The electric grid is the backbone of our modern society here in North America. Ensuring its reliability and security is paramount, which is where the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards come in. These standards provide a framework for securing the Bulk Electric System (BES) against cyber threats.
However, with the grid undergoing significant modernization and increased connectivity, meeting these stringent cybersecurity requirements presents a complex challenge for power utilities. More connected devices mean a larger attack surface, demanding a robust and phased approach to security.
Cisco’s Phased Approach to Industrial Threat Defense
Cisco recognizes that enhancing your security posture is a journey. We advocate for a phased approach, building foundational security elements that support subsequent steps, allowing utilities to improve security at their own pace while demonstrating value. The Cisco Industrial Threat Defense solution offers a modular and comprehensive set of capabilities designed to address the unique challenges of securing operational technology (OT) environments and achieving NERC CIP compliance.
How Cisco Solutions Help Address Key NERC CIP Requirements:
Cisco just published a solution brief describing the key NERC CIP requirements and how our portfolio can help utilities to comply. Here is a quick summary:
- Visibility and Categorization (CIP-002, CIP-015):
  - Cisco Cyber Vision: Provides deep packet inspection embedded in the industrial network to automatically discover and inventory all grid assets, their communication patterns, and vulnerabilities. This visibility is fundamental for categorizing BES Cyber Systems (CIP-002) and is a core component of Internal Network Security Monitoring (INSM) (CIP-015). It helps identify risks and deviations from expected behavior.
  - Splunk OT Security Add-On: Aggregates data from various sources, including Cyber Vision, to provide asset classification visibility (CIP-002) and supports monitoring for INSM (CIP-015).
- Electronic Security Perimeters (ESPs) and Access Control (CIP-005, CIP-007):
  - Cisco Industrial Routers and Secure Firewalls: Serve as the backbone for defining and enforcing ESPs. They offer comprehensive Next-Generation Firewall (NGFW) features, stateful inspection, application control, and integrated intrusion detection and prevention (IDS/IPS) to manage electronic access and block threats at the perimeter (CIP-005, CIP-007). They can enforce unified security policies across distributed sites.
  - Cisco Secure Equipment Access (SEA): Provides a Zero-Trust Network Access (ZTNA) solution for secure remote access, crucial for managing vendor and remote user access to BES Cyber Systems. It enforces least-privilege, just-in-time access and supports multi-factor authentication (MFA) as well as session monitoring and recording (CIP-005).
  - Cisco Catalyst Center and Identity Services Engine (ISE): Help manage security policies centrally across the switching infrastructure, control physical port usage, and enforce access controls via IP ACLs or Security Group ACLs (CIP-007).
  - Splunk OT Security Add-On: Collects logs from firewalls, routers, switches, and access systems to monitor activity crossing the ESP boundary (CIP-005) and to track ports, services, and system access control events (CIP-007).
- System Security Management and Vulnerability Assessment (CIP-007, CIP-010):
  - Cisco Catalyst SD-WAN Manager and Catalyst Center: Enable centralized management of network device configurations, helping prevent unauthorized changes and facilitating the deployment of ‘golden’ configurations (CIP-010). They also support security event monitoring on network infrastructure (CIP-007).
  - Cisco Cyber Vision: Identifies vulnerabilities in discovered assets and highlights those actively exploited by bad actors to help prioritize patching. It also monitors deviations from network communication baselines (CIP-010).
  - Splunk OT Security Add-On: Aggregates logs from various sources (firewalls, endpoints, etc.) to track ports and services, security events, and malware alerts, and supports baselining efforts (CIP-007, CIP-010). It also helps track compliance with log retention requirements (CIP-007).
- Incident Reporting, Response, and Recovery (CIP-008, CIP-009):
  - Splunk: Acts as a central SIEM for collecting, correlating, and analyzing security events from across the network and security tools. It supports incident detection, investigation, and reporting, helping utilities meet the requirements for identifying and responding to cyber incidents (CIP-008).
  - Cisco Catalyst Center and Catalyst SD-WAN Manager: Provide monitoring and recovery capabilities for network equipment, supporting the restoration of network infrastructure in case of failure or attack (CIP-009).
  - Splunk OT Security Add-On: Provides dashboards to monitor notable security alerts (CIP-008) and brings in data from backup logs and Splunk environment status to support recovery plan requirements (CIP-009).
- Information Protection and Supply Chain Risk (CIP-011, CIP-013):
  - Cisco Network Infrastructure and Security Policies: Enforce network segmentation and access controls to protect BES Cyber System Information (BCSI) from unauthorized access (CIP-011).
  - Cisco Security and Trust Organization: Cisco’s commitment to security is embedded in its Secure Development Lifecycle (SDL), certified for IEC 62443-4-1. Trustworthy technologies such as image signing and secure boot ensure product integrity. The Cisco Product Security Incident Response Team (PSIRT) handles vendor-identified incidents and provides vulnerability information, patches, and mitigation advice (CIP-013). Cisco is also an active contributor to relevant industrial security standards.
A Unified Approach for Enhanced Security
Navigating NERC CIP compliance requires a strategic, solutions-based approach. Cisco provides the building blocks and integrated solutions to help power utilities secure their critical infrastructure, enhance visibility, and meet regulatory requirements effectively. Have a look at our NERC CIP Compliance Solution Brief to better understand the requirements and see how Cisco can help.
I will be presenting a webinar on July 17th together with experts from Burns & McDonnell to discuss the new Internal Network Security Monitoring (INSM) CIP-015 standard and the solutions available to help utilities comply. Save the date and register now.