NERC this week made good on an order FERC issued more than eight years ago, seeking commission approval for a suite of changes affecting nearly every entry in the library of Critical Infrastructure Protection (CIP) standards that ERO staff have said are designed to “future-proof” the electric grid for emerging technologies (RM24-8).
The submission comprises 11 new standards, along with four new and 18 revised definitions for the NERC glossary. They represent the final product of Project 2016-02 (Modifications to CIP standards), and were adopted by NERC’s Board of Trustees at its most recent open meeting in Washington, D.C. (See Christie, Clements Praise NERC’s Honesty at Board Meeting.)
Project 2016-02 arose from FERC’s Order 822, issued Jan. 21, 2016. The order called for NERC to address several emerging issues related to the increasing use of cyber assets to control the grid, including virtualization, temporary devices connected to grid cyber equipment, and protection of communications both between control centers and between control centers and cyber assets.
In its filing, NERC explained that as the “technology supporting and enabling the industrial control systems that operate the [grid] has evolved rapidly … the risks facing the [grid] and the methods for mitigating those risks have also evolved.”
Virtualization is one such advance. NERC’s filing cites the National Institute of Standards and Technology definition of the term: “the process of creating virtual, as opposed to physical, versions of computer hardware to minimize the amount of physical hardware resources required to perform various functions.” NERC said the changes to the CIP standards and to the glossary will allow entities to make full use of the “concepts and efficiencies,” as well as the security techniques, made possible by virtualization.
The standards filed by NERC this week are:
- CIP-002-7 (Cybersecurity — BES cyber system categorization)
- CIP-003-10 (Cybersecurity — security management controls)
- CIP-004-8 (Cybersecurity — personnel and training)
- CIP-005-8 (Cybersecurity — electronic security perimeters)
- CIP-006-7 (Cybersecurity — physical security of BES cyber systems)
- CIP-007-7 (Cybersecurity — systems security management)
- CIP-008-7 (Cybersecurity — incident reporting and response planning)
- CIP-009-7 (Cybersecurity — recovery plans for BES cyber systems)
- CIP-010-5 (Cybersecurity — configuration change management and vulnerability assessments)
- CIP-011-4 (Cybersecurity — information protection)
- CIP-013-3 (Cybersecurity — supply chain risk management)
The current versions of these standards are “designed around the concept that devices have a one-to-one relationship between software and hardware,” NERC said, an approach that prevents entities from taking advantage of some recent software advances. For example, security models such as zero-trust architecture can be improved with virtualization techniques that allow for more granular management of communication than traditional perimeter-based security models.
These new CIP standards permit the use of virtualization and also account for the risks that come with it, such as attacks in which one virtual system is used to compromise another running on the same physical hardware. NERC said the standards were structured around security objectives that focus on “essential elements” of reliability rather than on specific technology approaches.
In addition, the developers recognized that many utilities do not use virtualization. By using security objectives, they hoped to create “a framework that could adapt to newer technologies and innovative security models” as the use of virtualization spreads through the ERO Enterprise.
2024 has already seen several changes to the CIP standards. Last month, NERC submitted CIP-015-1 (Cybersecurity — internal network security monitoring) for FERC approval; the new standard would require utilities to monitor communications within their internal networks, with the goal of detecting and preventing attacks like the SolarWinds hack of 2020. (See NERC Submits INSM Standard for FERC Approval.)
In addition, FERC approved CIP-012-2 (Cybersecurity — communications between control centers) in May. (See FERC Accepts NERC’s New Cybersecurity Standard.) The standard will require entities to mitigate the risk of lost communications between control centers, as well as the loss of real-time intra-control center assessment and monitoring data.