Latest Critical Infrastructure Protection Plan Issued by NERC
Image courtesy of Michael Coghlan under Attribution-ShareAlike 2.0 Generic License, resized to 700 x 391 pixels.
The North American Electric Reliability Corporation (NERC) recently published its 2024 Critical Infrastructure Protection Plan (CIP). The purpose of the report is to identify critical risks to the Bulk Electric System (BES) for mitigation purposes.
Observations from the 2024 Critical Infrastructure Protection Plan
The NERC report aims to understand the security challenges facing the bulk power system, including security vulnerabilities, under-emphasized low impact programs, labor shortages, and performance drift.
The good news is that critical infrastructure on the bulk power system is much more secure than it was just 15 years ago. The bad news is that there are still major security gaps associated with “long-standing, higher risk issues that evade detection and persist within entities’ environments.” In other words, security lapses have decreased in frequency, but a relatively large number of legacy flaws remain out there in the wild.
That being said, security gaps come in multiple flavors. For example, the report describes a utility that failed to monitor physical access to substations because it relied too heavily on alarms and alerts; when one of the alarms failed to activate, there was no visual cue to trigger action. Another example cited in the report involved a utility that somehow lost access to 4 important shared accounts, creating a slew of downstream problems. These scenarios can negatively impact emergency preparedness as well.
To address the concerns, the report recommends:
- Reevaluate your approach to detective controls and consider whether you are dedicating sufficient resources to development, implementation, and testing.
- Conduct regular testing.
- Periodically scrutinize systems.
- Conduct internal audits.
- Address vulnerability assessments.
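The substation example above is a detective control that failed silently: the alarm was trusted, so nobody noticed when it stopped working. One way to test detective controls continuously, rather than assume they fire, is to monitor the monitor: flag an alarm panel whose heartbeat has gone quiet, and flag a door-open event that produced no alarm. The script below is an added example, not code from this post or from the NERC report; the log format, the panel and gate names, and the heartbeat and alarm-window intervals are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not from the NERC report). Assumed format:
#   <ISO timestamp> <site> <panel> <event kind> [<door/gate id>]
# Each panel is assumed to emit a HEARTBEAT every 60 seconds and an ALARM
# shortly after any DOOR_OPEN. panel-2 stops reporting at 08:01 and later
# sees a door open with no alarm, which is the failure mode to surface.
SAMPLE_LOG = """\
2024-05-01T08:00:00 substation-A panel-1 HEARTBEAT
2024-05-01T08:00:00 substation-A panel-2 HEARTBEAT
2024-05-01T08:01:00 substation-A panel-1 HEARTBEAT
2024-05-01T08:01:00 substation-A panel-2 HEARTBEAT
2024-05-01T08:02:00 substation-A panel-1 HEARTBEAT
2024-05-01T08:03:00 substation-A panel-1 HEARTBEAT
2024-05-01T08:03:30 substation-A panel-1 DOOR_OPEN gate-3
2024-05-01T08:03:31 substation-A panel-1 ALARM gate-3
2024-05-01T08:04:00 substation-A panel-1 HEARTBEAT
2024-05-01T08:04:10 substation-A panel-2 DOOR_OPEN gate-7
2024-05-01T08:05:00 substation-A panel-1 HEARTBEAT
"""


@dataclass
class Event:
    ts: datetime
    site: str
    panel: str
    kind: str          # HEARTBEAT, DOOR_OPEN or ALARM
    target: str = ""   # door/gate id for DOOR_OPEN and ALARM events


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format into Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        target = parts[4] if len(parts) > 4 else ""
        events.append(Event(datetime.fromisoformat(parts[0]),
                            parts[1], parts[2], parts[3], target))
    return events


def silent_panels(events: List[Event], now: datetime,
                  max_gap: timedelta) -> List[str]:
    """Return 'site/panel' for every panel whose last heartbeat is older than max_gap.

    A panel that has not checked in cannot be trusted to raise an alarm, so its
    silence is itself an alert, not an absence of events.
    """
    last_seen: Dict[Tuple[str, str], datetime] = {}
    for e in events:
        if e.kind == "HEARTBEAT":
            key = (e.site, e.panel)
            if key not in last_seen or e.ts > last_seen[key]:
                last_seen[key] = e.ts
    return sorted(f"{site}/{panel}" for (site, panel), ts in last_seen.items()
                  if now - ts > max_gap)


def unalarmed_door_opens(events: List[Event],
                         window: timedelta) -> List[Tuple[str, str]]:
    """Return (panel, door) for each DOOR_OPEN with no matching ALARM within window."""
    alarms = [e for e in events if e.kind == "ALARM"]
    missing: List[Tuple[str, str]] = []
    for e in events:
        if e.kind != "DOOR_OPEN":
            continue
        matched = any(a.site == e.site and a.panel == e.panel
                      and a.target == e.target
                      and timedelta(0) <= a.ts - e.ts <= window
                      for a in alarms)
        if not matched:
            missing.append((e.panel, e.target))
    return missing


def run_checks(text: str = SAMPLE_LOG, now: str = "2024-05-01T08:05:00",
               max_gap_s: int = 120, alarm_window_s: int = 30) -> dict:
    """Run both checks over a log snapshot taken at `now` (ISO timestamp)."""
    events = parse_log(text)
    return {
        "silent_panels": silent_panels(events, datetime.fromisoformat(now),
                                       timedelta(seconds=max_gap_s)),
        "unalarmed_door_opens": unalarmed_door_opens(
            events, timedelta(seconds=alarm_window_s)),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Run against the constructed log, the script reports panel-2 as silent (no heartbeat for four minutes against a two-minute limit) and gate-7 as a door opening with no alarm. Both findings would be invisible to a team that only reacts to alarms that actually fire, which is the gap the report describes; in a real deployment the heartbeat gap and alarm window would be tuned to the panel vendor's actual reporting interval.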
The bottom line is that dramatic bulk-power security improvements have been seen over the last decade or two, but unfortunately, it’s still not enough. I highly recommend that you delve into the 2024 Critical Infrastructure Protection Plan so you can get up to speed on what it truly means to be a highly secure utility. Good luck!