The Data on Your Field Devices – How to Secure It and Comply with NERC CIP Requirements
At the core of cyber security is information security, i.e., protecting sensitive information. Why is this important in the electric grid context?
Sophisticated attacks such as the Ukraine attack have a long information-gathering phase: the attackers perform reconnaissance and try to understand the system in order to identify and target the highest impact assets. In recognition of this, the NERC CIP-011-2 standard has requirements pertaining to information protection, which directs electric utilities to identify Bulk Electric System (BES) Cyber System information and protect them during storage, transit, and use.
Utilities have become highly competent in protecting the data in control centers and corporate domains. This has been achieved by the development of strong data governance and control practices and the deployment of innovative Data Loss Prevention (DLP) technologies. However, a weak link remains: the data in the field.
The laptops and tablets used for field activities such as testing and maintenance of assets have been under close scrutiny of late, due to the NERC CIP Transient Cyber Asset (TCA) requirement that went into effect April 1, 2017. The TCA requirement (NERC CIP-010-2 Requirement R4) was developed in response to FERC’s concern that transient field devices move between electronic security perimeters and could spread malware across BES Cyber Systems. The NERC CIP TCA requirement is focused on malware propagation.
An overlooked and equally important concern is the security of the information on and accessible by these transient devices. For instance, the transient cyber devices you use to work with protective relays can contain relay settings, network connectivity information, and login credentials.
Sophisticated attackers often develop custom malware or repackage existing malware so that the malware signature isn’t known to anti-virus programs. If such a malware infects a field device, it can potentially obtain and transmit sensitive data about the BES Cyber Assets (BCAs). This information is extremely useful to the attacker in the development and execution of an attack against the BCAs.
The security measures that would satisfy these requirements in a corporate setting are mature and well understood. While some of these same measures are helpful, such as encrypting the data, most aren’t readily applicable to field devices.
So how do we protect information on the field devices?
- Implement strong encryption scheme, such as full-disk encryption with pre-boot authorization, in order to ensure that information from the device cannot be extracted even if the attacker has physical access to the device.
- Restrict communication capability so that they can only communicate with the private databases and servers needed to manage the data and the devices. This prevents any information from these devices from being sent to an attacker. A key implication of this is that the field devices cannot be used as general-purpose computers.
- Regularly purge sensitive information from the field devices so that the intelligence obtained from it is minimal and incomplete.
- Put in place a field device management program that is able to track all the field devices and help identify unusual activity such as not reporting in for an extended period of time.
Doble is helping utilities implement NERC CIP compliant testing programs that protect their transient cyber assets and the data on them. Our approach includes strong multi-layered information security measures on top of device security measures.
A common impediment with information security measures is that they generally make it more difficult for legitimate users to access the information as well. Doble’s extensive testing experience and keen understanding of industry workflows have helped ensure that the information security measures are designed to aid the work, not obstruct it. For instance, delivering test plans and test settings automatically to the field device improves work efficiency. It also improves security by eliminating the need to use USB flash drives or access websites in order to obtain this information.
Additional Resources:
- NERC Glossary of Terms
- NERC Standards and Effective Dates
- Analysis of the Cyber Attack on the Ukrainian Power Grid
- NERC CIP-010-2 Requirement R4 for Transient Cyber Assets and Removable Media
- NERC CIP-011-2 Information Protection
- Blog Post: Cyber Security Regulations are Changing – Is Your Testing Program Ready?
- Blog Post: The Deadline is Here: Are Your Laptops and Tablets Ready for New Cybersecurity Regulations?