Securing Control Center communications is more than encryption
By Jason Smith
Effective July 1st, 2022, North American Electric Reliability Corporation (NERC) registered entities were required to comply with the new Critical Infrastructure Protection (CIP) standard CIP-012 (version 1), which protects the confidentiality and integrity of Real-time Assessment (RTA) and Real-time monitoring (RTM) data transmitted between Control Centers. RTA/RTM data is the data used to evaluate system conditions and is addressed in the NERC standards TOP-003 and IRO-010. Entities can rely on the definition in their TOP-003 and IRO-010 documentation, if available, or develop their own definition of this data type.
To secure RTA/RTM data and achieve compliance, the obvious and most common approach is Virtual Private Network (VPN) encryption between Control Centers owned by the entity and those of other entities with whom data is shared. While encryption meets the security objective of CIP-012, entities can apply additional security controls to achieve defense in depth and, in some cases, use controls other than encryption.
CIP-012 consists of three (3) requirements. These requirements mandate the identification and documentation of security controls, how and where those controls are applied, and the identification of responsibilities for applying them when RTA/RTM data is transmitted between Control Centers owned by different entities. Details of each of these elements must be documented in the entity's CIP-012 Plan(s).
To identify and implement security controls, entities must first define criteria for identifying data that qualifies as RTA/RTM data and for determining where that data resides. Pinpointing all locations of possible RTA/RTM data requires collaboration with the business units that support generation and/or transmission functions to document data repository locations. This process alone will surface security challenges to address.
Once data criteria have been developed and all data locations confirmed, the next challenge is identifying security controls that physically and electronically protect the data. Those of us subject to CIP requirements have already implemented mandatory physical and electronic security controls to comply with CIP standards such as CIP-005 and CIP-006. For example, RTA/RTM data that resides in an Electronic Security Perimeter (ESP) inherits the electronic protections afforded by the ESP, as well as the physical protections of CIP-006, which requires applicable Cyber Assets (and therefore the data they hold) residing in an ESP to be protected by a Physical Security Perimeter (PSP) that meets CIP-006 specifications. To bolster your CIP-012 Plan(s), consider documenting your CIP-005 and CIP-006 controls, along with the security and process controls implemented to comply with other CIP standards. At a minimum, these additional controls help ensure the integrity of data prior to transmission. As my grandpa used to say, “if you’ve already done it, you might as well get credit for it.” A few examples of existing CIP security controls to consider documenting in your plan(s) are:
Electronic access to the ESP is limited to CIP-004 authorized personnel, who connect through a CIP-005 jump host to reach the system(s) hosting RTA/RTM data
The ESP hosting systems with RTA/RTM data is protected by an Intrusion Detection System (IDS) that inspects traffic for potentially malicious or suspicious communications per CIP-005
RTA/RTM data within the PSP(s) is physically accessible only to personnel authorized for unescorted access under the CIP-004 access management program
Systems subject to CIP-007 that host RTA/RTM data are monitored by a Security Information and Event Management (SIEM) system, which alerts response personnel to suspicious activity
RTA/RTM data is protected by a Physical Access Control System that requires an authorized individual to badge into the location housing the systems that host the data
Electronic access to systems hosting RTA/RTM data requires a username, a password, and two-factor authentication
An alternative control to consider is the use of Optical Ground Wire (OPGW) for communications between Control Centers. OPGW's armored fiber physically protects the link and minimizes the risk of tampering or link breakage. In addition, OPGW cable is strung between the tops of high-voltage transmission pylons and is therefore not easily accessible. Some SCADA applications also provide encryption of data exchanged between SCADA servers; server-to-server encryption adds another defense-in-depth control specifically for RTA/RTM communications between servers at different Control Centers.
Once you have documented “what you can do” and “where you did it,” gather evidence that “it was done.” For example, once you configure VPN encryption, archive the router/firewall configuration in a CIP-012 project directory or in a change management work order associated with CIP-012. Do the same for your other controls: archive SIEM logs or configurations that confirm all systems hosting RTA/RTM data are being monitored, and if you are leveraging a PSP as a security measure, archive PSP diagrams that include the systems hosting the data, along with log exports demonstrating PSP logging and monitoring. In short, capture and archive evidence that each control has been implemented and that confirms its effectiveness.
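Archived evidence is only as good as your ability to show, at audit time, that it has not changed since it was collected. The script below is an added example (not part of the original article or any vendor tool) of one way to do that: it hashes each archived artifact, records the hash alongside the control it supports in a JSON manifest, and later re-verifies the archive against that manifest. The control labels, file names and configuration snippets are constructed placeholders, not real entity data.

```python
"""Build and verify a tamper-evident evidence manifest for CIP-012 controls.

Added example, not from the original article. Control labels, file names and
the artifact contents below are constructed placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence: (control label, artifact file name, content).
SAMPLE_EVIDENCE = [
    ("VPN encryption between Control Centers (CIP-012)",
     "edge-fw01-ipsec.cfg",
     b"crypto ipsec profile CC-LINK\n set transform-set AES256-SHA256\n"),
    ("SIEM monitoring scope for RTA/RTM hosts (CIP-007)",
     "siem-asset-scope.csv",
     b"hostname,monitored\nems-app01,yes\nems-hist01,yes\n"),
    ("PSP badge access log export (CIP-006)",
     "psp-badge-export.csv",
     b"timestamp,door,badge_id,result\n2022-07-01T08:00:00Z,CC-MAIN,1001,granted\n"),
]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_evidence(evidence_dir: Path) -> None:
    """Write the constructed artifacts into the evidence directory."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    for _, name, content in SAMPLE_EVIDENCE:
        (evidence_dir / name).write_bytes(content)


def build_manifest(evidence_dir: Path, entries) -> dict:
    """Record control, artifact, hash, size and collection time for each artifact."""
    records = []
    for control, name in entries:
        path = evidence_dir / name
        records.append({
            "control": control,
            "artifact": name,
            "sha256": sha256_file(path),
            "size": path.stat().st_size,
            "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    return {"standard": "CIP-012", "records": records}


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return the artifacts that are missing or whose hash no longer matches."""
    problems = []
    for rec in manifest["records"]:
        path = evidence_dir / rec["artifact"]
        if not path.is_file() or sha256_file(path) != rec["sha256"]:
            problems.append(rec["artifact"])
    return problems


def demo() -> tuple:
    """Collect, verify, then simulate an undocumented edit and a lost file.

    Returns (problems_before, problems_after); the first list should be empty.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence_dir = root / "cip012-evidence"
        write_sample_evidence(evidence_dir)
        manifest = build_manifest(evidence_dir, [(c, n) for c, n, _ in SAMPLE_EVIDENCE])
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(evidence_dir, manifest)
        # An archived config edited after collection, and an export that went missing.
        (evidence_dir / "edge-fw01-ipsec.cfg").write_bytes(b"crypto ipsec profile CC-LINK\n")
        (evidence_dir / "psp-badge-export.csv").unlink()
        after = verify_manifest(evidence_dir, manifest)
        return before, after


if __name__ == "__main__":
    clean, changed = demo()
    print("problems at collection time:", clean)
    print("problems on re-verification:", changed)
```

Store the manifest with the evidence (or in the change management record), and re-run the verification before each audit; anything reported is either an undocumented change to archived evidence or a gap in the archive that needs explaining.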
In conclusion, while encryption is the primary and key security control for securing communications between Control Centers, it is advantageous to document existing security measures and consider implementing additional security measures where feasible. Each additional layer of defense decreases the likelihood of data compromise and increases data integrity.