1 of 19

What You Need to Know About the New Requirements and How to Comply (Part 1)

NERC CIP-003-9

Keon McEwen | Ben Stirling | Michiko Sell | Joe Baxter

2 of 19

Questions

  • Enter your question(s) in the GoToWebinar “Questions” section anytime throughout the presentation.
  • A PDF copy of this webinar’s presentation will be available in the “Handouts” section of the GoToWebinar panel.
  • Today’s webinar is being recorded and will become available at: www.abs-group.com/webinars
  • Please allow 1-2 business days for the webinar recording to be posted.

3 of 19

OT Cybersecurity by Numbers


4 of 19

Increase of Cyber Attacks in Critical Infrastructure

[Timeline figure, 2010 to 2022, of cyber incidents affecting critical infrastructure; the incidents named on the slide are Shamoon3, VPNFilter, Alert (TA18-074A), Op Ghoul, Havex, Steel Mill Attack, Shamoon, Dragonfly, Stuxnet, Aurora, EKANS, MAZE, Ryuk, LockerGoga, Dtrack, Lemon Duck, Wannacry, Triton, Petya, Black Energy, Industroyer, Red October, Night Dragon, Solarwinds, FL Water, Colonial, JBS, Oiltanking Deutschland GmbH & Co., Ukraine Power and Deutsche Windtechnik.]

February 2023

A U.S. energy company reported that adversaries successfully reached the company’s OT network and that it was infected with Royal ransomware. At this time, it is believed that the ransomware was general-purpose and not intended for the ICS environment.

May 2021

The Colonial Pipeline was the victim of a ransomware attack and halted operations.

Operations were impacted because of safety concerns arising from the loss of operations monitoring and visibility.

April 2022

PIPEDREAM: the seventh known ICS-specific malware, specifically designed to disrupt industrial processes.

PIPEDREAM affects libraries used across vendors, so lists of affected control processors may not be comprehensive.

5 of 19

NERC Cybersecurity Requirements

NERC Compliance

    • Consider the registration type – GO, GOP, TO, TOP?
    • How many MW will be controlled at a single interconnect?
      • Classification of Generation and/or Transmission assets as High, Medium or Low Impact
    • Depending on the classification, the applicable NERC CIP Standard requirements must be addressed
      • Low Impact – CIP-002 and CIP-003
      • Medium/High Impact – CIP-002 through CIP-014
    • Identify all “book end” NERC Standard requirements that must be complete prior to the registration date (Commercial Date)
    • Electronic and Physical Access Controls


6 of 19

Cyber Security Requirements – Coming Down the Road

General

FERC is pushing for Low Impact BES Cyber Systems (BCS) to be treated more like Medium Impact BCS.

Project 2020-03 Supply Chain Low Impact Revisions - CIP-003-9

Board Adopted: November 16, 2022

Adopted by FERC: March 16, 2023

Effective Date: April 1, 2026

New Section 6 in Attachment 1

Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP‐002, that allow vendor electronic remote access, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1.

These processes shall include:

6.1 One or more method(s) for determining vendor electronic remote access;

6.2 One or more method(s) for disabling vendor electronic remote access; and

6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access.

7 of 19

Don’t Rely on the Vendor

Vendor remote access often bypasses the intended security controls and allows direct access to the ICS environment.

Understand the limits of risk transfer: Vendors vs. Responsible Entities.

8 of 19

More than a Jump Host

  • Plant-by-plant solutions will struggle to comply
  • Monitoring of inbound and outbound communications
  • Active control of vendor access
  • Continuous validation of vendor access
  • Awareness of changes to the environment

9 of 19

The Two Sides of Network Visibility

Cyber Resiliency Building Blocks: Visibility & Understanding

  • Network Access Modeling (Asset → Firewall → Service): which assets can connect to which services. Keep the network representation current and enhance understanding of dependencies.
  • Network Traffic Monitoring (Asset → TAP / SPAN → Service): which assets are connecting to which services. Monitor and detect adverse action in a timely and actionable manner.

10 of 19

Five+ Process Activities

  1. Prerequisites: a CIP-002 assessment and a complete understanding of all Low Impact Cyber Assets (a discrete list is not required).
  2. Deny-by-Default: Section 3 states “only necessary inbound and outbound electronic access” between a LIBCS and a Cyber Asset “outside of the asset.”
  3. Add Justified Routable: Section 3 then obligates the control and documentation of any necessary bidirectional communications that might cross the asset boundary.
  4. Exclude Time-Sensitive: Section 3 finally permits the entity to disregard time-sensitive protocols in their electronic access control scheme.
  5. Control Vendor Access: Section 6 wraps the controls with a filter for all vendor access, in three parts: Determine, Disable and Detect.
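An added example, not from the webinar or from any of the presenters’ products, that ties the two sides of network visibility to the Section 3 and Section 6 activities above: the rule base is the “can connect” model (deny-by-default plus justified routable allowances, two of them vendor paths), the observed flows are the “are connecting” side, and the reconciliation reports vendor paths with their enabled/disabled state (6.1, 6.2), vendor sessions to inspect (6.3) and flows the model does not justify. All addresses, ports and rule names are constructed, and the time-sensitive port is hypothetical.

```python
import ipaddress
from collections import namedtuple
# Constructed rule base (not the webinar's or any vendor's data). It is the
# "can connect" side: deny-by-default, plus the justified routable allowances an
# entity documents under Section 3; two of them are vendor remote-access paths.
Rule = namedtuple("Rule", "name src dst port vendor enabled")
ACCESS_MODEL = [
    Rule("historian-pull", "10.1.0.0/24", "10.2.0.10", 5450, False, True),
    Rule("vendor-vpn-plc", "203.0.113.0/24", "10.2.0.20", 22, True, True),
    Rule("vendor-vpn-hmi", "203.0.113.0/24", "10.2.0.30", 3389, True, False),
]
TIME_SENSITIVE_PORTS = {9999}  # hypothetical port of a protocol excluded under Section 3

def permitting_rule(src, dst, port):
    """First enabled rule that permits the flow, or None (deny-by-default)."""
    for r in ACCESS_MODEL:
        if (r.enabled and dst == r.dst and port == r.port
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)):
            return r
    return None

def vendor_access_paths():
    """Section 6.1 / 6.2: determine every vendor path and whether it is enabled."""
    return {r.name: r.enabled for r in ACCESS_MODEL if r.vendor}

def reconcile(observed):
    """The "are connecting" side: classify TAP/SPAN flows against the model."""
    report = {"justified": [], "vendor": [], "unjustified": [], "time_sensitive": []}
    for src, dst, port in observed:
        if port in TIME_SENSITIVE_PORTS:
            report["time_sensitive"].append((src, dst, port))  # outside Section 3 scope
            continue
        rule = permitting_rule(src, dst, port)
        if rule is None:  # crossed the boundary with no justification, or on a disabled path
            report["unjustified"].append((src, dst, port))
        elif rule.vendor:  # vendor session: the traffic Section 6.3 asks you to inspect
            report["vendor"].append((rule.name, src, dst, port))
        else:
            report["justified"].append((rule.name, src, dst, port))
    return report

# Constructed TAP/SPAN observations; the third uses a vendor path the model says is disabled.
OBSERVED_FLOWS = [
    ("10.1.0.5", "10.2.0.10", 5450),
    ("203.0.113.7", "10.2.0.20", 22),
    ("203.0.113.7", "10.2.0.30", 3389),
    ("10.1.0.5", "10.2.0.20", 9999),
]
if __name__ == "__main__":
    print(vendor_access_paths(), reconcile(OBSERVED_FLOWS), sep="\n")
```

A flow that lands in “unjustified” while its path is marked disabled in the model is the discrepancy between the two sides that segmentation evidence should surface.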


11 of 19

Demonstrate Segmentation

Don’t just talk about it.

Show segmentation directly from evidence.

12 of 19

Questions

  • Enter your question(s) in the GoToWebinar “Questions” section at this time.
  • A PDF copy of this webinar’s presentation is available in the “Handouts” section of the GoToWebinar panel.
  • Today’s webinar is being recorded and will become available at: www.abs-group.com/webinars
  • Please allow 1-2 business days for the webinar recording to be posted.

13 of 19

Additional Resources

ABS Group, NAES Corp and Network Perception are working together to proactively address the potential scope of work that will be required to achieve compliance with the new CIP-003 low impact requirements.

  • We have created a survey to produce an indicative budgetary estimate of the implementation: https://portal.network-perception.com/static/cip/#
  • Once you fill out the form, you will receive an email with the indicative budgetary estimate, based on the information you provided.

14 of 19

Thank You

Michiko Sell

NERC CIP Services Supervisor

Michiko.Sell@naes.com

www.naes.com

Keon McEwen

ISOC Director, Industrial Cybersecurity

kmcewen@absconsulting.com

Ben Stirling

Director - Industrial Cybersecurity

bstirling@absconsulting.com

www.abs-group.com

15 of 19

16 of 19

ABS Group

With over 50 years of risk management and safety experience, ABS Group provides data-driven risk and reliability solutions and technical services that help clients confirm the integrity, cybersecurity, quality and efficiency of critical assets and operations, in the marine and offshore, oil, gas and chemical, government and power and energy sectors.

1000+ Employees | 20+ Countries | 50 Years

17 of 19


About NAES

18 of 19

Network Perception’s Mission:

  • 100+ customers / 50% of top 30 largest power utilities in the US
  • Solved challenges for NERC and utilities through ongoing consultations
    • Leveraged in hundreds of NERC CIP audits since 2016
    • Provide independent visibility and proactive protection
  • Founded by cybersecurity experts from the University of Illinois at Urbana-Champaign
  • Research funded by DOE, DHS, NSF

Securing the critical infrastructure that runs the world

19 of 19

Bowtie Kill Chain for OT
