In this special episode of the PrOTect OT podcast, Aaron sits with Patrick Miller, a renowned expert in the critical infrastructure protection and cybersecurity industries. We released this episode earlier than usual because we were eager to dive deeper into the changes coming to NERC-CIP and share Patrick's insightful perspective.
With over 35 years of experience, Patrick has done it all, starting out in the OT world by strapping on spiked boots and climbing up telephone poles. Today, he leads Ampere Industrial Security as CEO, offering independent security and regulatory advice for industrial control systems globally. He is an active volunteer, public speaker, and member of several critical infrastructure security working groups and has received numerous awards for his work. With deep roots in telecommunications, Patrick has held key positions in regulatory agencies, private consulting firms, and commercial organizations, and is also an instructor for the ICS456 NERC CIP course offered by the SANS Institute.
The INSM standard is meant to monitor a company's Electronic Security Perimeter (ESP) more thoroughly and detect any unusual activity that goes beyond current security measures. The purpose of the INSM is to identify threats from insiders, misuse of legitimate credentials, and other potential harm to the system's functionality.
Patrick highlights that while there are already many NERC-CIP security controls in place, the INSM aims to focus on examining the internal network's East-West traffic for anomalies. This helps to detect any instances of illegitimate use of credentials, insider threat activities, or any other actions that could negatively impact the system's performance. The INSM standard is designed to provide a more comprehensive approach to security monitoring within a company's ESP.
NERC-CIP classifies different types of control sets based on the types of assets being run. High impact assets, such as big generators and long-haul transmission, will have a higher level of control set requirements compared to low impact assets.
While INSM provides an additional layer of security for the power industry, Patrick points out that the new development lacks incident response components. He sees benefits and drawbacks to this: it gives utilities the flexibility to handle incidents as they see fit, but it also places the liability on them if they do not take appropriate action.
Deploying the INSM will be a challenge for organizations, as every organization is at a different stage and has a different architecture. The architecture would involve getting traffic off of the east-west wire and copying all of it to a SPAN port that the monitoring tooling can watch. However, not all organizations have the necessary technology in place to implement the new requirement effectively.
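To make the east-west monitoring idea from the discussion above concrete, here is an added example that is not part of the podcast episode or of any product mentioned in it. It assumes the SPAN feed has already been parsed into simple comma-separated flow records (timestamp, source host, destination host, destination port, and the account name where the protocol exposes one); the host names, ports and accounts are constructed for illustration. It learns a baseline of which hosts talk to which inside the ESP and which hosts each account is normally used from, then flags traffic that departs from that baseline, which is the "illegitimate use of credentials" and "new lateral path" signal INSM is meant to surface.

```python
"""Toy east-west anomaly detector over flow records taken from a SPAN port.

Added example, not from the podcast. Assumed input format (constructed):
    timestamp, src_host, dst_host, dst_port, user
where `user` is empty when no account is visible on the wire. A real
deployment would consume Zeek conn/auth logs or NetFlow from the SPAN feed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    user: str  # "" when the protocol carries no account name


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    ts, src, dst, dport, user = (f.strip() for f in line.split(","))
    return Flow(ts, src, dst, int(dport), user)


class EastWestBaseline:
    """Baseline of normal east-west traffic learned during a quiet window."""

    def __init__(self) -> None:
        self.paths = set()                    # (src, dst, dport) tuples seen
        self.user_hosts = defaultdict(set)    # account -> hosts it was used from

    def learn(self, flows) -> None:
        for f in flows:
            self.paths.add((f.src, f.dst, f.dport))
            if f.user:
                self.user_hosts[f.user].add(f.src)

    def detect(self, flows):
        """Return (reason, flow) pairs for traffic outside the baseline."""
        alerts = []
        for f in flows:
            if (f.src, f.dst, f.dport) not in self.paths:
                alerts.append(("new-east-west-path", f))
            if f.user and f.src not in self.user_hosts.get(f.user, set()):
                # Known account appearing from a host it never used before:
                # the classic "legitimate credential, illegitimate use" pattern.
                alerts.append(("credential-from-new-host", f))
        return alerts


# Constructed learning window: ordinary HMI polling, engineering access
# and a service account writing to the historian.
BASELINE_LINES = [
    "2024-05-01T08:00:00, hmi-01, plc-01, 502, ",
    "2024-05-01T08:00:05, hmi-01, plc-02, 502, ",
    "2024-05-01T08:01:00, eng-ws-01, plc-01, 44818, ",
    "2024-05-01T08:02:00, eng-ws-01, historian-01, 1433, svc_hist",
    "2024-05-01T08:03:00, jump-01, eng-ws-01, 3389, jsmith",
]

# Constructed detection window: two normal flows, an HMI opening SSH to a PLC,
# and the historian service account used from a PLC that never used it before.
OBSERVED_LINES = [
    "2024-05-02T03:10:00, hmi-01, plc-01, 502, ",
    "2024-05-02T03:11:00, hmi-01, plc-02, 22, ",
    "2024-05-02T03:12:00, plc-02, historian-01, 1433, svc_hist",
    "2024-05-02T03:13:00, jump-01, eng-ws-01, 3389, jsmith",
]


def run_demo():
    """Learn from BASELINE_LINES, then score OBSERVED_LINES."""
    baseline = EastWestBaseline()
    baseline.learn(parse_flow(l) for l in BASELINE_LINES)
    return baseline.detect(parse_flow(l) for l in OBSERVED_LINES)


if __name__ == "__main__":
    for reason, flow in run_demo():
        print(f"{flow.ts} {reason}: {flow.src} -> {flow.dst}:{flow.dport} user={flow.user or '-'}")
```

The baseline here is a plain set of observed paths, which is deliberately strict: in practice the learning window must be long enough to cover periodic traffic (backups, patch pulls, engineering sessions), otherwise the first monthly job after go-live shows up as an anomaly and the alerts get tuned out.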
Aaron and Patrick also discussed another federal law related to the deployment of technology in substations across the country. Some of the challenges here revolve around the need for qualified resources, the competition for those resources, and the timeline for implementing the law. They also discussed the budgetary considerations for companies regarding compliance programs and the importance of finding the capital for these projects, given the various external pressures, including those from state regulators and cyber insurance.
There was also an interesting discussion in this episode about the relationship between cybersecurity and operational reliability. They agreed that the FERC directive was rolled out with the goal of improving operational reliability and understanding the network environment. They emphasized the significance of being aware and proactive about cybersecurity, as neglecting it could result in security breaches.
While the implementation of the INSM standard may present challenges, they both agreed that it is a good and important step towards improving operational reliability and cybersecurity in the power sector.
Make sure to catch the full episode on the PrOTect OT Cybersecurity Podcast.