NERC 2022 Annual Report highlights cybersecurity remains at forefront of addressing reliability risks

The North American Electric Reliability Corporation (NERC) presented its 2022 Annual Report on Tuesday, underscoring that the electricity ecosystem will have to come to grips with cost-effectively protecting lower-impact assets from physical and cyber threats. The warning comes as cybersecurity remains at the forefront of addressing reliability risks.

The report covers the organization's accomplishments over the past year and sets the stage for 2023's strategic focus areas: expanding the risk-based focus on standards, compliance monitoring, and enforcement; assessing and catalyzing steps to mitigate known and emerging risks to reliability and security; building a strong E-ISAC-based security capability; strengthening engagement across the reliability and security ecosystem in North America; and capturing effectiveness, efficiency, and continuous improvement opportunities.

NERC further focused on the criticality of the Electric Reliability Organization (ERO) Enterprise’s collective mission and vision of assuring the reliability, resilience, and security of the North American bulk power system (BPS) during a time of extraordinary transformation. 

“The annual report provides us with the opportunity to look back at what we accomplished in 2022, celebrate our successes, and get ready for the challenges of 2023,” Jim Robb, president and CEO at NERC, wrote in the Annual Report. “Looking ahead, it is abundantly clear that the electricity ecosystem is going to have to come to grips with cost-effectively protecting lower impact assets from physical and cyber threats—such as coordinated attacks or supply chain compromises, getting inverter-based resources to support the reliability requirements of the grid as they continue to gain market share, effectively shifting the focus of resource adequacy from capacity on peak toward energy sufficiency 24×7 and provision of essential reliability services, and preparing the grid to operate reliably during periods of extreme weather.”

Robb added that the Electricity Information Sharing and Analysis Center (E-ISAC) continues to be a critical resource to the security ecosystem—expanding system monitoring services with programs like the Cybersecurity Risk Information Sharing Program (CRISP) and new operational technology (OT)-focused programs and playing a key role in piloting the Department of Energy’s Energy Threat Analysis Center. 

In 2022, the E-ISAC developed more analytical products for its members, provided original analysis and threat hunting, and continued to analyze activities in the OT environment and ransomware groups. The E-ISAC published more than 230 analytical products and provided more than 90 intelligence briefings. The delivery of new intelligence to members through channels, such as the E-ISAC member portal, increased in 2022 with 10 new intelligence products per month on average, many of which included technical details and mitigation recommendations.

The E-ISAC’s CRISP expanded its membership by 14 percent and continued to grow its capabilities to provide cyber threat intelligence and government-informed reporting to assist North American asset owners and operators with threat detection. The E-ISAC also increased the identification of malicious physical security activity and patterns that were then shared with industry and law enforcement organizations. These efforts provide better visibility and information sharing of the threat landscape for stakeholders.

The NERC report stated that cyber security remains at the forefront of addressing reliability risks. “In 2022, NERC initiated and continued several Reliability Standard development projects that address virtualization and protect cyber assets and communications. NERC also examined its set of cyber standards to ensure that necessary controls are implemented into critical systems to maintain the reliability of the BPS,” it added.

The North American grid is facing dynamic risks, making it critical that the ERO Enterprise and industry continue to take a risk-based approach to compliance and grid transformation. One of the Reliability and Security Technical Committee’s (RSTC) primary objectives is to develop solutions that support technology and security integration into BPS planning and operations. 

To that end, the RSTC Security Integration and Technology Enablement Subcommittee (SITES) works with the E-ISAC and stakeholder groups to provide recommended practices for the incorporation of cyber and physical security aspects into conventional planning, operations, design, and restoration activities across North America. SITES identifies potential barriers and supports the removal of these barriers to enable the industry to adopt emerging technologies and develop cyber-informed engineering practices.

NERC is also addressing these risks by working with industry experts to develop a cyber-informed transmission planning framework that can be used to integrate cyber security into steady-state and dynamic simulations of BPS reliability. In February, NERC’s Board of Trustees (Board) approved a modification to CIP-014-3 – Physical Security, removing a unique compliance monitoring provision that is no longer needed following the adoption of the ERO Enterprise SEL and other tools for secure review of sensitive evidence. NERC submitted these modifications to FERC in February and received approval in June.

The NERC report also covered the criticality of supply chain risk mitigation, which has been a priority for the agency since 2016. It has been highlighted even further over the past three years by a marked increase in supply chain compromises perpetrated by nation-state actors. Without trusted suppliers continually working with asset owners and operators, the industry will struggle to increase or maintain reliability while directly addressing the ever-increasing security threats to the grid. 

The ERO Enterprise is particularly focused on addressing risks associated with grid transformation, extreme weather, and security threats. “In October, the Supply Chain Standards (CIP-005-7 – Cyber Security – Electronic Security Perimeter(s), CIP-010-4 – Cyber Security – Configuration Change Management and Vulnerability Assessments, and CIP-013-2 – Cyber Security – Supply Chain Risk Management) became effective. NERC is also pursuing new and improved CIP standards that are necessary to mitigate the dynamic nature of cyber security threats,” the NERC report said. 

In 2020, based on a NERC staff study of supply chain risks to low-impact Bulk Electric System (BES) cyber systems, the Board directed revisions to CIP-003-8 to address vendor remote electronic access connectivity. To address the Board directive, a standard drafting team developed CIP-003-9, which achieved industry approval and was adopted by the Board in November.

In its ‘2022 State of Reliability’ report released last July, NERC said that the cybersecurity threat landscape presented serious obstacles to the electricity industry in 2021, driven primarily by geopolitical events, new vulnerabilities, technological changes, and increasingly bold cyber criminals and hacktivists.

Recognizing the complex and evolving nature of supply chain risks, and implementing the recommendations from the FERC, NERC, and Regional Entity Joint Staff Inquiry into the February 2021 Cold Weather Grid Operations, the ERO Enterprise established a Natural Gas–Electric Reliability Forum and developed and published NERC’s Security Integration Strategy and the IEEE-NERC technical report addressing cyber security risk scenarios for BPS planning, engineering, and operations. Among many other activities, it also collected and reviewed data to make initial recommendations for improvements to bright-line criteria or to identify enhanced approaches.

In May, the Supply Chain Working Group presented an update to the Board on the November 2021 supply chain risk management (SCRM) standards effectiveness survey, which found that entities are expanding their SCRM principles to include cyber assets outside of compliance requirements, although questions remain regarding audits and vendors. Respondents also reported that SCRM takes significant resources and impacts other areas, including CIP resources. Most respondents felt that the solution to the supply chain issue would require engagement with other critical industries, not just the electric industry.

Also, in November, the Board accepted the recommendations outlined in the Low-Impact Criteria Review Team white paper, which identified risks and management strategies to better protect low-impact BES cyber systems.

The NERC report said that geopolitical tensions in 2022 resulted in a ‘Shields Up’ posture, reinforcing the need for increased industry collaboration, communication, and coordination. Throughout North America, as the year drew to a close, the need for continued vigilance was thrown into sharp focus with attacks on substations in North Carolina and the Pacific Northwest.

“Throughout 2022, the E-ISAC team worked to stay ahead of these challenges by developing new and innovative products, platforms, and services as well as increasing efforts around existing information sharing and initiatives that provide collective defense in depth,” the report added.

The E-ISAC also partnered with the U.S. Department of Energy to create its new Energy Threat Analysis Center (ETAC), which is focused on collaborating with electricity industry partners and government agencies through the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) Joint Cyber Defense Collaborative (JCDC).

Throughout the year, NERC held information exchanges with partners beyond North America, including an on-site visit to the European Union in Brussels. NERC staff also completed a NARUC engagement with the West Africa Partnership, providing technical assistance to the Economic Community of West African States’ Regional Electricity Regulatory Authority and assisting with the development of a reliability and market functional model. 

NERC and the E-ISAC participated in the Cyber Resiliency Challenge 2022, which was organized by the United States Energy Association with United States Agency for International Development funding and included participation from Eastern European countries. Engagements were also conducted with industry and policy stakeholders from Chile and Colombia. Executives from the Chilean System Operator, NERC, and the E-ISAC met in Washington, D.C., to exchange ideas regarding the implementation of a cyber security framework.

Last month, the Federal Energy Regulatory Commission (FERC) called upon NERC to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments. The move would affect high-impact BES cyber systems with and without external routable connectivity, and medium-impact BES cyber systems with external routable connectivity.
