Seeking to “provide additional clarity and ensure a common approach to auditing compliance with the Critical Infrastructure Protection (CIP) reliability standards,” NERC on Friday introduced a guide to help integrate network monitoring solutions into the industrial control systems (ICS) and operational technology (OT) networks of electric utilities.

NERC developed the ERO Enterprise CMEP Practice Guide: Network Monitoring Sensors, Centralized Collectors, and Information Sharing in response to the Department of Energy’s initiative, announced in April, to improve the cybersecurity of ICS at electric utilities and secure the energy sector’s supply chain within 100 days. (See Biden Reinstates Trump Supply Chain Order.)

Part of DOE’s initiative includes a “voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems,” along with milestones for their introduction over the specified time frame. The new practice guide — unlike implementation guidance, which provides registered entities with ERO Enterprise-endorsed examples of how to comply with reliability standards — is intended to assist compliance monitoring and enforcement program (CMEP) staff of the ERO Enterprise with executing CMEP activities related to the deployment of this new technology.

Asset Protection Assessed by Function, Environment

The guide identifies two primary issues for CMEP staff to consider when assessing entities’ technology solutions in relation to the CIP standards:

• Protection of the cyber asset — whether the deployment of a network monitoring sensor in an entity’s environment triggers the application of certain CIP requirements and, if so, whether the entity identified which requirements apply and how its device protection plan complies with them;
• Protection of data being transmitted to a third party — whether the type of data being transmitted triggers the need to protect that data and associate cyber assets under the CIP standards and, if so, how the entity plans to protect and securely handle the data consistent with the standards.

For the first topic, protection of the asset, the CIP standards require entities to protect bulk electric system cyber systems and “certain associated cyber assets;” CMEP staff are advised to determine first whether the sensor in question qualifies as a BES cyber asset based on CIP-002-5.1a (BES cyber system categorization). 

“Typically, based on the function it is performing, the sensor is unlikely to meet the definition of a BES cyber system,” the guide says. “However, CMEP staff should assess the registered entity’s CIP-002 categorization process to ensure that the sensor would not meet the definition of BES Cyber System.”

If the sensor does not qualify as a BES cyber system, it may still be subject to CIP requirements based on the environment in which it is deployed, the way it is used, and its functions. Devices that are used in high- or medium-impact environments may be categorized as protected cyber assets if they are connected using routable protocols within or on an electronic security perimeter, or as electronic access control or monitoring systems (EACMS) if they perform “certain electronic access and/or access monitoring activity.”

Entities may not be required to secure sensors that are deployed in an environment with only low-impact BES cyber systems even if they are “performing the functions of an EACMS or other … device subject to the CIP standards.” However, auditors must still assess whether those devices are subject to the requirements of CIP-003-8 (Cyber security — security management controls) concerning electronic access control.

Data Protection Includes Third Parties

Regarding the protection of data, the CIP standards require that entities control access to BES cyber system information (BCSI), defined as “information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to [it].” Examples of such data include security procedures, collections of network addresses, network topology of the system, or any information that is not publicly available and could be used to allow unauthorized access or distribution of sensitive data.

CMEP staff are advised to examine how the entity determines whether the data collected by its sensors contains BCSI and whether the information is transmitted to third parties. If BCSI is included in the data, auditors must assess whether the utility has a process in place to authorize access to the designated storage locations for BCSI; this must also be assessed for any third party that might come in contact with the information. 

The guide also reminds CMEP auditors to “consider the specific facts and circumstances for each aspect” of a utility’s network monitoring technology deployment, conducting a thorough review of every system to ensure that no possible vulnerabilities are missed. 

“The NERC reliability standards covered in this practice guide establish a set of controls for protecting network monitoring deployments and BCSI information,” the guide says. “CMEP staff must understand how each of the registered entity’s various CIP programs are applied such as policies, procedures, access controls, training and periodic reviews with the ultimate goal of preventing unauthorized access to these cyber assets as well as any associated BCSI.”