By Nick Milam, Director of Operational Technology
Posted September 29, 2021
Energy companies and utilities are integral to the security of the United States’ power infrastructure. When their systems fail, the damage can be massive and substantially more impactful than a typical power outage during extreme weather.
Additionally, in today’s Internet of Things (IoT) age, the electrical grid is exposed to remote entities for monitoring and control. As a result, our national infrastructure is more vulnerable to domestic and foreign entities than most truly understand.
Enter North American Electric Reliability Corporation (NERC) – specifically NERC CIP (Critical Infrastructure Protection). NERC CIP serves as a critical set of standards to ensure electronic and physical security of the bulk power system, more commonly known as the grid.
NERC has been around since the early 1960s and is in charge of maintaining the operations and functions of our electric grid. The CIP compliance framework was developed in 2008 to mitigate cybersecurity attacks on the grid. NERC’s standards for governing critical infrastructure apply to entities that “materially impact” the reliability of the bulk power system. These entities include owners, operators and users of any portion of the system. Penalties for non-compliance with NERC CIP can include fines, sanctions or other actions.
Under NERC CIP, power systems are required to identify critical assets and to perform a risk analysis of these assets on a regular basis. Strict policies for monitoring, modifying, and accessing assets must be defined and enforced. NERC CIP also requires the use of firewalls and cyber-attack monitoring tools. Generators and asset owners must continually assess their resources and understand how many threats they received, how the threats were mitigated, and what types of threats they have seen. In addition, they are required to have comprehensive contingency plans for cyber-attacks, natural disasters and other events that can impact the grid.
According to NERC: “Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System (BES).”
Comprehensive documentation detailing all the assets you need to protect is critical to mitigating risk. If you don’t know what you have in the field, you can’t be sure that you’re protecting it all.
CIP-003-7 requires generators and asset owners to “specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems…” Under this standard, asset owners must develop a comprehensive security control plan.
CIP-007-6 calls on operators “to manage system security by specifying select technical, operations, and procedural requirements in support of protecting BES Cyber Systems against compromise…”
In other words, understanding what you have, putting plans in place to protect the assets, and assessing vulnerability regularly is critical to NERC compliance and running a secure renewables power plant.
Risk Management and Access Control
Risk and access control are also critical components for secure renewables power plant operations. Once you’ve catalogued and assessed all applicable assets, you must now ensure that access to them is secure. This includes risk-mitigation strategies at the personnel, physical and electronic levels.
Ensure you have a personnel risk assessment program that is documented in accordance with all relevant employment laws. Assessment should be done prior to allowing access to any critical cyber systems and should be repeated every seven years. The assessment must include both identity verification and a criminal background check.
Similarly, you will want a clear process for authorizing access and managing who has it. This program should encompass both electronic and physical access. Documentation of authorization materials should be checked and updated quarterly; in the case of electronic access, all groups and categories should be confirmed and updated every 15 months.
You should also have a comprehensive plan in place for revocation of access privileges. There are a host of reasons for removing access: termination, reassignment, transfer, redundancy, retirement, death. In the case of a termination, you must ensure that access is removed as soon as possible – within 24 hours.
The Merit Approach to Secure Renewables Power Plant Operations
As inverter manufacturers work to strengthen security directly within the inverter’s communication board, Merit Controls provides added protection through the power plant controller (PPC) to create further safeguards. These features include intrusion alarms, access control, and separate IP addresses for individual devices.
Our NERC compliance and cybersecurity specialists can help you assess and improve your renewables power plant operations to conform with – and exceed – NERC standards. Contact us today to discuss how we can help.