In a report released Aug. 6, NERC said registered entities’ cyber and physical security postures have room for improvement in four key areas and called on stakeholders to “continue the conversations within their organizations and with their peers” to build a safer electric grid.
The 2024 Critical Infrastructure Protection Themes and Lessons Learned report is the third in a series, with previous installments published in 2015 and 2018.
Its goal is to identify “risk themes that have made it difficult for some entities to mitigate risks associated with the NERC Critical Infrastructure Protection (CIP) reliability standards [and] to communicate these themes” to stakeholders, along with possible resolutions. NERC said the recommendations are “merely approaches that have been successful for certain entities,” rather than mandatory directives.
“While industry excels at many aspects of cyber security, the intention of this report is to outline areas for improvement with the goal of driving continued progress toward our shared mission of ensuring a reliable power system,” NERC said, adding that the document includes “high-level fact patterns from open and closed cases” while withholding information that could expose security holes in the grid.
The risks discussed fall into four main themes:
- latent vulnerabilities;
- insufficient commitment to low-impact programs;
- shortages of labor and skillsets;
- performance drift.
Latent vulnerabilities refer to “long-standing, higher-risk issues that evade detection and persist within entities’ environments,” which arise even at entities with robust and effective CIP compliance programs that have seen overall failures decline. The ERO noted that such violations tend to be “more isolated in nature” without significant trends but warned that entities still must address these risks to “drive continuous improvement” in grid security.
Examples of latent vulnerabilities highlighted in the report include an entity’s discovery that an outdated system configuration had granted improper access for grid cyber systems to thousands of unauthorized users for more than five years. The entity discovered the issue only when a transferred employee realized she still had access to files outside her new department.
Another case involved physical security: An entity had no monitoring system in place for physical access points to substations, despite having alarms and alerts that “created a false sense … that monitoring was occurring.” In reality, the report said, the alarms and alerts had been effectively neutralized by configuration changes during construction of the substations.
To address these issues, NERC suggested that entities try to determine whether they have dedicated enough resources to the development and execution of detective controls, test their controls regularly and scrutinize their design while “contemplating scenarios that those controls may not address.” The ERO advised that entities conduct periodic searches for latent vulnerabilities in addition to formal internal audits.
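One form the recommended periodic search for latent vulnerabilities can take, for the access case described above, is an automated access review that compares every standing grant against the current HR roster and its last recertification date. This is an added example, not code from NERC or the report; the roster, the grant export and its field names are constructed sample data.

```python
from datetime import date

# Constructed sample: the HR roster as it stands today (user -> current department).
USERS = {
    "u100": "grid-ops",
    "u200": "finance",    # transferred out of grid-ops; the grant below was never revoked
    "u300": "grid-ops",
}

# Constructed sample: an access-control export. Each grant records the department
# it was meant for, when it was issued, and when it was last recertified (if ever).
GRANTS = [
    {"user": "u100", "resource": "ems-file-share", "dept_scope": "grid-ops",
     "granted": "2024-01-10", "last_review": "2024-06-01"},
    {"user": "u200", "resource": "ems-file-share", "dept_scope": "grid-ops",
     "granted": "2018-03-04", "last_review": None},
    {"user": "u300", "resource": "ems-file-share", "dept_scope": "grid-ops",
     "granted": "2023-02-01", "last_review": "2023-02-01"},
    {"user": "u400", "resource": "ems-file-share", "dept_scope": "grid-ops",
     "granted": "2024-07-01", "last_review": None},   # u400 is no longer on the roster
]


def find_latent_access(users, grants, today_iso, max_review_days=365):
    """Return grants that a periodic access review should question.

    Three conditions are flagged: the user is gone from the roster, the user's
    current department no longer matches the grant's scope, or the grant has
    not been recertified within max_review_days.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for g in grants:
        reasons = []
        dept = users.get(g["user"])
        if dept is None:
            reasons.append("user not in HR roster")
        elif dept != g["dept_scope"]:
            reasons.append(f"user now in {dept}, grant scoped to {g['dept_scope']}")
        # A grant that was never reviewed is aged from its issue date instead.
        last = date.fromisoformat(g["last_review"] or g["granted"])
        age = (today - last).days
        if age > max_review_days:
            reasons.append(f"not reviewed for {age} days")
        if reasons:
            findings.append({"user": g["user"], "resource": g["resource"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_latent_access(USERS, GRANTS, "2024-08-06"):
        print(f["user"], f["resource"], "; ".join(f["reasons"]))
```

Run against a real export, the review catches the transferred employee's leftover access on the first pass rather than years later, and the review-age check surfaces grants that no one has looked at even when the user's role still matches.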
Another theme involves insufficient commitment to low-impact programs, which cover systems considered not to pose a significant risk to grid security. NERC noted that since 2017, there has been a steady rise in the number of noncompliances regarding the CIP-003 (Cybersecurity — security management controls) family of standards, which contain “the majority of low-impact cybersecurity requirements” — from two violations in 2017 to 53 last year.
The ERO said the majority of these infringements involve misunderstandings of CIP obligations and security objectives, insufficient understandings of the cyber environment, struggles “to effectively manage electronic access,” or inability to implement effective controls on removable media.
NERC called for entities to improve their attention to detail, planning and execution of low-impact security programs. It also recommended utilities evaluate whether security personnel understand their expectations and cyber environment and that entities taking over the management of existing low-impact sites undergo the same evaluation.
Labor Issues
Shortages of skilled labor also contribute to security risks, NERC said. The ERO observed that 70% of organizations in the energy, power and utilities industry report a shortage of cybersecurity staff, even as nearly 80% of the industry considers the current threat landscape the most challenging of the past five years.
Tying this into the security risk discussion, NERC said many CIP violations it has seen resulted from “entities losing skilled labor … and failing to successfully transition the underlying job responsibilities to new or existing staff.” These transition failures can result from inadequate knowledge transfer or from difficulties finding replacement staff with the necessary skills to adapt to the cybersecurity needs of the electric industry.
NERC said tackling this issue will require “creativity and attention.” Possible solutions include proactively hiring new staff while experienced employees are still available to educate and train them, along with entities evaluating their approaches to hiring and compensation to ensure they can attract workers with the skills they need. In addition, the ERO recommended implementing succession plans for employees in critical positions whose departure could “lead to process or internal control failures.”
The final trend identified in the report is performance drift, which relates specifically to physical security and covers “apathy, circumvention, complacency, inattentiveness” and other human performance issues that creep into security programs “at entities of every size and type.” NERC noted that physical security often requires repetitive behavior sustained over long periods of time, and workers may lose focus on, or forget the importance of, individual acts.
The ERO said it has “seen increased failure with these repetitive behaviors when disciplined execution becomes inconvenient or uncomfortable.” For example, multiple cases involve staff allowing individuals into secure areas who forgot their credentials or never had them at all. This can arise from a feeling of favors being owed, or employees assuming the people in question “were supposed to be there” — such as a truck assumed to be an authorized delivery vehicle or an unknown individual allowed into a secure area because he claimed to be with a vendor.
Among NERC’s suggestions to address this issue are regular testing for potential performance drift, such as physical penetration tests. Security programs must exhibit “continuous internal skepticism,” especially because remote work and high turnover have caused staff to become “increasingly unfamiliar with colleagues and other departments.” Additional improvements include implementing incentive programs to “promote process adherence and whistleblowing when processes are ignored.”