A few years ago, while I was working for a distribution electric cooperative, I was in Washington D.C. at a cyber security training event hosted by the Department of Energy (DOE) and the National Rural Electric Cooperative Association (NRECA). During the event, I invited the host from the DOE to join me for lunch. We had discussed several security topics, but then regulations entered into the discussion. I quickly reminded the DOE official that, as a distribution cooperative under 100 kV, I didn’t have to worry about such things. He quickly added one word to my sentence… “Yet.” The DOE official told me that if electric distribution cooperatives, as a whole, didn’t soon get their security up to certain standards, the government would be forced to bring regulation to the smaller distribution cooperatives.
If you’re a distribution cooperative, you may think you don’t have to worry about terms like NERC, FERC, CIP, and self-reporting to government agencies. In most cases, you may be right; however, not having to worry about something isn’t a reason to ignore it altogether. NERC CIP outlines some easy-to-follow security guidelines that can improve your cooperative’s security. NERC does have some limitations in its security recommendations. For example, NERC suggests the use of a firewall for every entry/exit of a substation. However, a simple firewall is hardly good enough to protect anything! Firewalls from a few years ago lack the abilities that a Next Generation Firewall (NGFW) offers, such as intrusion prevention systems and deep packet inspection. I would take it even further and suggest that most firewalls claiming to be NGFW aren’t feature-rich enough to give enough protection. In conjunction with NGFWs, cooperatives should have Security Information and Event Management (SIEM) correlation along with sandboxing and AI that can protect against zero-day attacks that are likely to occur from a state-sponsored hacker.
Okay, I can already see the eyerolls… “State-sponsored hacker?” Yes, state-sponsored hackers are a real and even likely scenario for even the smallest of electric cooperatives! Recently, during the 2019 GridEx V, I had the opportunity to do several tabletop exercises with a group of Texas electric cooperatives. To our dismay, we realized that the majority of distribution cooperatives weren’t participating. During the tabletop discussion, there was a question about the flow of oil and gas, and that’s when we realized one of the more critical roles smaller distribution cooperatives play. The flow of oil and gas, the backbone of our economy, is controlled by electric cooperatives that may not even have a basic NGFW!
Understandably, most electric cooperatives aren’t monitoring the security infrastructure they have in place. Those that do have monitoring have outsourced it to a third party that monitors them the same way it would monitor a manufacturing company or a department store. The focus on critical infrastructure and the preparedness and vigilance for state-sponsored attacks simply isn’t there. Any security recommendations are going to be what is good for “most people” and not for the very unique security challenge that is an electric cooperative. Further, many electric cooperatives are relying on signature-based security. This is a reactive type of security that is found in most firewalls and traditional anti-virus products. Instead, we need to have a complete security profile that looks into behavior using artificial intelligence, not just checking against a database to see if this existing software is known to be bad.
When I began working at SkyHelm, the team had already discovered the need for a more robust offering of security solutions tailored for electric cooperatives. We discussed this further, and this discussion gave way to the creation of an industry-specific electric cooperative security platform called the Ai-One. SkyHelm married together several security programs that are relevant for the time being and included them as part of our SOC that monitors cooperatives. The device is also built to be changed as the security challenges evolve. Through this device, we are able to meet the demands of the changing security landscape and ensure that we are delivering relevant cyber security made for the demands of an electric cooperative.
Regulatory standards alone aren’t going to keep us safe. With security, there is an ever-changing landscape. Security solutions that worked yesterday may not work today, as attackers are constantly becoming more advanced.
If you’d like to ensure your security is beyond NERC CIP requirements, and that you are ready to meet standards if/when they come, contact SkyHelm for a security consulting engagement. We will ensure that your cooperative is prepared and can guide you to a cyber security strategy that ensures you are a ‘cut above’ even the G&Ts, which are required to meet minimum standards through regulation.
More than simply staving off regulation, or even being prepared for it when it comes, enhancing your cooperative’s security to meet and beat NERC standards is in everyone’s interest.