A Guide to Preventative and Detective Controls for NERC CIP-013 Compliance

November 5, 2020

The NERC CIP-013 standard, approved by FERC in the fall of 2018 and enforceable as of October 2020, addresses cyber threats to the Bulk Electric System (BES) that come from the supply chain. The requirement states that utilities must “mitigate cyber security risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.” There’s been a lot said about the NERC CIP-013 standard. What it is; what it isn’t. There is no shortage of consulting firms willing and able to help on the program, policy and procedures. In fact, you should already be well past all of that since even the extended compliance date has come and gone.

What has received less attention is how to protect your company using technology-based monitoring controls that provide technical backstops in your program, some of which you may already have with solutions like Industrial Defender. These controls are critical to keeping you on the right side of the NERC CIP-013 standard, and ensuring you keep the Violation Severity Factor to a minimum, since that’s based on implementation failures of the sub requirements of R 1.2. As we’ve seen with previous NERC CIP standards, the need to show “continuous compliance” over the full audit period has often been the challenge, and is best handled with automation.

The chart below walks through each of the more technically inclined sub requirements of R1.2 for the NERC CIP-013 standard and how you can achieve some level of controls automation for a fundamentally sound compliance program. As they say, an ounce of prevention is worth a pound of cure, so we’ve also identified which controls are preventative and which are detective. Keep in mind that the controls and technology referenced in this chart don’t just help with compliance. They’ll also build the cybersecurity foundation for all your OT systems. Many of these controls are referenced in the 20 CIS Controls and the NIST Cybersecurity Framework. If you are deciding on next year’s budget, focus on building your preventative controls first. However, choosing solutions that offer both preventative and detective measures will give you the highest return on investment.

P = Preventative
D = Detective

R No. NERC CIP-013 Language Technology Our Advice
1.2.3 Notification by vendors when remote or onsite access should no longer be granted to vendor representatives Configuration Monitoring (P)  Configuration management (CM) is all about managing your surface to prevent control failures and gaps. Your accounts, ports and services, permissions, firewall rules (host and network), and time outs. Find a solution that collects and baselines all these parameters, and you’re on your way to building a robust controls solution.
Secure Remote Access Solution (P)  SRA is about focusing on the secure part of remote access. You should be able to inspect the incoming point for basic security controls like patches and AV definitions. Another good feature is to monitor or even record the activity, with advanced solutions even limiting the commands to be used. Ultimately, you should be able to make it as strict as needed and place basic timeouts requiring re-authorization for a third party to continue.
Timers for Power Relays to Remote Access Equipment (P) Timers are the original control in this area. For a long time, a simple setup of placing a timer on the power supply to the remote gateway device was how to ensure sessions were authorized and had a finite period of acceptance, as well as kill switch for an emergency. This is still very effective today for large SCADA environments.
Network Anomaly Detection (D) Network anomaly detection is a purely detective control for when things have already gone wrong. They don’t authorize and can’t (and shouldn’t) act on their own. But they can be very effective at finding old sessions that aren’t being used and haven’t timed out, or for identifying potential abuse of the connection. Again, you should invest in one or more of the preventative controls first, but this offers a nice, layered defense.
1.2.4 Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity Vulnerability Monitoring Service Tied into a Configuration Management Solution (D)  This requirement is really meant to be a contract vehicle to get vendors to disclose vulnerabilities. It’s also meant to close the gap left open by CIP-007-6 R2, which focuses on patches and not vulnerabilities. This is a monumental manual undertaking, which is highly prone to errors, and if you haven’t already started looking at automating, you should. You’ll also need something that supports legacy equipment and OSes that may not be supported by the vendor. Ideally, the solution would be additive to your CIP-007 and CIP-010 solution if you’ve already invested there.
1.2.5 Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System Software Bill of Materials with 3rd Party Verification (P)(D)  Ideally your CM solution can get down to the underlying libraries and custom software because this is what is needed. You could manually check hashes from websites, but that is more time consuming than you think. Also, if a website can be compromised to serve up fake packages, the hash would likely be compromised, as well. This is where being able to get down the .dll and package dependency level is so critical to make this a meaningful control. Having solutions that integrate to check this before you deploy and check what is already running on your systems is the ultimate goal to act as both a preventative and detective solution.
1.2.6 Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s) Secure Remote Access Solution (P) As stated above implementing SRA is about technically enforcing controls agreed to in the contract or statement of work.
Network Anomaly Detection (D) Again, this about detecting deviations from agreed-upon behavior in your contract. You need the mix of preventative and detective controls to have a defense-in-depth posture.

To learn more about how we can help you automate your NERC CIP-013 compliance, reach out to one of our OT security architects to discuss your unique needs.