
Three Key Ways to Ensure NERC Compliance: The $10 Million Wake Up Call

In January 2019, the North American Electric Reliability Corporation (NERC) fined Duke Energy $10 million for 127 Critical Infrastructure Protection (CIP) and other security violations that occurred between 2015 and 2018.

Most of us expect our energy resources to be as reliable as the sun coming up tomorrow. 

To have that reliability, the energy delivered to our homes, offices and other places needs an electrical utility that operates flawlessly and without failure. 

But many people don’t realize that utilities and other mission-critical operations are ground zero for potential attacks by nation states, rogue factions and, in some cases, even employees with privileged access to those facilities.

Attacker Motives

Attackers have a variety of motives for taking an electrical grid offline. These can vary from accidental actions to revenge or terrorism. 

No matter the motive, attackers need minimal resources to launch an attack, and taking the grid offline can cause havoc. 

In 2003, the northeastern United States plunged into a blackout. When overhanging foliage disrupted electrical transmission lines, a software glitch prevented the safeguards that should have redistributed the load from tripping. The resulting cascade caused an outage at 508 facilities that generate power and 265 facilities that distribute power.

Since that incident, safeguards and minimum thresholds have been put in place and enforced as standards. For example, the North American Electric Reliability Corporation (NERC) has a stated goal to “assure the effective and efficient reduction of risks to the reliability and security of the grid.” NERC created guidelines to help ensure the reliability of electrical distribution across the vast areas it serves. 

The introduction of these guidelines in 2016 did not come too soon. An attack on a Ukrainian electric utility, which involved the Industroyer malware (aka CrashOverride), and an incident at a Middle Eastern oil and gas refinery, in which attackers used TRISIS malware to exploit a Triconex Safety Instrumented System, underscore the growing threat of cyberattacks on critical infrastructure.

While there have not been many penalties for failure to comply with the NERC guidelines, in January 2019 the Wall Street Journal reported that NERC fined Duke Energy $10 million for 127 Critical Infrastructure Protection (CIP) and other security violations that occurred between 2015 and 2018. This is more than triple the previous largest fine NERC levied against an organization. 

Many news agencies covering this story cited the interconnectivity and interdependence of grid providers as a clear and present danger that needs to be addressed head on. Specifically, when one provider does not fully comply with the published guidelines, it becomes the weak link in the chain for every other provider connected to it. 

So what should utilities and energy providers do to make sure they meet minimum NERC standards? While this is not an exhaustive list, below are three key areas to help comply with NERC standards:

  1. Ensure you can identify and classify the Bulk Electric System (BES) assets in your OT environment. A cardinal principle of cybersecurity states: “You can’t secure what you don’t know exists.” To secure your control systems, as well as to comply with NERC CIP, you first need to know what you have. For example, deploy ICS security technology that automatically discovers and maps all of your ICS devices (even dormant ones) and keeps an up-to-date inventory of these assets. This includes operator and engineering workstations, controllers (PLCs, RTUs and DCS controllers) and other devices.
  2. Deploy consistent and sustainable security controls that protect your BES and safeguard against misoperation. Alerts on unauthorized ICS access and activity enforce your security management policies, and the resulting audit trail helps generation owners and operators establish responsibility and accountability, as well as prevent malicious or erroneous activities that could lead to plant misoperation or instability.
  3. Manage system security by specifying select technical, operational and procedural requirements that protect BES cyber systems against compromise that could lead to BES misoperation or instability. This can be accomplished by deploying an ICS security system that detects both rule violations and anomalous behavior. Such a system should be able to detect malicious activity on your network and devices, including malware propagation, abnormal communications, network attacks on controllers and direct attacks via connected compromised laptops. Alerts then let your security staff mitigate threats before they lead to misoperation or instability. 
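The three areas above map onto one small pipeline: an asset inventory, a rule check on who may write to controllers, and an anomaly check against a communication baseline. The following is an added example, not code from the original post or from Tenable; the inventory, the log format and all addresses are constructed for illustration.

```python
import re

# Constructed asset inventory (step 1): what exists on the ICS network and what role it plays.
# Roles follow the device classes named in the post; all values are hypothetical.
INVENTORY = {
    "10.1.1.10": {"name": "eng-ws-01", "role": "engineering_workstation"},
    "10.1.1.20": {"name": "hmi-01", "role": "operator_workstation"},
    "10.1.2.30": {"name": "plc-feeder-3", "role": "plc"},
    "10.1.2.31": {"name": "rtu-sub-7", "role": "rtu"},
}
CONTROLLER_ROLES = {"plc", "rtu", "dcs_controller"}
WRITE_FUNCS = {"write_register", "write_coil", "download_logic"}
# Conversations observed during a learning period (constructed baseline for step 3).
BASELINE = {("10.1.1.10", "10.1.2.30"), ("10.1.1.20", "10.1.2.30"), ("10.1.1.20", "10.1.2.31")}
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) func=(\S+)")

def parse_event(line):
    m = LINE_RE.search(line)
    return dict(zip(("src", "dst", "proto", "func"), m.groups())) if m else None

def discover_assets(events, inventory):
    """Step 1: any address seen on the ICS network but missing from the inventory is a gap."""
    seen = {e[k] for e in events for k in ("src", "dst")}
    return sorted(seen - inventory.keys())

def evaluate(events, inventory, baseline):
    """Steps 2 and 3: rule violations (who may write to controllers) and anomalies (new pairs)."""
    alerts = []
    for e in events:
        dst = inventory.get(e["dst"], {})
        src = inventory.get(e["src"], {})
        if dst.get("role") in CONTROLLER_ROLES:
            if not src:  # unknown device talking to a controller
                alerts.append(("UNKNOWN_SOURCE_TO_CONTROLLER", e["src"], e["dst"]))
            elif e["func"] in WRITE_FUNCS and src["role"] != "engineering_workstation":
                alerts.append(("UNAUTHORIZED_WRITE", e["src"], e["dst"]))
        if (e["src"], e["dst"]) not in baseline:  # conversation never seen in the baseline
            alerts.append(("NEW_CONVERSATION", e["src"], e["dst"]))
    return alerts

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2019-01-15T10:02:11 src=10.1.1.20 dst=10.1.2.30 proto=modbus func=read_holding
2019-01-15T10:02:15 src=10.1.1.20 dst=10.1.2.30 proto=modbus func=write_register
2019-01-15T10:02:40 src=10.1.1.99 dst=10.1.2.31 proto=modbus func=read_holding
2019-01-15T10:03:01 src=10.1.1.10 dst=10.1.2.31 proto=dnp3 func=download_logic
"""

def run(log=SAMPLE_LOG):
    events = [e for e in (parse_event(l) for l in log.splitlines()) if e]
    return discover_assets(events, INVENTORY), evaluate(events, INVENTORY, BASELINE)
```

In the sample, the operator workstation writing to a PLC is a rule violation even though that pair is in the baseline, while the engineering workstation's logic download is allowed by role but flagged as a conversation not seen before.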

NERC’s enforcement of security guidelines should be viewed as a minimum-level security blueprint to help raise the tide and lift the security posture of all electrical and utility providers. 

Learn more

Download this white paper to learn more about the NERC-CIP dashboards and reports available in SecurityCenter Continuous View.
