Energy Commission Weighs in on Improving Infrastructure Reliability

The federal entity is seeking greater regulation and accountability in identifying gaps and providing cybersecurity solutions.


The Federal Energy Regulatory Commission (FERC) recently put forth a proposal that would require new or modified Critical Infrastructure Protection (CIP) reliability standards to address the growing risks posed by malicious actors seeking to compromise the reliable operation of the bulk-power system.

The proposal would direct the North American Electric Reliability Corporation (NERC) to:

  • Require entities to identify, at specified intervals, the current supply chain risks to their grid-related cyber systems.
  • Assess, and take steps to validate, the accuracy of the information received from vendors during the procurement process.
  • Document, track and respond to the risks identified to these systems.
  • Extend the applicability of the supply chain standards to a further category of assets, known as protected cyber assets (PCAs).
  • Submit new or revised standards within 12 months of the effective date of a final rule.

FERC also proposed approving a NERC-endorsed CIP reliability standard that requires internal network security monitoring (INSM) inside an entity's electronic security perimeter (ESP). The standard responds to a FERC rule approved in January 2023, which directed NERC to develop CIP reliability standards requiring internal network security monitoring to provide greater defense-in-depth for entities' CIP-networked environments.

Further, the commission wants NERC to develop modifications to the internal network security monitoring standard that would extend those protections beyond the electronic security perimeter to electronic access control or monitoring systems and to physical access control systems. NERC would submit a responsive revised reliability standard within 12 months of the effective date of a final rule.

John Vecchi, a security strategist for Phosphorus Security, said:

"These OT, IoT, and ICS Cyber-Physical Systems are mission-critical devices that are vital in maintaining the operation and availability of our critical infrastructure. Protecting them is less about improving the grid and more about maintaining their availability while preventing some kind of cyber-physical attack. Devices like mission-critical PLCs, HMIs, environmental sensors, robotics, and industrial gateways lack the most basic security hygiene, yet are generally unknown, unmonitored, and unmanaged in these environments. And many of these assets have already been compromised by threat actors and nation-states.

"Overall, risk management frameworks for critical infrastructure providers continue to be a challenge, with wide disparities between organizations and industries. But when it comes to protecting mission-critical Cyber-Physical Systems, most all are in a terrible state of security. This will take far more than just reassessing their current risk management frameworks, since most of those frameworks will not include even basic visibility of what OT/IoT assets they have, where they are located, and what critical vulnerabilities exist on them.

"Rather, there will need to be somewhat of a shift to view these critical yet vulnerable assets in the same way they view traditional IT assets and endpoints. This will require not only new technologies, but new policies and skill sets as well."
