Protect

Protection Overview

Protection Summary Protection is a cyber security focus area that addresses technology, methods, and best practices for protecting generation OT networks and digital equipment against cyber-attacks (e.g., hardening, encryption, identity and access management, etc.). The objective of protection is to prevent an attacker from gaining access or minimize the chance that it occurs. This includes identity and access management, data security, platform security, and the resiliency of the architecture and assets. Protective measures like hardening may also be implemented with existing tools.

Key protection topics include:

• Security Architectures and Segmentation
• Vulnerability Management
• Hardening
• Secure Remote Access
• Transient Cyber Assets and Removable Media
• Identity and Access Management

Segmentation and Security Architectures

• Defensible Network Architectures: Criteria for Secure OT Deployment in Power Systems
• Connected Component Reference Architectures: Securing Connected Components in Power Generation—Interactive Remote Access, Vendor Use Case
• Hydro Power DCS Upgrade Cyber Security Assessment: Cyber Security Technical Assessment Methodology (TAM) Case Study
• Operational Technology (OT) Network Segmentation and Micro-Segmentation Strategies: An Evaluation of Segmentation Strategies in Generation Environments
• Remote Access Jump Host Hardening Field Guide
• Remote Centralization of Operations for Generation in Regard to Control, Instrumentation, and Protection Systems
• SEL 487E Protective Relay Reference Cyber Security Data Sheet (CSDS): Cyber Security Technical Assessment Methodology Use Case Study
• Zero Trust Considerations for Utility OT Cyber Security Strategies

Vulnerability and Patch Management

Vulnerability Management is an ongoing process of identifying, assessing and addressing security vulnerabilities. It involves the systematic discovery, assessment and remediation of vulnerabilities to reduce the risk of cyber attacks and data breaches.

Challenges with vulnerability and patch management in power generation facilities include:

• Many companies utilize a manual process of identifying, prioritizing, and remediating vulnerabilities in OT systems. This process is time-consuming and error-prone.
• Companies implement automated vulnerability scanning tools and threat intelligence feeds – prioritizing vulnerabilities based on their potential impact on operations. These tools typically require manual effort to review and disposition OT impact.
• Dependencies on third parties can introduce delays in the process of vulnerability remediation. Vendors validating the patches before the release can leave systems exposed for longer durations. To overcome this, a streamlined process should be established for validating and deploying the patches promptly.
• Vulnerability advisories are not entirely accurate. In 2022 approximately 34% of vulnerabilities were found to be inaccurate. (Source: Dragos)
• Adversaries interested in attacking old and unpatched vulnerabilities – The most exploited vulnerability of 2022 (Product - FortiOS and FortiProxy) was discovered in 2018

Current vulnerability and patch management key practices include continuous monitoring, automated patch deployment, and vendor patch support and outsourcing:

• Continuous Monitoring. Deploying automated tools to assess and monitor. Proper configuration and management of data should be done to avoid a significant backlog of data and alerts.
• Automated Patch Deployment. Cautiously deploy automated tools using test environments, change management, and rollback plans to avoid accidentally disrupting operations.
• Vendor Support. Collaborate with vendors/suppliers to test and deploy patches promptly.

Relevant EPRI Resources

• Risk-Informed Vulnerability and Patch Management Guide: Generation Cyber Security
• Advanced Vulnerability Grading Tool (AVGT) v 1.1
• Distributed Control Systems, Automation Technologies, and Embedded Security: Generation Cybersecurity
• Control System Protocols and Security Scanning: Guideline on Cyber Security Scanning for Generation Plant Control Systems
• Cyber Security Technical Assessment Methodology: Risk Informed Exploit Sequence Identification and Mitigation, Revision 1
• Patch Management Guideline CBT Transfer Module, version 1.0
• Patch Management Guidelines

Hardening

Hardening is the process of securing systems and devices by reducing their attack surface and minimizing vulnerabilities. It involves configuring OT components with security best practices like limiting unnecessary access, disabling the ports and services not in use, and implementing strong authentication controls and encryption.

Challenges with hardening in power generation facilities include:

• Diverse & Legacy Systems makes it difficult to apply uniform hardening measures
  • Comprehensive asset inventory, prioritizing critical assets and gradually replacing legacy devices
• Customized devices are not designed to handle traditional security configurations and can be too resource-intensive
• Lightweight and critical controls should be implemented first.

Current hardening key practices include vendor hardening, company-specific baselines, and asset configuration management:

• Hardening is often performed during installation. Vendors typically have security hardening standards and images that are followed.
• Address regulatory requirements, industry standards, and company-specific baselines.
• Documentation asset configurations in conjunction with hardening.

Hardening Implplementation

Relevant EPRI Resources

• Generation Plant Equipment Cyber Security Hardening Field Guide: National Instruments cRIO Controller
• Generation Plant Equipment Cyber Security Hardening Field Guide: Siemens S7 Controller
• Generation Plant Equipment Cyber Security Hardening Field Guidebook
• Generation Plant Equipment Cyber Security Hardening Guide: CompactLogix™ 5370-1769-L24ER-QB1B Programmable Automation Controller
• Generation Plant Equipment Cyber Security Hardening, Field Guide: Allen Bradley Stratix 5700
• Guideline on Digital I&C Configuration Management and Hardening for Generation Facilities
• Guideline on Digital I&C Configuration Management and Hardening for Generation Facilities Computer Based Technology Transfer Module, version 1.0
• Remote Access Jump Host Hardening Field Guide
• Transient Cyber Assets (TCAs) and Removable Media Process Guidance: Generation Cyber Security

Secure Remote Access

Transient Cyber Assets and Removeable Media

Identity and Access Management

Identity and access management (IAM or IdAM) cyber security controls for authentication, authorization, and auditing only allow access when and where required to perform required operations. This includes verifying that the user is who they say they are. Identity and access management restricts unnecessary access and provides proper authentication and authorization methods for operation and maintenance.

IAM Capabilities, per EPRI Identity and Access Managment Guideline

IAM Current Practices and Challenges in energy power generation:

• Control systems utilize traditional methods such as Active Directory and local passwords. Multifactor authentication is implemented in some cases through IT/OT use cases, such as remote access through IT infrastructure.
• Regulatory requirements for remote access users rely on coordinating notifications when roles change.
• Password may eventually obsolete as passkeys and other forms of authentication seem to provide more security in verifying a human and/or device identity in a system.
• The incorporation of cloud computing and digitalized assets, such as IoT devices and mobile devices, increases the need for more protection around understanding who a person is or what a device is and whether should it have access to perform a task. There has been an increase in phishing attacks leading to a greater need for protection beyond passwords.

Relevant EPRI and Industry Resources

• Security Management Controls, NERC CIP-003 standard, Version 9
• Personnel & Training, NERC CIP-004 standard, Version 7
• Electronic Security Perimeter(s), NERC CIP-005 standard, Version 7
• Physical Security of BES Cyber Systems, NERC CIP-006 standard, Version 6
• System Security Management, NERC CIP-007 standard, Version 6
• NIST Special Publication 1800-2, Identity and Access Management for Electric Utilities
• NIST Special Publication 800-162, Guide to Attribute-Based Access Control (ABAC) Definition and Considerations

Relevant EPRI and Industry Resources

• Access Control and Permission Management: Generation Cyber Security - Computer Based Technology Transfer
• Identity and Access Management Guideline: Generation Cyber Security
• Security Management Controls, NERC CIP-003 standard, Version 9
• Personnel & Training, NERC CIP-004 standard, Version 7
• Electronic Security Perimeter(s), NERC CIP-005 standard, Version 7
• Physical Security of BES Cyber Systems, NERC CIP-006 standard, Version 6
• System Security Management, NERC CIP-007 standard, Version 6
• NIST Special Publication 1800-2, Identity and Access Management for Electric Utilities
• NIST Special Publication 800-162, Guide to Attribute-Based Access Control (ABAC) Definition and Considerations