Utilities should make their cybersecurity incident preparations “as extravagant as possible,” so that they are protected if a malicious actor does attack, an analyst with the Texas Reliability Entity told registered entities.
“Whether or not you think [a cyber incident is] actually going to happen, you want to make sure that your response plan is capable of withstanding any type of scenario that occurs,” Chris Mejia, Texas RE’s CIP cyber and physical security analyst, said in the regional entity’s regular Talk with Texas RE webinar Aug. 19.
Mejia was discussing reliability standard CIP-003-8 (Cybersecurity — security management controls), which specifies what entities must include in the security plans for their low-impact BES cyber systems. Under NERC’s CIP-002 impact-rating criteria, low-impact systems are those that do not meet the thresholds for high or medium impact; they are considered a comparatively lower risk to grid reliability.
The cybersecurity plan requirements, found in Attachment 1 of the standard, include the following five mandatory sections:
- Cybersecurity awareness — “reinforce … cybersecurity practices” among staff, including physical security practices if applicable, at least once every 15 calendar months.
- Physical security controls — restrict access to the cyber asset itself or the location of the low-impact system within the asset, as well as any cyber assets that provide electronic access controls over the system.
- Electronic access controls — “permit only necessary inbound and outbound electronic access as determined by the responsible entity” and authenticate any dial-up connectivity that can provide access to low-impact cyber systems.
- Cybersecurity incident response — develop incident response plans that provide for identification, classification and response to cybersecurity incidents; identify roles and responsibilities for incident response; and test the plans at least once every 36 calendar months.
- Transient cyber asset and removable media risk mitigation — address the risk of malicious code spreading from removable media and other transient cyber devices, whether managed by the entity or by a third party.
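As an added illustration of the electronic access control section above, not code from the webinar, Texas RE or the NERC standard: the check below audits a constructed boundary ruleset the way a reviewer would, requiring an explicit deny-all at the end of each direction, flagging permits that are not scoped to a specific source, destination and service, flagging permits with no documented necessity, flagging rules shadowed by an earlier catch-all deny, and flagging any dial-up link without authentication. The `Rule` and `DialUp` structures, the sample rules and link names, and the finding texts are all hypothetical.

```python
"""Audit a low-impact boundary ruleset for "only necessary access" and
authenticated dial-up. Added example; rule format and samples are
constructed for illustration, not taken from any entity's configuration."""

from dataclasses import dataclass

ANY = "any"  # wildcard for address, protocol or port


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    direction: str         # "inbound" or "outbound"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    port: str              # destination port or "any"
    justification: str = ""  # why this flow is necessary (hypothetical field)


@dataclass(frozen=True)
class DialUp:
    name: str
    authentication: str    # "none", "password", "callback", "certificate", ...


def is_catch_all(rule):
    """True when a rule matches every address, protocol and port."""
    return rule.src == ANY and rule.dst == ANY and rule.proto == ANY and rule.port == ANY


def audit_ruleset(rules):
    """Return a list of findings; an empty list means the ruleset passes.
    Rules are evaluated first-match per direction, as most firewalls do."""
    findings = []
    for direction in ("inbound", "outbound"):
        ordered = [(i, r) for i, r in enumerate(rules) if r.direction == direction]
        # Section 3 intent: anything not explicitly permitted must be denied.
        if not ordered or not (ordered[-1][1].action == "deny" and is_catch_all(ordered[-1][1])):
            findings.append(f"{direction}: last rule is not an explicit deny-all")
        blocked = False
        for i, r in ordered:
            if blocked:
                # Nothing after a catch-all deny can ever match.
                findings.append(f"rule {i}: unreachable, follows a catch-all deny")
                continue
            if r.action == "deny":
                if is_catch_all(r):
                    blocked = True
                continue
            # Permits must be narrow and justified.
            if r.src == ANY:
                findings.append(f"rule {i}: permit from any source")
            if r.dst == ANY:
                findings.append(f"rule {i}: permit to any destination")
            if r.proto == ANY or r.port == ANY:
                findings.append(f"rule {i}: permit not limited to a specific service")
            if not r.justification.strip():
                findings.append(f"rule {i}: permit has no documented necessity")
    return findings


def audit_dialup(links):
    """Every dial-up path into the low-impact system must authenticate."""
    return [f"dial-up {l.name}: no authentication" for l in links if l.authentication == "none"]


# Constructed sample: one tight Modbus/TCP permit, one overly broad and
# undocumented permit, one NTP permit, then explicit default denies.
SAMPLE_RULES = [
    Rule("permit", "inbound", "10.20.0.5/32", "192.168.50.10/32", "tcp", "502",
         "control-center SCADA master polls the RTU over Modbus/TCP"),
    Rule("permit", "inbound", ANY, "192.168.50.0/24", "tcp", ANY),
    Rule("permit", "outbound", "192.168.50.0/24", "10.20.0.9/32", "udp", "123",
         "substation clocks sync to the control-center NTP server"),
    Rule("deny", "inbound", ANY, ANY, ANY, ANY, "default deny"),
    Rule("deny", "outbound", ANY, ANY, ANY, ANY, "default deny"),
]

SAMPLE_DIALUP = [
    DialUp("relay-maintenance-modem", "none"),
    DialUp("vendor-support-modem", "callback"),
]

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULES) + audit_dialup(SAMPLE_DIALUP):
        print(finding)
```

Run against the sample, only the broad inbound permit (rule 1) and the unauthenticated modem are reported; the Modbus and NTP permits pass because each names a single source, destination and service and records why the flow is needed, which is the evidence an auditor will ask for.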
Mejia emphasized that while the standard specifies minimum targets for compliance, such as the 36-calendar-month interval for testing cyber incident response plans, entities should be willing to go beyond those requirements to keep their systems safe.
For example, on the cybersecurity awareness element, Mejia observed that entities have several ways to inform staff of good practices: direct communication between managers and employees, indirect communication such as posters in common areas, and visible support for cybersecurity from management. A good plan uses all three and tailors them to the organization rather than merely satisfying the compliance minimum.
“Let’s say you’re putting up a poster. Are you leaving that poster up for the entirety of those 15 months, and only changing it once every 15 months?” Mejia said. “You’ve got to be careful with that, because a lot of times that poster does end up kind of blending into the wall. People have blinders on, and they don’t see it anymore. So maybe a best practice is that … you go ahead and do it a little bit more frequently than that.”
Regarding physical security controls, Mejia again observed that there are “many different ways you can do this,” with common approaches using fences or walls and gates. But simply having those barriers in place may not provide the level of security entities expect unless they are tested regularly. Mejia also urged entities to implement a layered approach with multiple reinforcing security mechanisms.
Finally, Mejia reminded entities that CIP-003-9, the successor to CIP-003-8, will take effect April 1, 2026, after being approved by FERC in 2023. (See FERC Approves NERC Cyber Protection Expansion.) The new standard will add a new requirement for “vendor electronic remote access security controls” to entities’ cybersecurity plans for low-impact cyber systems.