NERC CIP Standards Increase the Requirements for Threat Visibility and Detection for Critical Infrastructure
NERC CIP standards include regulatory elements that make collecting and archiving network traffic more important than ever.
In the US, President Biden signed the $1.5T omnibus spending bill on March 15, 2022, which requires Critical Infrastructure providers and federal agencies to promptly report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA). Not knowing you’ve been hacked is no longer a free pass to avoid reporting that you’ve been hacked. It’s more likely the ticket to large fines and bad press — both undesirable side effects that can be avoided through the visibility that TAPs provide.
Grid modernization has created an explosion of network-connected equipment, exposing utilities to a wide range of potential threats from nation states, criminals, disgruntled employees, and accidental misconfiguration (which happens far more often than you may think). These new network connections from supervisory control and data acquisition (SCADA) equipment and other devices expose previously air-gapped industrial control systems to the internet … and to hackers.
The energy sector is particularly vulnerable to cyberattack because its core cybersecurity strategies have grown outdated: switched port analyzer (SPAN) ports that send a mirrored copy of network traffic to security analysis systems, and physical air gapping that separates an Operational Technology (OT) network from the rest of the enterprise (IT) network.
Critical Infrastructure Standards Emerge
Critical infrastructure operators will be expected to deploy threat visibility and detection technologies to support their incident response and recovery capabilities, as well as provide greater information sharing potential. It’s one of several recent motions from the United States federal government to address: 1) threat detection and monitoring; 2) incident response and recovery; 3) information sharing; and 4) supply chain security. The Energy Sector is already subject to multiple North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, so this isn’t unexpected.
NERC is a regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC’s jurisdiction includes users, owners, and operators of the Bulk Electric System, which serves nearly 400 million people.
NERC CIP standards include regulatory elements that make collecting and archiving network traffic more important than ever. These standards require utilities to monitor network traffic data at the control center, the plant, and the substation. Utilities are subject to regular NERC compliance audits and must also regularly conduct vulnerability assessments.
Network TAPs vs SPANs
Threat detection and monitoring begins with the addition of network test access points (TAPs) in power plants and substations at multiple levels of a SCADA network. TAPs give OT personnel and IT network managers secure and ready access to data from critical infrastructure systems without adding to the compliance footprint or requiring network changes. TAPs provide a vital, non-invasive, network-friendly means to monitor and examine large quantities of network traffic. Unlike SPAN ports, TAPs present no load on the network, ensure that no packets are dropped, no changes occur to the timing of frame interactions, and valuable resources are not wasted examining duplicate packets.
Once TAPs are installed, network packet brokers can capture, filter, aggregate, regenerate and efficiently route network traffic to security tools for inspection and incident response, creating a tightly integrated, compliant security solution for utilities. Systems that capture all network packets (not just representative sample data) create a complete historical archive of the required data to meet strict NERC audit requirements.
Quick Guide to NERC CIP Standards
The NERC Critical Infrastructure Protection (CIP) standards include regulatory elements that make collecting and archiving network traffic more important than ever before.
NERC CIP-007-6 R1.1 requires constant monitoring of the network. Entities are required to provide listings of allowed ports and services for each device on the network and to show that they know what is permitted and what is in use.
What it means: Network TAPs send copies of network packets for inspection as a best practice. SPAN ports are not reliable under attack: when malware floods the switch, the SPAN port drops traffic, while TAPs are not hindered by the excess load. Using TAPs to route all network traffic to anti-malware assets for rapid examination is a highly effective way to show full compliance with CIP-007-6. TAPs also aid in detecting east/west malicious code, especially where malware protection software cannot be installed on purpose-built industrial control devices.
NERC CIP-007-6 R4.1 requires entities to demonstrate that they have viable and meaningful event logging measures. Event log data is typically sent over the network to a syslog server (or similar) where the data is evaluated and stored.
What it means: TAPs help ensure full compliance with CIP-007-6 R4.1 since all network traffic is captured under all conditions and no event log data is lost due to network flooding, switch problems, or malicious activity. In addition, TAP data can be readily used by the SIEM to determine failed network access attempts, and/or identify unauthorized devices that might connect and disconnect from the network.
NERC CIP-007-6 R4.2 requires entities to show that alerts are generated for at least detected malicious code and failure of event logging.
What it means: TAPs take the switch out of the detection path (no SPAN port needed), which ensures that no alerts are missed. A TAP also removes the possibility that the switch configuration was modified by an attacker (which they might do to cover their tracks) or misconfigured during legitimate testing or configuration changes.
NERC CIP-009-6 R1.5 requires that network data be available and always processed regardless of the operational status of switches, and requires utilities to preserve data from cyber security incidents.
What it means: TAPs ensure that utilities capture all the data, all of the time, no matter the processing load on the switch, whereas SPAN ports can drop data when under attack.
NERC CIP-010-3 R1.3 requires utilities to update their baseline configuration data within 30 calendar days of implementing a change. New devices that remain activated for more than 30 calendar days may result in violations.
What it means: TAPs ensure a consistent flow of network data to analysis equipment and don’t need to go through configuration change control processes when new devices are activated. In contrast, SPAN ports require reprogramming with device changes.
The new connected environment between critical infrastructure OT networks and IT networks makes TAPs and network packet brokers essential for maintaining visibility into these networks and ensuring their security. New government regulations require Critical Infrastructure providers and federal agencies to promptly report cyber attacks.
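The requirements above boil down to three questions a monitoring system fed by a TAP has to answer continuously: is each device using only the ports and services in its baseline (CIP-007-6 R1.1), has any device stopped sending event logs (CIP-007-6 R4.2), and has a new device been active longer than the 30-day window for updating the baseline (CIP-010-3 R1.3)? The script below is an added example written for this article, not code from the article’s author or from any TAP or packet broker vendor. The flow records, the allowed-services baseline, the host addresses and the timestamps are all constructed; in practice the flows would come from a probe on the TAP output and the baseline from the entity’s change-controlled records.

```python
"""Baseline and logging checks over flow records captured from a network TAP.

Added example. All data below is constructed for illustration.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# One summarized flow as a TAP-fed probe might emit it (constructed schema).
Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed allowed-services baseline (CIP-007-6 R1.1): device -> the
# (protocol, port) pairs it is permitted to serve. An empty set means the
# device may originate traffic but should not be serving anything.
ALLOWED_SERVICES = {
    "10.1.0.10": {("tcp", 502)},    # PLC: Modbus/TCP only
    "10.1.0.20": {("tcp", 20000)},  # RTU: DNP3 only
    "10.1.0.30": set(),             # HMI: client only
    "10.1.0.50": {("udp", 514)},    # syslog collector
}
SYSLOG_COLLECTOR = "10.1.0.50"
# Hosts expected to ship event logs to the collector (CIP-007-6 R4.1); constructed.
LOGGING_HOSTS = {"10.1.0.10", "10.1.0.20", "10.1.0.30"}

# Constructed flow records seen on the TAP, evaluated at NOW.
NOW = datetime(2022, 5, 20, 12, 0)
FLOWS = [
    Flow(datetime(2022, 5, 20, 11, 58), "10.1.0.30", "10.1.0.10", "tcp", 502),
    Flow(datetime(2022, 5, 20, 11, 59), "10.1.0.30", "10.1.0.10", "tcp", 23),     # telnet to PLC: not in baseline
    Flow(datetime(2022, 5, 20, 11, 59), "10.1.0.30", "10.1.0.20", "tcp", 20000),
    Flow(datetime(2022, 4, 10, 9, 0), "10.1.0.99", "10.1.0.10", "tcp", 502),      # unknown device, first seen 40 days ago
    Flow(datetime(2022, 5, 20, 11, 50), "10.1.0.99", "10.1.0.10", "tcp", 502),
    Flow(datetime(2022, 5, 20, 11, 57), "10.1.0.10", SYSLOG_COLLECTOR, "udp", 514),
    Flow(datetime(2022, 5, 20, 11, 57), "10.1.0.30", SYSLOG_COLLECTOR, "udp", 514),
    Flow(datetime(2022, 5, 20, 9, 0), "10.1.0.20", SYSLOG_COLLECTOR, "udp", 514),  # RTU logs stopped 3 hours ago
]


def unauthorized_services(flows, allowed):
    """Services observed on baselined devices that the baseline does not permit (R1.1)."""
    hits = set()
    for f in flows:
        if f.dst in allowed and (f.proto, f.dport) not in allowed[f.dst]:
            hits.add((f.dst, f.proto, f.dport))
    return hits


def first_seen_unknown(flows, allowed):
    """Devices absent from the baseline, with the earliest time the TAP saw them."""
    seen = {}
    for f in flows:
        for host in (f.src, f.dst):
            if host not in allowed:
                seen[host] = min(seen.get(host, f.ts), f.ts)
    return seen


def baseline_overdue(first_seen, now, window_days=30):
    """Unknown devices active longer than the CIP-010-3 R1.3 30-calendar-day window."""
    limit = timedelta(days=window_days)
    return sorted(host for host, ts in first_seen.items() if now - ts > limit)


def logging_gaps(flows, hosts, collector, now, max_gap=timedelta(hours=1)):
    """Hosts whose syslog traffic has stopped: input for the R4.2 logging-failure alert."""
    last = {}
    for f in flows:
        if f.dst == collector and f.dport == 514 and f.src in hosts:
            last[f.src] = max(last.get(f.src, f.ts), f.ts)
    return sorted(h for h in hosts if h not in last or now - last[h] > max_gap)


def compliance_report(flows, now):
    """Run all checks and return the findings as one dictionary."""
    unknown = first_seen_unknown(flows, ALLOWED_SERVICES)
    return {
        "unauthorized_services": sorted(unauthorized_services(flows, ALLOWED_SERVICES)),
        "unknown_devices": sorted(unknown),
        "baseline_overdue": baseline_overdue(unknown, now),
        "logging_gaps": logging_gaps(flows, LOGGING_HOSTS, SYSLOG_COLLECTOR, now),
    }


if __name__ == "__main__":
    for check, findings in compliance_report(FLOWS, NOW).items():
        print(f"{check}: {findings}")
```

On the constructed data the report flags the telnet session to the PLC as an unauthorized service, 10.1.0.99 as an unknown device that has now been active past the 30-day window, and the RTU as a host whose event logs have stopped. The point of running these checks on TAP output rather than a SPAN port is the one the article makes: the checks are only as good as the completeness of the flow records, and a logging-gap alert built on a feed that itself drops packets under load cannot tell a silent device from a saturated switch.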
Callout: TAPs vs SPAN Ports
TAPs (like telephone tapping, except for your network) are hardware devices built with a single purpose: to securely direct bulk network data to security analysis systems while preserving network uptime. You’ll want TAPs that are air gapped, so that an attacker cannot use the TAP as a path into the network. TAPs are what you need to ensure that you meet NERC CIP compliance at all times, especially while your network is under attack.
Switched Port Analyzer (SPAN) or mirror ports are simply dedicated ports on a network switch that forward copies of traffic for analysis. They are not single-purpose devices, and mirroring is not the primary purpose of a network switch. SPAN ports cannot be air gapped. SPAN ports on overloaded switches are not a fail-safe method to ensure you meet NERC CIP compliance.