A US energy company, identified by some media sources as Duke Energy, recently received a $10 million fine from the North American Electric Reliability Corp. for repeated violations of critical infrastructure protection (CIP) reliability standards.
The record-breaking fine was announced by NERC last week, but the notice of penalty has since been heavily redacted so as not to disclose the name of the company. The Wall Street Journal and E&E News have reported that it was North Carolina-based Duke Energy, one of the nation’s largest utilities, with 7.6 million customers in six states. The previous record for NERC security violations was a $2.7 million fine issued to San Francisco-based utility Pacific Gas & Electric Co. last year.
NERC’s 250-page filing cites 127 violations between 2015 and 2018. NERC classified the majority of these violations as “moderate” or “medium”, but 13 as “serious”. NERC says many of the violations involved long durations, recurring instances of non-compliance, and repeated failures to properly implement physical and cyber security protections.
NERC stated, “As an example, the companies’ failure to accurately document and track changes that deviate from existing baseline configurations increased the risk that the companies would not identify unauthorized changes, which could adversely impact BES [bulk electric system] cyber systems.”
NNT Change Tracker Gen7 R2 includes an intelligent change control system that recognizes changes deviating from your initial baseline and alerts you through the dashboard or by email. Once a change has been reviewed, at the most basic level it can simply be acknowledged, with the reason for the change appended.
An advanced option creates an Intelligent Planned Change for changes that only need to be reviewed once, on a single representative device. An Intelligent Planned Change is Change Tracker’s way of learning about regular or repeated changes, such as Windows Updates, that you want approved automatically when they are detected on other devices or on future occasions. In other words, the baseline is updated and monitored automatically for all devices in real time, cutting out the overwhelming “change noise” so that attention goes to genuinely suspicious activity.
The list of violations classified as serious includes:
- Failure to protect critical cyber asset (CCA) information
- Failure to follow its change control and configuration management process. In three instances, software upgrades were deployed on a single CCA in the production environment without first being tested as required by the change control process
- Failure to maintain annual cybersecurity training for some employees with electronic or physical access to CCAs
- Failure to revoke former employees’ and contractors’ electronic access rights in a timely manner
- Failure to implement physical access controls to limit unescorted access to the physical security perimeter (PSP) and failing to document all required information in visitor logbooks
- Failure to change passwords on an annual schedule and to change factory default passwords on remotely accessible BES cyber assets
- Failure to monitor electronic security perimeter (ESP) inbound and outbound communications and to restrict inbound electronic access to ESPs
- Allowing individuals improper electronic access to CIP-protected information
- Improperly configured routers that prevented monitoring-server logs from reaching the security information and event management (SIEM) device
- Firewalls configured to allow external remote access to sensitive systems without first passing through an intermediate system, using encryption, or requiring multi-factor authentication
- Repeated failures to adhere to cybersecurity testing procedures, including deficient testing on software upgrades and failures to implement security patch programs
NERC cited a “lack of managerial oversight, lack of internal controls, deficient processes and inadequate training” as the cause of many of these issues. Some of these violations have already been addressed; others are ongoing.
In addition to the hefty fine, the settlement includes mitigating ongoing violations and facilitating future compliance. The company has also agreed to boost senior leadership involvement with security, create a centralized CIP oversight department, and conduct annual compliance drills.
Learn How NNT Interacts with the NERC CIP Compliance Standard
CIP-002-3: Cyber Security — Critical Cyber Asset Identification
NERC CIP Version 5: CIP-002-3 R1, R2, R3
Requirement: Purpose: NERC Standards CIP-002-3 through CIP-009-3 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed.
NNT Solution: Automated network discovery identifies any Cyber Assets using a routable protocol. Discovered devices are then interrogated more deeply to establish other identification attributes. With Change Tracker Gen 7, a full System Information and Configuration Audit can then be automated.

CIP-003-5: Cyber Security — Security Management Controls
NERC CIP Version 5: CIP-003-5 R2
Requirement: Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
NNT Solution: Pre-built hardened build-standard documentation, with continuous automated compliance auditing, is provided; Responsible Entities can adopt it as-is or tailor it.

CIP-004-3: Cyber Security — Personnel & Training
NERC CIP Version 5: CIP-004-3 R4
Requirement: Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness. Standard CIP-004-3 should be read as part of the group of standards numbered CIP-002-3 through CIP-009-3.
NNT Solution: All user and system activity is tracked, and audit trails are provided to ensure access is in line with authorized privileges. Any new accounts or increases in privilege are reported for review and approval. When access privileges are revoked, this is also audited and reported for review.

CIP-005-5: Cyber Security — Electronic Security Perimeter(s)
NERC CIP Version 5: CIP-005-5 R1.3, R1.5, R2.1-R2.2
Requirement: Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
NNT Solution: Use NNT Change Tracker to apply a configuration baseline. NNT is a Certified Vendor for CIS Benchmark checklists and an Official OVAL Adopter, ensuring the most secure and effective configuration settings are used for firewalls. Apply File Integrity Monitoring to firewall rules and other security configuration settings for tight change management, and collect logs from firewalls to detect security incidents before any breach occurs.

CIP-006-3c: Cyber Security — Physical Security of Critical Cyber Asset(s)
NERC CIP Version 5: CIP-006-3c R1.5-R1.7, R2-R2.3
Requirement: Standard CIP-006-3 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. Standard CIP-006-3 should be read as part of the group of standards numbered CIP-002-3 through CIP-009-3.
NNT Solution: Physical access controls can be audited using automated audit trails and correlation rules. Configuration assessment and change control are automated using Change Tracker.
Note: Any systems used to operate physical access controls will also need configuration hardening, change control and breach detection/anti-tampering measures enforced for their cyber elements.

CIP-007-3: Cyber Security — Systems Security Management
NERC CIP Version 5: CIP-007-3 R1-R1.2, R2-R2.3, R3.1-R3.3, R4.1-R4.4, R5.1-R5.7
Requirement: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s). Standard CIP-007-3 should be read as part of the group of standards numbered CIP-002-3 through CIP-009-3.
NNT Solution: Built-in reports identify all open ports and whether their use is approved; any other open ports are highlighted for mitigation. Similarly, all services and daemons can be audited and validated for compliance with the approved hardened build standard. NNT is a Certified Vendor for CIS Benchmark hardening checklists, providing a full assessment of all configuration settings and identifying any vulnerabilities. NNT also provides real-time breach detection, vital for detecting Stuxnet-style APT attacks.

CIP-008-3: Cyber Security — Incident Reporting and Response Planning
NERC CIP Version 5: CIP-008-3 R1.1-R1.6, R2
Requirement: Standard CIP-008-3 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-3 should be read as part of the group of standards numbered CIP-002-3 through CIP-009-3.
NNT Solution: In the first instance, any incident is alerted on and reviewed automatically against expected, planned changes using NNT Closed-Loop Intelligent Change Control. Any unplanned changes are reported as potential security incidents, and an investigation and review process is provided within Change Tracker, augmented with log data from Log Tracker. Forensic-level audit trails of all system and user activity make security incident investigation straightforward (all audit trails are retained for 12 months, in line with NERC CIP Version 5 requirements).

CIP-009-3: Cyber Security — Recovery Plans for Critical Cyber Assets
NERC CIP Version 5: CIP-009-3 R4
Requirement: Standard CIP-009-3 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. Standard CIP-009-3 should be read as part of the group of standards numbered CIP-002-3 through CIP-009-3.
NNT Solution: Configuration settings are recorded after every change. Change Tracker’s built-in workflow requires all changes to be assigned to a Planned Change, with documentation providing a full audit trail for use when restoring systems to an earlier state. Compliance Reports provide a long-form version of the Initial Configured Baseline for all systems. A full backup with incremental change history is provided for any text-based configuration file, including those of firewall appliances and other network devices.

CIP-010-3: Cyber Security — Configuration Change Management and Vulnerability Assessments
NERC CIP Version 5: CIP-010-3 R1.1-R1.5.2, R2.1, R3.1-R3.4, R4
Requirement: Purpose: To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES). The key requirement is to develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.
NNT Solution: Change Tracker provides a comprehensive solution for CIP-010-3. Initial vulnerability assessments are performed using certified CIS Benchmark hardening checklists, which can be tailored to match exactly the required hardened build standard for BES Cyber Systems. Any other source of automated compliance content, such as OVAL or SCAP, can also be used. This also covers the CIP-005 and CIP-007 requirements. Once systems are in a hardened, compliant state, all changes are tracked and assessed automatically against Approved Planned Changes. Changes identified as 'Known Approved' are reconciled with the Planned Change documentation. Changes that 'deviate from the existing baseline' can be reviewed and retrospectively assigned to a Planned Change with rationale documentation. The Planned Change can then be applied to the change history of other BES Systems, effectively updating the baseline configuration automatically.

CIP-011-1: Cyber Security — Information Protection
NERC CIP Version 5: CIP-011-1 R1
Requirement: Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
NNT Solution: Secure configuration standards can be assessed, and records produced, using NNT Change Tracker for BES Cyber System Information in storage, in transit, and in use.
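As an added example (not NNT or Change Tracker code), the following Python script shows the CIP-010-3 R1.1 baseline check and the planned-change reconciliation described above: it diffs a device's current snapshot against its baseline across the five required items, then reconciles each deviation against a planned-change register so that a change reviewed once is approved wherever it recurs and everything else is flagged for review as a potential incident. The device data, patch ids and change id are constructed placeholders.

```python
from dataclasses import dataclass

# CIP-010-3 R1.1 baseline items 1.1.1 to 1.1.5: OS/firmware, installed
# software, custom software, logical network ports, security patches.
BASELINE_ITEMS = ("os", "software", "custom_software", "ports", "patches")

@dataclass(frozen=True)
class Deviation:
    device: str
    item: str   # one of BASELINE_ITEMS
    value: str
    kind: str   # "added" or "removed"

def diff_baseline(device, baseline, current):
    """List every way `current` deviates from `baseline` on one device."""
    out = []
    for item in BASELINE_ITEMS:
        before, after = set(baseline.get(item, ())), set(current.get(item, ()))
        out += [Deviation(device, item, v, "added") for v in sorted(after - before)]
        out += [Deviation(device, item, v, "removed") for v in sorted(before - after)]
    return out

def reconcile(deviations, planned):
    """Split deviations into (approved, unplanned) against the planned-change register.
    `planned` maps a change id to the (item, value, kind) triples it authorises, so a
    change reviewed once is approved wherever the same deviation recurs on other devices."""
    approved, unplanned = [], []
    for d in deviations:
        cid = next((c for c, ch in planned.items() if (d.item, d.value, d.kind) in ch), None)
        (approved if cid else unplanned).append((d, cid))
    return approved, unplanned

# Constructed sample data (placeholder ids): an HMI host whose snapshot shows
# one scheduled patch and one listening port that no planned change covers.
BASELINE = {"os": {"Windows Server 2016"}, "software": {"HMI Client 4.2"},
            "custom_software": {"relay_poll 1.0"}, "ports": {"tcp/443"},
            "patches": {"KB-EXAMPLE-01"}}
SNAPSHOT = {**BASELINE, "ports": {"tcp/443", "tcp/23"},
            "patches": {"KB-EXAMPLE-01", "KB-EXAMPLE-02"}}
PLANNED = {"CHG-PLACEHOLDER-1": {("patches", "KB-EXAMPLE-02", "added")}}

def check_device(device="hmi-01", baseline=BASELINE, snapshot=SNAPSHOT, planned=PLANNED):
    """Return (approved, unplanned); each unplanned entry is a potential incident."""
    return reconcile(diff_baseline(device, baseline, snapshot), planned)

if __name__ == "__main__":
    approved, unplanned = check_device()
    for d, cid in approved + unplanned:
        print(("approved " if cid else "UNPLANNED") + f" {d.device} {d.item} {d.kind} {d.value}")
```

Running it approves the patch via its planned change and flags the newly listening tcp/23 as an unplanned deviation, which is exactly the "deviation from baseline" case NERC called out.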