Helping Power Plant Control Systems Achieve NERC CIP Compliance

In June 2006, the North American Electric Reliability Council (NERC) standards for Critical Infrastructure Protection (CIP) — Cyber Security were adopted. The roots of these standards can be traced back to the U.S. Energy Policy Act of 2005. In January 2008, the Federal Energy Regulatory Commission (FERC) approved these standards and directed that NERC should enhance and revise them going forward through the NERC standards-making process. Accordingly, in March 2008, NERC began the process of revising the standards in order to comply with the directives in FERC Order 706. Currently, the NERC CIP standards do not apply to facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.

The NERC standards discussed in this article are those specifically referring to cyber security, standard CIP – 005 (Cyber Security for Electronic Security Perimeters) and standard CIP – 007 (Cyber Security for Systems Security Management). The goal of this article is to offer a practical approach to meeting these requirements for facilities’ electric generating units determined to be critical assets with critical cyber assets (CCAs).

Overall, the NERC standards require that CCAs must be protected with an electronic security perimeter (ESP) and a six-walled physical security perimeter (PSP). Noncritical cyber assets within an ESP must receive the same protection under the standards as a CCA.

Standards CIP-005 and CIP-007

As previously stated, the CIP-005 standard requires establishing and documenting an ESP around CCAs, including certain other cyber assets, and the identification of communication penetrations through the perimeter. External access to the cyber assets within the ESP must be controlled, monitored, and logged 24/7 for both routable protocol and dial-up communications.

Where possible, a security-monitoring process is required to detect and alert for attempts at or actual unauthorized access. Where this is not technically feasible, access log review is required at least every 90 days. Note that communication through the ESP using a nonroutable protocol or dedicated telephone lines that are not dial-up accessible does not require monitoring under the standards.

The CIP-007-4 standard requires protection of critical cyber assets, including certain other cyber assets within the ESP (Figure 1).

Figure 1. Lacking cyber safeguards. This diagram shows a critical asset’s control system interconnected with an outside LAN/WAN environment prior to implementation of the NERC CIP cyber security standards’ requirements. Courtesy: Industrial Defender

The protection requirements include, as a minimum:

  • Limiting the Internet protocol (IP) ports and services to only those necessary for operations.

  • Malicious software detection/prevention.

  • Account management controls.

  • Security status monitoring.

  • Security patch management.
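The first requirement in the list, limiting IP ports and services to those needed for operations, is only auditable against a documented baseline. The following added example (not code from the article or from Industrial Defender) parses constructed netstat-style listening-socket output from a historian host and reports anything listening that the host's approved baseline does not justify; the baseline, addresses and port justifications are assumed values.

```python
import re

# Constructed approved baseline for one historian host: (proto, port) -> justification.
APPROVED = {
    ("tcp", 502): "Modbus/TCP polling of PLCs",
    ("tcp", 1433): "historian database used by HMI clients",
    ("tcp", 3389): "remote administration from the ESP jump host only",
}

# Constructed `netstat -tuln`-style output captured from that host.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.10.1.20:1433         10.10.1.10:51022        ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Captures: protocol, local address, local port, optional state column (UDP has none).
LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$"
)


def listening_sockets(text):
    """Return the set of (proto, port) pairs that accept inbound traffic."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        proto, _addr, port, state = m.groups()
        # TCP counts only in LISTEN state; a UDP socket is always reachable.
        if proto == "tcp" and state != "LISTEN":
            continue
        found.add((proto, int(port)))
    return found


def audit(text, approved=APPROVED):
    """Compare what is actually listening with the documented baseline."""
    open_now = listening_sockets(text)
    return {
        # Listening but never justified: disable the service or document it.
        "unjustified": sorted(open_now - set(approved)),
        # Justified but not listening: the baseline itself may be stale.
        "not_listening": sorted(set(approved) - open_now),
    }
```

Here telnet (tcp/23) and SNMP (udp/161) are flagged because nobody recorded a reason for them; the ESTABLISHED line is ignored because it is a client connection, not a listening service.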

A Defense-in-Depth Approach

Hardware and software are available for access control, monitoring, and logging to comply with the CIP-005 and CIP-007 standard requirements. Ideally, a fully unified defense-in-depth approach would provide comprehensive protection through the components described below.

Universal Threat Manager. The universal threat manager (UTM) is an appliance for the perimeter of the ESP. The UTM is a special type of firewall with the added features of stateful packet inspection, network antivirus protection, inline network intrusion detection (NIDS), intrusion prevention system (IPS), and built-in authentication mechanisms. Additionally, a UTM device often is used to establish a "demilitarized zone" or DMZ network, where real-time plant data can be amassed on a server that sits between the process and general networks, allowing general users to get any necessary data without having to directly access a supervisory control and data acquisition (SCADA) system itself.

Network Intrusion Detection System. The network intrusion detection system is a network sensor appliance for detecting attacks, rogue systems, and unauthorized traffic within the user’s network perimeter. The network sensor also detects the addition of new computers to the network — for example, a contractor plugging in a laptop or a new connection to a wireless access point. Because control networks tend to be quite stable, this sensor makes it easy to detect rogue devices being connected.

Host Intrusion Detection System. Host intrusion detection sensors (HIDS) are software sensors that detect control application issues, internal or external intrusions, misuse, and performance bottlenecks on key servers and HMIs. Security sensors are available for Unix, Windows, or Linux operating systems. In addition to specific control applications, the sensors report on platform-specific information such as failed login attempts, password age, logged-in user counts, event log activity, and insertion of removable media.

Secure Line-Sharing Switch. A secure line-sharing switch (SLSS) is an appliance originally designed for the substation environment that can be adapted for monitoring dial-up telephone lines for communication to CCAs that require dial-up.

Security Event Management. The security event management (SEM) console is used for monitoring, control, alarm management, analysis, storage, and reporting of security and performance information. In addition, historical data are captured and used to generate trend graphs, reports, and other data analysis functions (Figure 2).

Figure 2. Control system network architecture. This example illustrates the critical asset’s plant control system after implementation of appliances to meet the NERC CIP cyber security standards’ requirements. Courtesy: Industrial Defender

The Layered Security Strategy

If potential attackers from the outside work their way into the ESP environment, the first component they encounter is the UTM device. The UTM can be used as a traditional firewall for access control, with multi-factor authentication capability, or in "transparency mode," in which routing and network address translation are not active, so that the appliance can be inserted without making changes to the existing network infrastructure.

Moreover, the UTM creates a hardened perimeter at the edge of the ESP; attackers or viruses would first have to get through the UTM without being detected and dropped at the perimeter. The UTM first will filter the attacker session against any existing firewall rules. Next, the antivirus engine will test the payload for malicious code. Then, the intrusion detection system/IPS engine will test the contents against known network-based attack signatures and exploits, and if it still does not match up to anything, the UTM will pass the packet off to the other side of the UTM to be routed inside the SCADA environment. Anything that the UTM detects as out of the ordinary, and any denied attempts, will be logged to the SEM console.

If the packet or the attacker is allowed onto the "safe" side of the firewall, then a NIDS appliance monitoring all network segments watches the network activity in real time for known exploits and signature-based attacks, as well as for port scanning or other activity that would be classified as someone trying to "discover" the network.

The NIDS sensor will not stop the activity, but it will log anything it thinks is abnormal to the SEM console.
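The two NIDS behaviours described above (spotting a device that is not in the baseline of a stable control network, and spotting "discovery" activity such as port scanning) can be illustrated with a small flow analyser. This is an added example, not code from the article or from Industrial Defender; the device baseline, flow records and scan threshold are constructed, and the alerts are returned as records for a SEM console rather than being acted on, matching the observe-and-log role of the sensor.

```python
from collections import defaultdict

# Constructed device baseline for a stable control LAN: MAC -> (expected IP, role).
BASELINE = {
    "00:1a:2b:00:00:01": ("10.10.1.10", "HMI-1"),
    "00:1a:2b:00:00:02": ("10.10.1.20", "historian"),
    "00:1a:2b:00:00:03": ("10.10.1.30", "PLC-A"),
}

# Constructed flow records seen by the sensor: (src_mac, src_ip, dst_ip, dst_port).
FLOWS = [
    ("00:1a:2b:00:00:01", "10.10.1.10", "10.10.1.30", 502),
    ("00:1a:2b:00:00:02", "10.10.1.20", "10.10.1.30", 502),
    ("00:1a:2b:00:00:01", "10.10.1.10", "10.10.1.20", 1433),
    # A laptop that was never baselined, touching several ports on the PLC.
    ("00:1a:2b:00:00:99", "10.10.1.77", "10.10.1.30", 21),
    ("00:1a:2b:00:00:99", "10.10.1.77", "10.10.1.30", 22),
    ("00:1a:2b:00:00:99", "10.10.1.77", "10.10.1.30", 23),
    ("00:1a:2b:00:00:99", "10.10.1.77", "10.10.1.30", 80),
    ("00:1a:2b:00:00:99", "10.10.1.77", "10.10.1.30", 502),
]

SCAN_THRESHOLD = 5  # distinct ports on one target from one source (assumed value)


def analyse(flows, baseline=BASELINE, scan_threshold=SCAN_THRESHOLD):
    """Return SEM alert records; the sensor observes and logs, it never blocks."""
    alerts = []
    reported = set()
    ports_seen = defaultdict(set)  # (src_ip, dst_ip) -> {dst_port}
    for src_mac, src_ip, dst_ip, dst_port in flows:
        entry = baseline.get(src_mac)
        if entry is None:
            key = ("rogue_device", src_mac, src_ip)
        elif entry[0] != src_ip:
            key = ("baseline_mismatch", src_mac, src_ip)  # known device, unexpected address
        else:
            key = None
        if key and key not in reported:  # one alert per device, not one per packet
            reported.add(key)
            alerts.append({"type": key[0], "mac": src_mac, "ip": src_ip})
        ports_seen[(src_ip, dst_ip)].add(dst_port)
        if len(ports_seen[(src_ip, dst_ip)]) == scan_threshold:  # fire once at threshold
            alerts.append({"type": "port_scan", "src": src_ip, "dst": dst_ip,
                           "ports": sorted(ports_seen[(src_ip, dst_ip)])})
    return alerts
```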

If attackers make it through the UTM and onto the network layer undetected, they still must make their way to a target host. The system also monitors the network switches, routers, and network infrastructure for overall bandwidth trends and, though this may not catch the attacks, it will log spikes in network traffic.

Lastly, if the malicious code or attacker makes it through the UTM, past the NIDS undetected, and manages to crawl slowly through the network undetected, then the HIDS sensor will also detect that a new connection request is being made and will send an alert to the SEM console. If the malicious code or attacker attempts to log onto the host or modify any files being watched by the HIDS sensor, this will also trigger an alert to the SEM console. Any execution of programs that are not in the white list of applications also will trigger an alert.
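The host-level conditions listed above (a new connection request, repeated failed logins, modification of a watched file, and execution of a program outside the application white list) map directly onto a small event-processing loop. The following is an added example, not code from the article or from Industrial Defender: it turns constructed host events for an HMI into SEM alert records, and the file paths, white list, known peers and failure threshold are assumed values.

```python
# Constructed host-sensor configuration for one HMI (assumed values).
WATCHED_FILES = {r"C:\SCADA\config\points.db", r"C:\SCADA\bin\hmi.exe"}
ALLOWED_PROGRAMS = {"hmi.exe", "historianclient.exe", "svchost.exe"}  # application white list
KNOWN_PEERS = {"10.10.1.20", "10.10.1.30"}  # hosts that normally connect to this HMI
FAILED_LOGIN_THRESHOLD = 3

# Constructed host events in arrival order: (time, kind, detail).
EVENTS = [
    ("09:00:01", "login_failed", "operator"),
    ("09:00:05", "login_failed", "operator"),
    ("09:00:09", "login_failed", "operator"),
    ("09:00:20", "login_ok", "operator"),
    ("09:01:00", "connection", "10.10.1.30"),
    ("09:01:05", "connection", "10.10.1.77"),
    ("09:01:30", "exec", "Updater_Tmp.exe"),
    ("09:02:00", "file_modified", r"C:\SCADA\config\points.db"),
    ("09:03:00", "exec", "hmi.exe"),
    ("09:03:10", "file_modified", r"C:\SCADA\logs\today.log"),
]


def host_sensor(events, *, watched=WATCHED_FILES, allowed=ALLOWED_PROGRAMS,
                peers=KNOWN_PEERS, threshold=FAILED_LOGIN_THRESHOLD):
    """Turn raw host events into SEM alert records."""
    alerts = []
    failures = {}  # account -> consecutive failed logins

    def alert(time, kind, detail):
        alerts.append({"time": time, "alert": kind, "detail": detail})

    for time, kind, detail in events:
        if kind == "login_failed":
            failures[detail] = failures.get(detail, 0) + 1
            if failures[detail] == threshold:  # alert once when the threshold is reached
                alert(time, "repeated_failed_logins", detail)
        elif kind == "login_ok":
            failures.pop(detail, None)  # a successful login resets the counter
        elif kind == "connection" and detail not in peers:
            alert(time, "new_connection_request", detail)
        elif kind == "exec" and detail.lower() not in allowed:
            alert(time, "program_not_in_white_list", detail)
        elif kind == "file_modified" and detail in watched:
            alert(time, "watched_file_modified", detail)
    return alerts
```

Note that the ordinary log file change at 09:03:10 and the connection from the historian produce no alerts; only deviations from the documented baseline reach the console.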

Additional Monitoring Requirements

As noted earlier, access to the cyber assets within the ESP must be controlled, monitored, and logged 24/7, year-round, for both routable-protocol (such as IP) and dial-up communications.

Although plants need to evaluate these requirements individually and determine the appropriate security-monitoring process or processes, third-party 24/7 monitoring services are commercially available to assist with compliance.

Looking Ahead

A great deal of work needs to be done in order to implement a successful program to comply with the NERC CIP cyber security standards. That being said, technical solutions do exist to support realistic compliance with the CIP-005 and CIP-007 standards.

It is important to remember that although each generating plant’s configuration of cyber assets is unique, available hardware and software appliances can be assembled to meet specific needs. Ultimately, they can provide a scalable, defense-in-depth approach to meet the CIP-005 and CIP-007 requirements for monitoring, logging, and access control to an electronic security perimeter and the cyber assets that must be protected under these standards.

— Jonathan Pollet is vice president of North American operations and Walter Sikora is vice president of security services at Industrial Defender. James Batug is the engineering manager at PPL Generation. For more information, go to www.industrialdefender.com.