NERC CIP Standards for Threat Visibility & Detection for Critical Infrastructure

Vulnerability of Critical Electricity Infrastructure
Apr 18, 2022 12:00 PM ET

Keysight Blog

By Gail Ow, Sr. Industrial Solutions Manager

Grid modernization has created an explosion of network-connected equipment, exposing utilities to a wide range of potential threats from nation states, criminals, disgruntled employees, and accidental misconfiguration (which happens far more often than you might think). The problem isn’t ‘grid modernization’ per se, but the ‘explosion of network-connected equipment’, including SCADA equipment, which is exposing previously air-gapped industrial control systems to the internet.

The Energy sector is particularly vulnerable to cyberattack because its core cybersecurity strategies have grown outdated: using SPAN ports to direct bulk network data to security analysis systems, and relying on physical air gaps to separate the Operational Technology (‘OT’) network from the rest of the enterprise network.

When a person carried a cyber worm known as ‘Stuxnet’ into a physically air-gapped facility in 2010, it became obvious to the world that new cybersecurity strategies were needed.

NERC CIP

Soon, Critical Infrastructure operators will be expected to deploy threat visibility and detection technologies to support their incident response and recovery capabilities, as well as to provide greater information-sharing potential. This is one of several recent initiatives from the United States federal government to address: 1) threat detection and monitoring; 2) incident response and recovery; 3) information sharing; and 4) supply chain security. The Energy Sector is already subject to multiple NERC CIP standards, so this isn't unexpected.

The North American Electric Reliability Corporation (NERC) is a regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC’s jurisdiction includes users, owners, and operators of the Bulk Electric System, which serves nearly 400 million people.

The NERC Critical Infrastructure Protection (CIP) standards include regulatory elements that make collecting and archiving network traffic more important than ever before. NERC CIP Standards require utilities to monitor network traffic data at the control center, the plant, and the substation. Utilities are subject to regular NERC Compliance audits and must also regularly conduct vulnerability assessments.

Network TAPs vs SPANs

Threat detection and monitoring begins with the addition of network TAPs in power plants and substations at multiple levels of the SCADA network. TAPs give OT personnel and network managers secure and ready access to data from critical infrastructure systems without adding to the compliance footprint or requiring network changes. TAPs provide a vital, non-invasive, network-friendly means to monitor and examine large quantities of network traffic. Unlike SPAN ports, TAPs place no load on the network, ensure that no packets are dropped, leave the timing of frame interactions unchanged, and do not waste valuable analysis resources on duplicate packets.

Once TAPs are installed, Network Packet Brokers (NPBs) can capture, filter, aggregate, regenerate and efficiently route network traffic to security tools for inspection and incident response, creating a tightly integrated, compliant security solution for utilities. Because Keysight’s TAPs and NPBs capture all the network packets (not just representative sample data), they create a complete historical archive of the required data to meet strict NERC audit requirements.
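As an added illustration (not Keysight's code and not part of the original post), the Python below shows what a packet broker's deduplication stage does to a SPAN feed that has mirrored both directions of a link: identical frames arriving within a short window are collapsed, while an identical frame seen well outside the window, such as a repeated SCADA poll, is kept. The frames are constructed sample bytes and the window length is an assumption.

```python
import hashlib
from collections import deque

# Constructed sample frames as (timestamp_seconds, raw_bytes); not real captured traffic.
# Pairs 1-2 and 3-4 model one Modbus/TCP request and response, each mirrored twice by a
# SPAN session that copies both ingress and egress. The last frame repeats the first
# poll two seconds later, which is normal OT polling behaviour and must survive.
SAMPLE_FRAMES = [
    (0.0000, b"\x02\x00\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    (0.0001, b"\x02\x00\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),   # SPAN duplicate
    (0.0020, b"\x02\x00\x00\x00\x00\x17\x01\x03\x14" + bytes(20)),
    (0.0021, b"\x02\x00\x00\x00\x00\x17\x01\x03\x14" + bytes(20)),   # SPAN duplicate
    (2.0000, b"\x02\x00\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),   # legitimate repeat
]


def dedup_frames(frames, window_s=0.001):
    """Drop repeated copies of a frame seen within window_s seconds of the first copy.

    A short window (assumed 1 ms here) is essential: SCADA protocols repeat byte-identical
    polls every few seconds, so a long window would silently discard real traffic and
    leave a hole in the archive an auditor expects to be complete.
    Returns (kept_frames, dropped_count).
    """
    recent = deque()        # (ts, digest) of frames still inside the window
    in_window = {}          # digest -> ts of the copy that was passed through
    kept, dropped = [], 0
    for ts, raw in frames:  # frames are assumed to be in timestamp order
        digest = hashlib.sha256(raw).digest()
        # Expire entries that have aged out of the window.
        while recent and ts - recent[0][0] > window_s:
            old_ts, old_digest = recent.popleft()
            if in_window.get(old_digest) == old_ts:
                del in_window[old_digest]
        if digest in in_window:
            dropped += 1    # a mirrored copy of a frame already forwarded
            continue
        in_window[digest] = ts
        recent.append((ts, digest))
        kept.append((ts, raw))
    return kept, dropped


def duplicate_ratio(frames, window_s=0.001):
    """Fraction of frames that were SPAN duplicates; a high value on a feed
    suggests the SPAN session is mirroring both directions of the same link."""
    if not frames:
        return 0.0
    return dedup_frames(frames, window_s)[1] / len(frames)
```

Running `dedup_frames(SAMPLE_FRAMES)` keeps three frames and drops two, so `duplicate_ratio` reports 0.4 for this constructed feed.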

Download this white paper to learn more about the use of TAPs or SPANs for threat visibility, and how installing network TAPs can help meet NERC CIP compliance where SPANs might not.
