Over fifteen years ago, the Federal Energy Regulatory Commission (FERC) certified the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization, giving it the authority to develop and enforce mandatory reliability standards that support a consistent supply of electricity across North America. Over those 15+ years the requirements have evolved (some would argue too slowly, others too quickly) to cover a wide range of risks and obligations necessary to maintain the power grid, including the Critical Infrastructure Protection (CIP) standards that this article focuses on.

This article is not intended as a comprehensive analysis or summary of every implication of the regulations, nor as a true “best practices” set of recommendations. Instead, it is offered in the spirit of sharing lessons and observations with the community as it pursues its mission of securing our continent’s most critical infrastructure. For brevity and feasibility, it focuses on the evolution of cyber security under CIP and the observations drawn from it, rather than a holistic view across all CIP requirements.

First, to get it out of the way: our belief is that while NERC CIP may have created some inefficiencies, on the whole it has built a very strong foundation of cyber security capabilities and a mindset that recognizes and weighs these risks. Obviously, it is impossible to construct the counterfactual of where the North American grid would be without NERC CIP. But impressions can be drawn from other geographies where NERC CIP was not present, as well as from industries outside the power sector. By that comparison, North American grid operators on average have a deeper understanding of the critical risks to their operations and a stronger security foundation than their peers in other geographies or industries. We are not here to debate whether that maturity could have been achieved more efficiently. The point is that the starting point in 2023 is much stronger than in industries that were not regulated in a similar manner.

The questions for today (rather than re-litigating whether there was a more efficient approach) are 1) what the power sector can do going forward to protect itself efficiently and effectively, and 2) what other sectors and geographies can learn from this experience to accelerate their own security journeys.

Observations for the power sector:

Driving greater efficiency in the compliance process.

All power companies under NERC CIP regulation need to focus on continually driving cost and time out of their compliance efforts. They have built entire organizations to manage compliance, and those costs are passed on to the rate base or to shareholders. The risk is that the initial compliance approaches become ingrained as the status quo, where any change is questioned and processes solidify without innovation.

There is a great opportunity for power companies to drive innovation in their compliance efforts. After 15+ years, it is time for organizations to take a fresh look at the accepted beliefs and processes they rely on and ask whether technology, automation, and new mindsets could deliver greater cost-effectiveness as well as better outcomes. Several ideas are worth considering in this area; they are only starting points for a more comprehensive strategic review and the application of innovation principles to this somewhat staid world.

  • Re-assess the technologies currently used to see whether newer technologies could offer significant procedural cost reduction. These may include emerging hardware/software solutions that simplify the complexity of managing External Routable Connectivity (ERC) to BES Cyber Systems, software that automates more of the genuinely complex patch management process (the CIP-007 cycle of tracking patch sources, evaluating applicability, and applying or mitigating), and Software Bill of Materials (SBOM) tooling that can accelerate and lower the cost of the supply chain risk management required under CIP-013.

Often, risk aversion creates barriers to change: “Our process is built this way and relies on a history with certain technologies. To change it would mean changing processes, which is hard and risky.” That stance locks in the current operational cost structure with limited innovation. The cost of compliance has now reached a level at which organizations need to question this assumption and test new approaches that could take 20%+ out of these costs.

  • Apply “lean principles” to compliance tasks. These traditional service-operations approaches can take 20-30% out of the cost of key processes. Again, this requires a willingness to challenge current approaches and eliminate waste across the system; for instance, in the handoffs that currently exist between the compliance team and the security and operations teams. We regularly see these gaps create extra work, often through rework or over-delivery on requirements because of miscommunication among teams.

This article is not the place to describe the whole lean approach, but in our experience compliance processes are ripe for “leaning out.”

Strategically planning security beyond CIP requirements

One of the biggest focus areas right now for the power sector is the security of assets that do not fall within the Medium or High impact categories of CIP-002, such as smaller generation facilities (typically categorized as Low impact, with far fewer CIP obligations), or assets that are not regulated by CIP at all, such as local distribution assets. The great benefit of NERC CIP is that these organizations start with a strong bench of personnel experienced in managing the security of regulated assets, provided that talent and knowledge can be appropriately tapped for “non-compliance security” matters.

One of the most effective organizations we have worked with has created a group designed specifically to make this shift to a broader security perspective. It integrated its IT and OT security teams, specifically by adding the leaders of its OT compliance effort to the security leadership team. This seemingly simple choice is not something we have seen replicated in many places, but the benefits are striking. First, in every cybersecurity discussion there is now deep representation of how the operational assets need to be considered; no more “IT silo.” Second, it has created more cooperation between controls personnel and the security team, given the prior relationships and trust. Third, the organization created a central place for ICS security management with central visibility, strategies, and toolkits, which drives efficiency in cost as well as speed to outcomes across the entire fleet. This organizational change produced a true strategic plan for security well beyond the compliance requirements of CIP.

The organization is only the first step, however; setting strategic requirements is equally important. Another client of ours has driven a deep security mindset and commitment across its organization by establishing a common security standard across IT and OT for all assets, not just those under the more severe compliance requirements. We often hear that the best answer is a “risk-based security posture,” and we strongly agree with the principle. In practice, however, it often leads to “paralysis by analysis,” whereas a common baseline gives every asset a defined floor while the risk analysis proceeds.


For thirty years, Verve has worked with power companies to improve the reliability and security of their operations. Begun as an automation engineering firm, Verve evolved its services as customer needs shifted. Today, Verve supports dozens of North American utilities in their reliability efforts with our software and services. This experience across utilities as well as independent power providers of various types provides a lens on the evolution of organizational approaches as well as strategic directions they have taken to improve their security and reliability.
