Incident Reporting

NERC CIP-008-6: How Power Grid Operators Can Improve Their Incident Reporting

The new NERC CIP-008-6 regulation challenges power grid operators to differentiate attempts to compromise their environment from other non-malicious cyber incidents. Here’s how Tenable can help.

For more than a decade, regulatory agencies and computer security incident response teams (CSIRTs) encouraged organizations to responsibly share information on cybersecurity incidents and raise the community’s overall preparedness to manage cyberthreats. The latest example includes new requirements by the Federal Energy Regulatory Commission (FERC) that require bulk power system (BPS) utilities to report attempts to compromise their infrastructure and operations. The exact requirements, which became mandatory on Jan. 1, 2021, are defined in NERC CIP 008-6.

While the intention behind these new regulations is to raise the cyber resilience of the power grid and facilitate effective response to major security events, they also introduce two main challenges for responsible entities:

  1. Technically, how to correctly differentiate attempts to compromise the environment from human errors and routine events?
  2. Procedurally, how to achieve the above with minimal bureaucratic burden on already stretched-thin cybersecurity professionals?

Tenable’s approach to the new NERC CIP requirements mirrors our handling of other regulatory requirements. Security solutions purpose-built for operational technology (OT) environments should make it as easy and automated as possible for users to identify, triage and report incidents to authorities as required. Here are three aspects of Tenable’s OT security solution that can help streamline compliance for the power grid industry.

Policy-based detection streamlines compliance efforts

Tenable.ot’s policy-based detection is a deterministic, flexible and transparent engine in which customers express their network security rules as policies with a custom level of granularity. As a result, security teams can be alerted to every deviation from these policy rules. This is the ideal method to meet the requirements by NERC CIP to “have a process that includes criteria to evaluate and define attempts to compromise and to determine if an identified Cyber Security Incident is a reportable cyber incident or an attempt to compromise...” (extracted from CIP-008-6, Table R1, part 1.2).

When using policies in Tenable.ot, users can quickly establish communication alerts ranging from specific OT configuration commands to reads and writes of tags or anomalous traffic in any IT protocol. Furthermore, these alerts can be categorized by asset groups, network segments, specific time windows and other specifications. For example, if a certain group of substation controllers has a specific time window when changes are allowed, and those changes are only permitted through proprietary configuration protocols and by a closed list of engineering stations or subnets, these rules can be configured in less than a minute in Tenable.ot.

Setting user-specific policies acts like a safety net for our customers, defining the baseline for healthy operations and ensuring that no anomaly goes unnoticed. This set of policies can be exported and shared with any third-party stakeholder, providing a clear and immediate understanding of the measures taken to adhere to the regulatory requirements.

Figure 1: The policies tab in the Tenable.ot interfaceScreenshot of policies tab in Tenable.ot

Threat landscape intelligence distinguishes malicious attacks from user anomalies

In some cases, policies can be set to alert on incidents that clearly indicate the existence of malicious intent. But in many other cases, analysts face uncertainty about the origin or cause of the alert and must look for additional information that can suggest malicious intentions.

When considering the network assets that are involved in a suspected incident, Tenable.ot users have at their hand the most recent threat intelligence as reflected in the Vulnerability Priority Rating (VPR), which incorporates parameters such as threat source, intensity and recency. Taking these parameters into consideration may provide the otherwise missing link in differentiating between operational anomalies and malicious attempts to compromise, a distinction that is the essence of the new additions to NERC CIP-008-6.

Figure 2: Attack vector simulation in the Tenable.ot interfaceScreenshot of attack vectors in Tenable.ot

Unified IT-OT attack simulation protects critical network segments

Among the many cybersecurity tools available for identifying suspicious incidents, those with a unified view of both IT and OT environments have an advantage when it comes to correctly identifying attempts to compromise. Understanding possible attack vectors that stem from weaknesses in the IT environment is key for correctly assessing incidents, as previous attacks and proofs of concept teach us. Without such a broad view, OT engineers might miss essential pieces of the puzzle regarding the origin of their alerts. Similarly, IT security analysts might be blind to the consequences on the OT side of indications they witness and dismiss as non-events.

Addressing this gap is at the heart of Tenable’s efforts over the last year. Several new layers of integration are now available: Reflecting OT findings in enterprise-level applications (Tenable.io and Tenable.sc), unifying IT and OT vulnerability detection technology, and leveraging Nessus as part of Tenable.ot to best identify vulnerabilities in IT assets in the OT environment.

Figure 3: Unified IT-OT dashboard in Tenable.sc
Screenshot of unified IT-OT dashboard in Tenable.sc

Summary

OT security professionals face increasing regulatory requirements for reporting cyber incidents, with the energy sector leading the way. Reporting attempts to compromise the grid requires highly skilled cybersecurity analysis, ready access to the data you need and clear reporting procedures. Tenable.ot, as part of the Tenable suite of security products, has exactly what it takes to identify cyber incidents and help categorize them as actual attacks, attempts to compromise, human errors or routine events.

For more information on how Tenable can help strengthen grid security, download our Guide to Compliance with NERC CIP Standards.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a Demo

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Request a Demo

Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.