NERC 2021 Annual Report highlights need to maintain continued focus on improving cyber defenses

The NERC (North American Electric Reliability Corporation) presented its 2021 Annual Report for the electric sector on Wednesday, primarily highlighting the need to keep concentrating on improving cyber defenses. In addition, the industry must adapt to a threat landscape in which adversaries adopt new tactics, new vulnerabilities are exploited, and the magnitude of potential impacts is changing as the grid evolves and cross-sector interdependencies increase.

Moving into 2022, the ERO Enterprise will focus on addressing four risk elements: improving bulk electric system (BES) resilience for widespread, long-term, and extreme temperature events; intensifying planning and operating focus beyond capacity adequacy toward energy sufficiency; enhancing the structure of the CIP standards, including review and improvement of the bright-line risk criteria; and expanding the impact of the E-ISAC through information sharing, communications, and monitoring of critical security threats.

The NERC report highlighted that the cybersecurity landscape continues to evolve, driven by geopolitical events, new vulnerabilities, changes in technologies, and increasingly bold cybercriminals and hacktivists. Over the past several years, NERC has observed a large increase in the frequency and sophistication of malicious cyber activity.

“Our work with the Department of Energy (DOE) on the 100-day sprint to deploy OT monitoring tools, coupled with the Cybersecurity Risk Information Sharing Program (CRISP), has the potential to be a real game-changer in our ability to detect malware and remove it before harm is done to the BPS,” Jim Robb, president and CEO at NERC wrote in the ‘2021 Annual Report.’ 

NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) observed supply chain compromises, ransomware attacks, malware, and phishing activity in 2021, the report said. The COVID-19 pandemic has also expanded the remote cyber security attack surface because of increased telework, requiring greater sharing and collaboration by the E-ISAC with all levels of the electricity industry, the U.S. and Canadian governments, and partners than ever before.

“The E-ISAC has been deeply engaged in addressing cyber security compromises and their implications to industry through alerts and other communication efforts,” Kenneth DeFontes, Jr., NERC Board Chair, wrote in the report. “It is this combination of information sharing and analysis, along with CIP standards, that provides a vital defense of the BPS across North America. Robust designs and new study tools that incorporate the requisite cyber security are needed to support grid transformation and help ensure reliability and resilience,” he added.

The 2021 Annual Report also highlighted the work carried out by the E-ISAC and its response to a steady drumbeat of cyber and physical security threats. Following the SolarWinds compromise in December 2020, vulnerabilities were identified in the on-premise version of Microsoft Exchange, the Pulse Connect Secure VPN platform, Kaseya products, the BlackBerry QNX operating system, and the ubiquitous Apache Log4j tool.

“These compromises also underscore the value of NERC’s Critical Infrastructure Protection (CIP) Electronic Security Perimeter Reliability Standard requirements, which would have effectively mitigated the activation of most—if not all—compromises if they traversed into the operating systems,” according to Robb.

Given the changing industry landscape, the ERO Enterprise Long-Term Strategy concentrates on five focus areas around which NERC aligned its performance management. These include expanding risk-based focus in standards, compliance monitoring, and enforcement, assessing and catalyzing steps to mitigate known and emerging risks to reliability and security, building a strong E-ISAC-based security capability, strengthening engagement across the reliability and security ecosystem in North America, and capturing effectiveness, efficiency, and continuous improvement opportunities. 

Within these focus areas were several key objectives that set the table for the work performed last year, the 2021 Annual Report said. The 2021 ERO Enterprise Work Plan Priorities addressed a transforming industry in which NERC needed to remain agile to take on any emerging risks that presented themselves. The ERO Enterprise works closely with industry, forums, government, and other organizations to perform ongoing analyses of significant known reliability risks to the BPS. 

At its November meeting, the Board approved the 2022 ERO Enterprise Work Plan Priorities, identifying key priorities for the coming year. In August, NERC’s 2021 ERO Reliability Risk Priorities Report provided a holistic view of the risk landscape that faces the BPS now and in the future and serves as a road map for the identification of key emerging risks and potential mitigating activities to address those risks. 

The NERC 2021 Annual Report also focused on the criticality of supply chain risk mitigation, which has been a NERC priority since 2016. This has, however, been highlighted even further over the past two years by a marked increase in supply chain compromises perpetrated by nation-state actors. Without trusted suppliers working with asset owners and operators, the industry will struggle to increase or maintain reliability while directly addressing the ever-increasing security threats to the grid, it added.

In March, FERC approved CIP-005-7 – Cyber Security – Electronic Security Perimeter(s), CIP-010-4 – Cyber Security – Configuration Change Management and Vulnerability Assessments, and CIP-013-2 – Cyber Security – Supply Chain Risk Management, which will go into effect on Oct. 1, 2022. The Federal Energy Regulatory Commission (FERC) has also directed NERC to conduct a study to assess the implementation of CIP-003-8 – Electronic Access Controls and determine whether the controls provide adequate security, the report said.

NERC’s 2021 Annual Report comes at a time when the Cybersecurity and Infrastructure Security Agency (CISA) has issued a ‘Shields Up’ alert notifying every organization in the country of potential risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. The alert came in the wake of increasing geopolitical tensions brought about by Russia’s potential invasion of Ukraine.
