Spam, scams, and ransomware; malicious software, viruses, and malware; bad actors, Black Hat hackers, and cyber terrorists… these words are terms for cyber attacks, and they are everywhere in today’s parlance, not just in the technology milieu. So prevalent is this awareness that it now appears in novels, movies, and prime time. The more advances we make to improve our lives with sophisticated technologies, the greater our efforts must be to keep us safe. The threats to our critical infrastructures, like the electrical grid, that keep us living and working healthily and happily are real and a global concern. To allay our fears and address these threats, we turn to the work of the regulatory bodies that make cybersecurity their top concern.
NERC CIP standards
In North America, we have NERC CIP standards to protect our Bulk Electric System (BES). The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) covers all of the United States and Canada, as well as some parts of Mexico. There are approximately 1700 NERC entities that adhere to the NERC CIP authority. Its mandate is to reduce risks to the electrical grid while maintaining reliability and security. NERC works closely with utility stakeholders to develop these standards and then, as a regulatory entity, validates each utility’s compliance with them annually. These standards are enforced by law and are part of the governance of each utility’s commitment to protecting the grid. Not without weight, NERC has the authority to impose fines for non-compliance.
The NERC CIP standards are a number of comprehensive requirements that deal with all aspects of security. These include physical access to buildings, substations, and other sensitive areas. They also include the vetting of personnel with physical and/or virtual access and require annual training for those with various levels of privileged access. Incident reporting is mandatory and serves as a model for correction and possible updates to standards. The latest sophisticated software tools monitor the grid and the BES assets. Any vendor wishing to do business with a utility must adhere to these standards. Vulnerability exercises are run routinely to uncover any gaps in the protection of the grid. Audits are performed to ensure compliance and provide confidence in the security measures.
All these checks and balances are part of everyday governance at each utility. Further, CIP itself is subject to oversight by NERC, whose jurisdiction includes users, owners, and operators of the bulk power system serving nearly 400 million people.
This January, Europe saw the legislation of NIS2, a much beefier and stricter policy than the pre-existing NIS1. All EU member countries must adopt these standards by October 2024. The mission for NIS2 is similar to that of NERC CIP in North America—to ensure enhanced cybersecurity measures are in place within and between countries. This set of standards is based on advancing both awareness of and protection against cybersecurity risks. Again, we see a focus on reporting incidents, employing strict access policies, and ensuring physical parameters are safe. As of autumn 2024, these standards will pass into national law, with compliance being mandatory and non-compliance subject to stiff penalties. The EPCIP, the European Programme Critical Infrastructure Protection, creates the overall framework for critical activities and oversees NIS2.
Since 2006, other nations have begun their work on developing a strong regulatory response to cyber threats. Countries such as China, Japan, India, South Korea, parts of Africa, APAC, and ASEAN have all got their requirements in place.
In the CIP-06 standard, the focus is very much on educating all staff in working to maintain secure access, data protection, and a safe network. It extends to consultants and vendors doing business with the entities. NIS2 will likely have requirements with a similar focus. Educating ourselves, learning to be vigilant, adhering to the cautions provided to us by training, and using best practices at all times is how we will win this fight. Cybersecurity is a global concern, and our response must be, and is on its way to being, a global one.
For information on the grid’s physical security see our two-part blog series between PSC and Barco.