Our new Biannual ICS Risk & Vulnerability Report is the most up-to-date look at CVEs disclosed in OT devices.
Check it out!
New FERC Mandate Reinforces Need for BES Network Security Monitoring
By Grant Geyer | Feb. 1, 2022
As a result of long technology depreciation periods and a historical lack of appreciation for cyber security design standards of operational technology assets, many cyber-physical systems supporting critical infrastructure are vulnerable to disruption from a cyberattack. These gaps are an all-too-attractive target for bad actors who desire to target critical infrastructure sectors like the bulk electric system (BES). Cybercriminals have begun using ransomware to extort critical sectors for millions in ransom demands—the number of attacks has risen 3900% since 2013—and as evidenced by the 2016 and 2017 attacks against Ukraine’s power, these insecure infrastructures also represent an opportunity for geopolitical power projection by nation-states.
While historically, cyberattacks’ goal was focused primarily on the exfiltration of data or funds, they now represent an existential threat to physical safety. What’s becoming all too clear is that cyber-physical systems must be secured for all connected organizations—whether it’s the water we drink, the fuel for our cars, the electricity that powers our homes, or the medical devices that keep us alive. Many of these cyber-physical systems were not designed with security in mind, and as connectivity increases, asset owners are challenged to keep up with asset visibility, protection, and threat detection.
As a result of the high-profile critical infrastructure attacks in 2021 and many years of governmental hesitancy to establish red lines for acceptable and unacceptable cyber standards on the world stage, the Western world is facing the reality that national critical infrastructures are a new Wild West. In response, cyber-sprints and mandates for digital risk mitigation are happening constantly to shore up significant cyber gaps.
FERC Updates Reliability Standards
Last week, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NPRM), ordering the North American Electric Reliability Corporation (NERC) to develop new or updated reliability standards. Those standards, according to the NPRM, would “require network security monitoring internal to a Critical Infrastructure Protection (CIP) networked environment (Internal Network Security Monitoring or INSM) for high and medium impact Bulk Electric System (BES) Cyber Systems.”
According to the NPRM, all of this “is designed to address situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk to a high or medium impact BES Cyber System.” Currently unaddressed by the CIP Reliability Standards, “NERC has recognized the proliferation and usefulness of network monitoring technology on the BES.” This goes back to the Compliant Monitoring and Enforcement (CMEP) Practice Guide developed earlier this month in response to the Department of Energy’s 100-day sprint.
The three security objectives that are intended to be met by these new rules are outlined: (1) a baseline for network traffic must be established by each responsible entity; (2) responsible entities should monitor for and detect unauthorized activity within the CIP network environment trust zone; and (3) logs and records should be kept by responsible entities for responding to incidents.
FERC’s new requirements for network security monitoring and vulnerability monitoring for bulk electric networks reinforce the importance of understanding the electric industry’s exposure to vulnerabilities.
Visibility is Paramount
Of course, it’s all easier said than done. Potential challenges–cost, availability of resources, and compliance–must be addressed to determine whether the security objectives are enough. On top of that, a reasonable time frame to develop and implement standards for software, hardware, and staff must be determined.
With new regulations mandating network security monitoring and vulnerability detection, it’s important to evaluate and consider products that provide visibility into assets, sessions, and processes. These tools must provide trustworthy and accurate information into vulnerabilities in order for leadership to make informed decisions about their connected networks. These solutions can empower networks to reveal and protect their Extended IoT assets, detect and respond to the earliest indicators of threats, and seamlessly extend their existing enterprise security and risk infrastructure and programs to harden their industrial networks.
Monitoring the Trust-Zone
As articulated in the NPRM, the focus of this notice is around network security monitoring inside of a trust-zone. This implies that the BES cybersystems have been well-segmented from less secure zones. As a result of inadvertent architectural decisions or misconfigurations, trust-zones may inadvertently have exposure to less secure zones of the organization. In addition to the value that network security monitoring tools can provide to spot anomalies or attacks in environments, many capabilities that are operationalized effectively can spot expected communications to less secure zones or, in some cases, even to the Internet.
As digital transformation initiatives and the expansion of remote workforces continue to transform enterprises, causing once-isolated operational technology (OT) environments to become interconnected with their information technology (IT) counterparts, there is a rise of converged IT/OT industrial networks with complex and expanded attack surfaces that IT security teams are increasingly responsible for protecting.
Critical infrastructure sectors across industrial, healthcare, and enterprise need visibility, protection, and threat detection for their XIoT assets, in order to connect confidently to the Internet and seamlessly provide critical services to ensure public safety and national security.