Page 15 - Cyber Warnings
FERC’s Delaying of NERC CIP V5 Implementation Reinforces Need for Strong Cybersecurity Culture
By Doug Wylie, CISSP
Last week, the Federal Energy Regulatory Commission (FERC) granted a motion to postpone implementation of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) V5 Standards from April until July 1, 2016. Ted Gutierrez, the industrial control systems (ICS) & NERC CIP Product Manager at the SANS Institute, conceded that the announcement was indeed “a head-scratching move from FERC,” as the implementation of V5 is now delayed to coincide with the unveiling of the V6 standards. As such, facility owners and operators may choose to disregard V5 implementation, despite the financial penalty, and opt instead to prepare for the V6 standards.
In November 2013, FERC approved Version 5 of NERC CIP, and the requirements to which owners and operators were to conform were supposed to become enforceable beginning in April of 2016. Version 5 represents the most material change in requirements in more than 10 years, which reflects both the expanding threat landscape and the progress achieved in mitigating cyber risks to the electric grid. Most notably, penalties for noncompliance can include a fine of up to $1 million per day per violation.
The NERC CIP V5 standards significantly broaden the scope of the systems protected: all facilities that meet the definition of bulk electric system (BES) will now be subject to the regulations. This part of the mandate, in particular, represents a major step forward in securing the integrity of American power and utilities, and it is especially important following confirmation that a malware attack crippled the Ukrainian power grid and reports that Japan’s critical infrastructure is under repeated attack.
The current CIP standards, Version 3, cover only those power facilities that their owners or operators have determined to be critical assets. Because of this optionality and the difficulty of making that determination, many facilities chose not to position themselves as critical in order to avoid the compliance obligations. With Version 5, however, every BES facility will be subject to at least some requirements.
One of the primary additions in NERC CIP V5 is the requirement that BES facilities continuously monitor their network communications, which is something our Sophia product can help with. NERC CIP V5 also mandates that systems have one or more methods for detecting malicious communications, such as an intrusion detection system or an application-layer firewall. Methods to deter, detect and prevent system penetration by malware, attack scripts and exploit frameworks are required by NERC CIP V5 as well. In addition to more proactive detection and mitigation of threats, facility owners and operators will also be required to log cybersecurity incidents from initial identification, through remediation, all the way to the post-event investigation.
15 Cyber Warnings E-Magazine – March 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide