Just as plant owner/operators should “be prepared for an ever-changing cybersecurity attack surface, they should also plan to control their own destinies with respect to regulatory compliance,” noted a panel of experts during a webinar hosted by NAES Corporation titled “NERC CIP-003-9: What you need to know about the new requirements and how to comply.”
If you are one of the 72% of organizations who don’t have full visibility into their control-system supply chains, the 47% of organizations who don’t have the internal resources to manage operational technology (OT)/industrial cybersecurity (ICS) incidents, or the 75% of ICS networks successfully attacked by malicious external actors, don’t fret. NAES NERC/CIPS Services, and its partners, Network Perception and ABS Group, also scheduled two follow-on webinars which deep-crawl through the weeds of this latest compliance challenge.
For those of you whose plants are categorized as “low-impact” BES (bulk electricity system) assets and don’t think this latest standard affects you, think again. “NERC is coming for you,” these experts stressed.
One of the major implications of CIP-003-9 is that “plants should no longer rely on their control system OEMs for compliance or security [two different things].” “There are limits to risk transfer,” they say. Owner/operators, and other “responsible entities” (as referred to in NERC language), must now seek full supply-chain visibility.
Why? For one, a malicious actor can attack all users of a specific plant software (that is, many BES assets) by infiltrating the third-party vendor supplying or servicing that software. This looms large when you consider that the vast majority of combined-cycle control systems in America are sourced from only a few gas-turbine vendors and one or two control-system OEMs (along with the skids and subsystems with PLCs and other devices from a variety of vendors networked into the control system).
“You’d be surprised how frequently control system vendors traffic through their remote access points, and how unaware plant staff are,” observed one expert. Section 6.3 of the new standard, approved by FERC in March, requires one or more methods for detecting known or suspected in/outbound malicious communications through vendor electronic remote access points.
This means plants need comprehensive remote access solutions, and perhaps a full network model. “If two hosts haven’t communicated,” you can’t know whether they could have communicated or not.” A model helps you understand what could happen, not what did happen, these experts stressed.
