

Prayukth K V
20 June 2025
How to conduct a NERC-CIP-based risk assessment for a substation
A comprehensive assessment of a substation's cybersecurity posture against the NERC Critical Infrastructure Protection (CIP) standards, covering gaps and opportunities for improvement, helps secure the facility and raises the overall security level that an IEC 62443-based risk assessment would measure.
What is the NERC CIP Assessment Methodology for a substation?
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are a set of requirements designed to secure the bulk electric system (BES) of North America from cyber and physical threats.
For substations, which are vital components of the BES, a robust security risk assessment against these standards is not merely a compliance checklist exercise but a critical step in ensuring grid reliability and resilience. In this piece, we share some details on a comprehensive methodology developed by Shieldworkz for conducting a NERC CIP assessment for a substation, encompassing planning, execution, analysis, and reporting phases.
Pre-assessment planning and scope definition
The success of a NERC CIP risk assessment hinges on planning at a granular level. This initial phase defines the scope, resources, and stakeholder involvement.
Key stakeholder tagging and engagement:
Key stakeholders at the substation include operations personnel, IT/OT cybersecurity teams, NERC CIP compliance officers, physical security personnel, vendor and OEM personnel and potentially legal counsel. Early engagement with clear expectations ensures buy-in, facilitates information sharing, and clarifies responsibilities. A NERC CIP assessment kick-off meeting should be held to outline the assessment's objectives, scope, timeline, and expected outcomes. Effort should also be made to impress upon all stakeholders the necessity of the exercise and its outcomes.
Identification of in-scope assets (BES Cyber Systems and BES Cyber Assets):
The cornerstone of a NERC CIP assessment is accurately identifying and documenting the in-scope assets. This involves:
· BES Cyber Systems (BCS): These are logical groupings of one or more BES Cyber Assets (BCA) that together perform a BES function. Examples in a substation include the local SCADA/gateway system that interfaces to the control centre EMS, Remedial Action Schemes (RAS), and Protection Systems.
· BES Cyber Assets (BCA): These are Cyber Assets (programmable electronic devices, including the hardware, software and data in them) that, if rendered unavailable, degraded or misused, would adversely impact the reliable operation of the BES within 15 minutes. In a substation this includes Intelligent Electronic Devices (IEDs) such as relays, RTUs, PLCs, communication processors, firewalls, routers, and associated servers and workstations. A detailed inventory, including device type, manufacturer, model, firmware version, end-of-life status and network connectivity, is essential. In most cases this step requires physically walking down the substation and tracing network connections, because drawings and the network management system rarely agree with what is actually cabled.
Determination of Impact Ratings (CIP-002):
Each identified BCS must be assigned an impact rating (High, Medium, or Low) based on its potential to affect the reliable operation of the BES if compromised. This is a crucial step because the set of CIP requirements that apply depends on the impact rating (Low impact BCS, for example, are covered largely by CIP-003 rather than by the full CIP-004 to CIP-011 set). The criteria for these ratings are defined in CIP-002 Attachment 1. For a substation, BCS will fall into the Medium or Low impact categories depending on the Attachment 1 criteria, such as the voltage level and the facilities the station interconnects; the High impact criteria in Attachment 1 apply to Control Centers, not to substations. Every rating should be documented with the criterion that justifies it, and where a determination is contested the conservative choice is the higher rating.
Selection of applicable NERC CIP standards:
Based on the BCS identified and assigned impact rating, the specific NERC CIP standards that apply to the substation must be determined. This typically includes:
· CIP-002: Cyber Security – BES Cyber System Categorization
· CIP-003: Cyber Security – Security Management Controls
· CIP-004: Cyber Security – Personnel and Training
· CIP-005: Cyber Security – Electronic Security Perimeters
· CIP-006: Cyber Security – Physical Security of BES Cyber Systems
· CIP-007: Cyber Security – System Security Management
· CIP-008: Cyber Security – Incident Reporting and Response Planning
· CIP-009: Cyber Security – Recovery Plans for BES Cyber Systems
· CIP-010: Cyber Security – Configuration Change Management and Vulnerability Assessments
· CIP-011: Cyber Security – Information Protection
· CIP-013: Cyber Security – Supply Chain Risk Management (applies to procurement of High and Medium impact BCS and, in the current version, their associated EACMS and PACS, so it is most relevant for new installations or major upgrades)
· CIP-014: Physical Security (applies only to Transmission stations and substations that the Transmission Owner's CIP-014 R1 risk assessment identifies as critical, a determination that is independently verified under R2)
Selecting the right NERC CIP assessment vendor
The assessment vendor should field individuals with expertise in cybersecurity, operational technology (OT), network engineering, physical security, and NERC CIP compliance down to the individual requirement and part. They should also possess specialised tools for network discovery, vulnerability assessment, and configuration comparison where these are required. Vendors whose teams have conducted both NERC CIP and IEC 62443 based assessments, such as Shieldworkz, can be preferred.
Development of a comprehensive assessment plan
A detailed plan outlining the schedule, responsibilities, data collection methods (e.g., interviews, documentation review, technical testing), and reporting format should be developed by the NERC CIP assessment vendor and agreed upon by all stakeholders.
Data collection and technical assessment execution
This phase involves gathering evidence, checking documentation and performing technical checks to validate compliance with the applicable CIP standards.
Documentation review:
A thorough review of existing documentation across operations is essential. This includes:
· Policies and procedures: Security policies, incident response plans, access control procedures, privilege levels, session management information, configuration management plans, training records, visitor logs, end-of-life and maintenance records.
· Network diagrams: Logical and physical network diagrams illustrating connections between IT and OT networks, degree of segmentation, presence of a DMZ, firewall rules, and communication pathways.
· Asset inventories: Detailed lists of hardware and software with version numbers and patch status.
· Architectural designs: System designs, including security architecture, segmentation, and encryption mechanisms.
· Previous audit reports: Any findings, observations, OFIs or recommendations from prior NERC CIP audits or internal assessments.
· Details of previous incidents, including the CIP-008 reports and lessons learned
· Training records for key personnel (CIP-004)
Interviews with personnel:
Conduct structured interviews with relevant personnel to understand their roles, responsibilities, and adherence to established policies and procedures. This includes:
· Operations personnel: To understand daily operations, access practices, and incident handling.
· IT/OT Security Personnel: To discuss security controls, monitoring, and incident response.
· Physical Security Personnel: To understand physical access controls and surveillance.
· Vendors with access to various parts of the substation
· OEM personnel, particularly those holding remote access or maintenance accounts
Technical verification and testing:
Electronic Security Perimeter (CIP-005):
· Firewall rule review: Examine the firewall configurations at each Electronic Access Point (EAP) of the electronic security perimeter (ESP) to establish what traffic could actually reach the BES Cyber Systems if an external host were compromised. This involves reviewing ingress/egress rules, service ports, and source/destination IP addresses, and confirming that every permitted flow has a documented reason and that everything else is denied by default, as CIP-005 R1 Part 1.3 requires.
· Network segmentation validation: Verify the effectiveness of network segmentation between the BES Cyber Systems and corporate/untrusted networks by port scanning from the untrusted side and by network traffic analysis inside the ESP; the scan results should match the rule review, and any reachable service the ruleset does not explain is a finding.
· Vulnerability scanning: Conduct authenticated and unauthenticated vulnerability scans of devices within the ESP, including routers, switches, servers, and workstations, to identify known vulnerabilities such as weak configurations and unpatched software. Active scanning of IEDs and other embedded devices can disrupt or crash them, so scan them only with operations approval, during an outage or maintenance window, or against a representative test system, and rely on passive discovery and configuration review for the rest.
· Intrusion detection/prevention system (IDS/IPS) review: Verify that IDS/IPS sensors see the traffic that matters (EAP and intra-ESP segments), that signatures are up to date, and that alerts are being monitored and responded to. Check for false positives and other issues that may delay response to an incident.
· Remote access controls: Test Interactive Remote Access paths to confirm that they terminate on an Intermediate System outside the ESP rather than directly on a BES Cyber Asset, and that multi-factor authentication, strong encryption and least-privilege access are enforced, as CIP-005 R2 requires.
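The rule review above can be turned into a repeatable check. The following script is an added example and is not Shieldworkz code; the address plan (an ESP at 10.20.0.0/24, an Intermediate System at 10.30.0.5, a corporate range at 192.168.0.0/16) and the ruleset are constructed for a hypothetical substation, and real ACLs would first have to be exported and normalised into the Rule shape used here. It flags the CIP-005 R1 problems an assessor looks for first: permits into the ESP from any source, corporate hosts reaching the ESP without passing through the Intermediate System, broad port ranges, cleartext management protocols, permissions with no documented reason, and a ruleset with no explicit default deny.

```python
"""Review an Electronic Security Perimeter ruleset against CIP-005 R1 expectations.

Added example, not Shieldworkz code. The address plan and the rules are
constructed for a hypothetical substation; real firewall ACLs must first be
exported and normalised into the Rule shape used here.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed (hypothetical) address plan for the example substation.
ESP = ip_network("10.20.0.0/24")          # BES Cyber Systems behind the EAP
CORPORATE = ip_network("192.168.0.0/16")  # corporate/untrusted side
# The Intermediate System for remote access is assumed to sit at 10.30.0.5 in a DMZ.

CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    ports: str    # "any", a single port, or "lo-hi"
    reason: str   # documented need for the permission (CIP-005 R1 Part 1.3)


def _net(value):
    return None if value == "any" else ip_network(value)


def _port_span(ports):
    if ports == "any":
        return 0, 65535
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo)


def review_rule(rule):
    """Return the list of findings for one permit rule (deny rules produce none)."""
    findings = []
    if rule.action != "permit":
        return findings
    src, dst = _net(rule.src), _net(rule.dst)
    lo, hi = _port_span(rule.ports)
    into_esp = dst is None or dst.subnet_of(ESP)
    if into_esp and src is None:
        findings.append("permits traffic into the ESP from any source")
    elif into_esp and src.subnet_of(CORPORATE):
        findings.append("corporate network reaches the ESP directly, bypassing the Intermediate System")
    if rule.ports == "any" or hi - lo >= 100:
        findings.append(f"broad port range ({rule.ports})")
    elif rule.proto in ("tcp", "any"):
        for port, svc in CLEARTEXT_MGMT_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"cleartext management protocol {svc}/{port}")
    if not rule.reason.strip():
        findings.append("no documented reason for the permission (CIP-005 R1 Part 1.3)")
    return findings


def review_ruleset(rules):
    """Findings per rule, plus a 'ruleset' entry for the missing default-deny check."""
    report = {r.name: review_rule(r) for r in rules}
    last = rules[-1] if rules else None
    default_deny = (last is not None and last.action == "deny"
                    and (last.src, last.dst, last.ports) == ("any", "any", "any"))
    report["ruleset"] = [] if default_deny else ["no explicit default-deny rule at the end of the ruleset"]
    return report


# Constructed ruleset for the hypothetical EAP (first match wins, as on most firewalls).
SAMPLE_RULES = [
    Rule("r1", "permit", "10.30.0.5/32", "10.20.0.0/24", "tcp", "22", "Intermediate System SSH to relays"),
    Rule("r2", "permit", "10.40.0.10/32", "10.20.0.0/24", "tcp", "20000", "Control centre DNP3 polling"),
    Rule("r3", "permit", "192.168.10.0/24", "10.20.0.0/24", "tcp", "23", ""),
    Rule("r4", "permit", "any", "any", "any", "any", "temporary troubleshooting"),
    Rule("r5", "deny", "any", "any", "any", "any", "default deny"),
]

if __name__ == "__main__":
    for name, findings in review_ruleset(SAMPLE_RULES).items():
        print(name, findings or "ok")
```

Rule r3 is the kind of finding that surfaces in almost every first assessment: a corporate segment talking Telnet straight to relays with no recorded justification. Rule r4 shows why order matters; a "temporary" any/any permit placed above the default deny makes the deny irrelevant, and the ruleset-level check only passes when that permit is removed.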
Physical security (CIP-006):
· Physical access control system review: Inspect access control systems (card readers, biometric scanners, door controllers) for proper functionality and configuration. Review access logs to ensure only authorized personnel gain entry and that the log retention meets the standard.
· Surveillance system verification: Confirm that CCTV cameras cover critical entry points and sensitive areas, and that recordings are stored securely and for the required duration.
· Intrusion Detection Systems (IDS): Verify the functionality and coverage of physical IDS such as motion sensors, door contacts.
· Visitor escort procedures: Observe or interview personnel regarding the adherence to visitor escort policies.
· Physical barrier inspection: Assess the integrity of fences, gates, and building perimeters.
· Probable breach scenarios: Walk through likely breach scenarios (for example tailgating at a staffed gate or an unalarmed control house door) and confirm that the controls above would detect, delay and record them.
System Security Management (CIP-007):
· Configuration review: Examine configurations of operating systems, applications, and network devices for adherence to security baselines (e.g., disabling unnecessary services, strong password policies, account lockout settings). This can involve automated configuration compliance tools.
· Patch management status verification: Confirm that a robust patch management process is in place and being followed for all BES Cyber Assets, including regular scanning for missing patches and timely application of security updates.
· Malware protection: Verify the deployment and currency of anti-malware solutions on all applicable systems.
· Event logging and monitoring: Review system logs (e.g., firewall, server, application, and the security information and event management (SIEM) system) for evidence of unauthorized activity, failed login attempts, and system errors. CIP-007 R4 requires, at minimum, that successful logins, failed access and login attempts, and detected malicious code are logged, so check those event types are actually being generated by every BCA that can generate them. Assess the effectiveness of log monitoring and alert generation, and whether the periodic log reviews the standard calls for are happening and recorded.
· Account management: Review user accounts for proper provisioning/deprovisioning, password complexity, shared and default accounts, and least-privilege enforcement. Sample user accounts and trace each back to an authorization record and to the CIP-004 training and personnel risk assessment records to verify adherence to policy.
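As an added illustration of the log review step (this is example code, not Shieldworkz's tooling), the script below parses constructed syslog-style lines from a hypothetical jump host and applies the simplest detection an assessor wants to see working in the SIEM: a burst of failed logins for one account from one source inside a short window, and a successful login from that same pair while the burst is still recent. The log lines, host names and addresses are all invented for the example; a real review would run the same logic over the SIEM export or the device's own security log.

```python
"""Flag failed-login bursts in CIP-007 R4 event logs.

Added example, not Shieldworkz code. The log lines are constructed to look
like OpenSSH syslog output from a hypothetical jump host; the host names,
accounts and addresses are invented for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures then a success for "operator" from one
# source in under 30 seconds, and an unrelated single failure for "svc_backup".
SAMPLE_LOGS = """\
2025-06-12T02:14:05Z jumphost sshd[811]: Failed password for operator from 192.168.44.9 port 51002 ssh2
2025-06-12T02:14:09Z jumphost sshd[811]: Failed password for operator from 192.168.44.9 port 51003 ssh2
2025-06-12T02:14:13Z jumphost sshd[811]: Failed password for operator from 192.168.44.9 port 51004 ssh2
2025-06-12T02:14:18Z jumphost sshd[811]: Failed password for operator from 192.168.44.9 port 51005 ssh2
2025-06-12T02:14:22Z jumphost sshd[811]: Failed password for operator from 192.168.44.9 port 51006 ssh2
2025-06-12T02:14:30Z jumphost sshd[811]: Accepted password for operator from 192.168.44.9 port 51007 ssh2
2025-06-12T07:01:11Z jumphost sshd[902]: Failed password for svc_backup from 10.30.0.5 port 40001 ssh2
2025-06-12T07:55:40Z jumphost sshd[903]: Accepted publickey for svc_backup from 10.30.0.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(lines):
    """Return the successful and failed login events (CIP-007 R4 Part 4.1) in time order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event; other R4 event types are handled elsewhere
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one (account, source) pair fails `threshold` times inside `window`,
    and again if that pair then logs in successfully while the burst is still recent."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps inside the window
    for e in events:
        key = (e["user"], e["src"])
        hits = [t for t in recent_failures[key] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            hits.append(e["ts"])
            if len(hits) == threshold:  # fire once per burst, not on every later failure
                alerts.append({"type": "failed-login-burst", "user": e["user"],
                               "src": e["src"], "host": e["host"], "at": e["ts"]})
        elif len(hits) >= threshold:
            alerts.append({"type": "success-after-burst", "user": e["user"],
                           "src": e["src"], "host": e["host"], "at": e["ts"]})
        recent_failures[key] = hits
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS.splitlines())):
        print(alert)
```

The "success-after-burst" alert is the one worth escalating during an assessment: it is the difference between a mistyped password and a guessed one, and the log review should show that the operations team already has a rule of this shape (or an equivalent account lockout) rather than relying on someone reading raw logs.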
Configuration change management and vulnerability assessments (CIP-010):
· Change management process assessment: Verify that a formal change management process exists for all changes to BES Cyber Systems, including documentation, testing, and approval.
· Baseline configuration verification: Compare current configurations against established secure baselines to identify unauthorized changes. Automated tools are highly effective here.
· Vulnerability assessment and management program review: Assess the frequency, scope, and remediation effectiveness of the organization's vulnerability assessment program for BES Cyber Systems. CIP-010 R3 requires an assessment at least once every 15 calendar months, so check that the last one is within that window, what it covered, how quickly identified vulnerabilities are mitigated or patched, and that records exist for each step.
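The configuration review under CIP-007 and the baseline verification under CIP-010 are usually done with the same comparison, so one added example serves both (this is illustration code, not Shieldworkz's tooling). The baseline elements follow CIP-010 R1 Part 1.1 (operating system or firmware, commercially available software, custom software, logically accessible network ports, and applied security patches); the two assets, their baselines, the current snapshot and the approved-change list are constructed and hypothetical. A deviation is anything in the current configuration that is neither in the baseline nor covered by an approved change record, which is exactly the question an assessor asks of every sampled asset.

```python
"""Compare BES Cyber Asset configurations with their CIP-010 R1 baselines.

Added example, not Shieldworkz code. Baselines, the current snapshot and the
approved-change list are constructed for two hypothetical assets; in practice
the snapshot comes from a configuration export or collector and the baseline
and change records from the change-management system.
"""

# CIP-010 R1 Part 1.1 baseline elements (paraphrased from the standard).
BASELINE_ELEMENTS = ("os_firmware", "commercial_software", "custom_software", "ports", "patches")

# Constructed baselines for two hypothetical assets.
BASELINE = {
    "RTU-01": {
        "os_firmware": "VendorOS 4.2.1",
        "commercial_software": {"dnp3-gateway 3.1"},
        "custom_software": {"point-map-v7"},
        "ports": {"tcp/22", "tcp/20000"},
        "patches": {"VOS-2024-003"},
    },
    "RELAY-02": {
        "os_firmware": "RelayFW 6.0",
        "commercial_software": set(),
        "custom_software": {"iec61850-scl-v3"},
        "ports": {"tcp/102"},
        "patches": set(),
    },
}

# Constructed current snapshot: RTU-01 gained an approved patch and an
# unapproved Telnet port; RELAY-02 had its firmware changed and a custom
# configuration package removed, neither of them through change management.
CURRENT = {
    "RTU-01": {
        "os_firmware": "VendorOS 4.2.1",
        "commercial_software": {"dnp3-gateway 3.1"},
        "custom_software": {"point-map-v7"},
        "ports": {"tcp/22", "tcp/20000", "tcp/23"},
        "patches": {"VOS-2024-003", "VOS-2025-001"},
    },
    "RELAY-02": {
        "os_firmware": "RelayFW 6.1",
        "commercial_software": set(),
        "custom_software": set(),
        "ports": {"tcp/102"},
        "patches": set(),
    },
}

# Changes approved through the CIP-010 R1 Part 1.2 process (constructed):
# (asset, element, kind, item) where kind is "added", "removed" or "changed".
APPROVED_CHANGES = {
    ("RTU-01", "patches", "added", "VOS-2025-001"),  # hypothetical ticket CHG-118
}


def diff_asset(name, baseline, current, approved=APPROVED_CHANGES):
    """List every deviation from the baseline that no approved change explains."""
    deviations = []

    def record(element, kind, item):
        if (name, element, kind, item) not in approved:
            deviations.append({"asset": name, "element": element, "change": kind, "item": item})

    for element in BASELINE_ELEMENTS:
        before, now = baseline[element], current[element]
        if isinstance(before, set):
            for item in sorted(now - before):
                record(element, "added", item)
            for item in sorted(before - now):
                record(element, "removed", item)
        elif before != now:
            record(element, "changed", now)
    return deviations


def diff_all(baseline=BASELINE, current=CURRENT, approved=APPROVED_CHANGES):
    return {name: diff_asset(name, baseline[name], current[name], approved) for name in baseline}


if __name__ == "__main__":
    for asset, deviations in diff_all().items():
        print(asset, deviations or "matches baseline")
```

Each deviation maps directly to a finding: the unapproved tcp/23 on RTU-01 is a CIP-007 R1 ports-and-services issue as well as a CIP-010 R1 baseline deviation, and the unrecorded firmware change on RELAY-02 also means the 30-calendar-day window CIP-010 R1 Part 1.3 gives for updating the baseline after a change was never started because the change was never raised.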
Information Protection (CIP-011):
· Data classification and handling: Verify that sensitive NERC CIP information (e.g., network diagrams, configurations, assessment reports) is classified and handled according to its sensitivity level.
· Removable media control: Inspect policies and technical controls related to the use and control of removable media.
· Data encryption: Assess the use of encryption for data at rest and in transit, particularly for sensitive control system data.
Gap analysis and findings formulation
Once all data is collected and technical assessments completed, the information should be analyzed by the vendor against the specific requirements of each applicable NERC CIP standard.
Mapping evidence to requirements:
Each piece of collected evidence (documentation, interview notes, test results) should be mapped to the specific NERC CIP requirement and part it supports (for example CIP-005 R1 Part 1.3 for the firewall rule justifications, or CIP-007 R4 Part 4.1 for the log samples), so that every requirement in scope ends up with either evidence of compliance or a documented gap.
Identifying gaps and non-conformities:
Where the evidence does not demonstrate full adherence to a requirement, a gap or non-conformity is identified. Each finding should be clearly articulated, referencing the specific CIP standard and requirement.
Prioritization
Findings should be prioritized based on their potential impact on BES reliability and security, and the likelihood of exploitation. This helps the organization focus remediation efforts on the most critical areas. Risk levels (High, Medium, Low) are typically assigned.
Reporting and remediation planning
The final phase involves communicating the assessment results and developing a plan for addressing identified gaps.
Development of a Comprehensive Assessment Report by the vendor:
The report should be a clear, concise, and technically accurate document that includes:
· Executive Summary: A high-level overview of the assessment's purpose, scope, key findings, and overall cybersecurity posture.
· Introduction: Background on NERC CIP and the substation being assessed.
· Methodology: Description of the assessment approach, standards used, and data collection methods.
· Detailed Findings: For each applicable NERC CIP standard, list specific requirements, observed evidence, identified gaps/non-conformities, and their assigned risk level. Include relevant screenshots, log entries, or configuration snippets as supporting evidence.
· Recommendations: For each finding, provide clear, actionable, and specific recommendations for remediation. Recommendations should address both technical controls and procedural improvements.
· Appendix: Include supporting documentation such as the asset inventory, interview transcripts, and raw vulnerability scan reports.
Remedial Action Plan Development:
Based on the assessment report, a detailed remediation action plan should be developed. This plan should include:
· Specific actions: Detailed steps required to address each finding.
· Responsible parties: Clear assignment of ownership for each action.
· Target dates: Realistic timelines for completion of each remediation action.
· Resource requirements: Any personnel, budget, or technology resources needed.
· Validation assessment: If required, a follow-up assessment should be conducted to confirm the state of the infrastructure after the gaps have been addressed.
Post-assessment review and follow-up
The assessment report and remediation plan should be formally presented to stakeholders. Regular follow-up meetings should be scheduled to track remediation progress and verify the effectiveness of implemented controls. A re-assessment or targeted verification of remediated areas may be necessary.
Conducting a NERC CIP assessment for a substation is a complex but essential process that demands a deep understanding of both cybersecurity principles and operational technology. By following a structured methodology encompassing meticulous planning, thorough technical execution, rigorous analysis, and clear reporting, organizations can effectively identify and mitigate cybersecurity risks, thereby enhancing the reliability and security of the bulk electric system. This continuous cycle of assessment, remediation, and verification is crucial for maintaining a strong and compliant cybersecurity posture in the face of evolving threats to critical infrastructure.
