On June 20, 2019, the Federal Energy Regulatory Commission (FERC) approved the electric grid cybersecurity reliability standard CIP-008-6, Cyber Security—Incident Reporting and Response Planning. The stated purpose of the standard is “to mitigate the risk to the reliable operation of the BES [Bulk Electric Systems] as the result of a cybersecurity incident by specifying incident response requirements.”
CIP-008-6 at a glance
The CIP-008-6 standard, which replaces the existing CIP-008-5 standard, came as a response to FERC Order No. 848 of 2018, which called for modifications to augment the mandatory reporting of cybersecurity incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES. FERC directed the North American Electric Reliability Corporation (NERC) to develop and submit modifications to the Reliability Standards to broaden the mandatory reporting of cybersecurity incidents to include compromises of, or attempts to compromise, a registered entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).
The new reporting requirements mark a significant change from CIP-008-5, which only requires reporting of incidents that have actually compromised or disrupted one or more reliability tasks. Based on the modified reliability standard, the Responsible Entities need to develop incident response plans to detect incidents that affect BES Cyber Systems, minimize loss and destruction, mitigate weaknesses that were exploited, and help to restore capabilities.
The requirements in CIP-008-6 specify processes and procedures to be included in Cyber Security Incident response plans, implementation and testing of these plans, maintenance of these plans, and mandatory reporting on certain Cyber Security Incidents to facilitate information sharing on threats among relevant entities.
Consistent with the Commission’s directive, the standard also:
- Requires certain minimum information be included in the incident reports
- Includes deadlines for submitting the incident reports
- Requires the incident reports to be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as National Cybersecurity and Communications Integration Center (NCCIC), in addition to the Electricity Information Sharing and Analysis Center (E-ISAC).
What is to be reported?
For the Responsible Entities to understand when the reporting process is activated, it is important to have a thorough understanding of what a cybersecurity incident is and what constitutes a reportable cybersecurity incident. NERC has developed an implementation guide for CIP-008-6 where it is defined that:
A Cyber Security Incident is a malicious act or suspicious event that:
- For high or medium Impact BES Cyber Systems, compromises, or attempts to compromise (1) an Electronic Security Perimeter, (2) a Physical Security Perimeter, (3) an Electronic Access Control or Monitoring System; or
- Disrupts, or was an attempt to disrupt, the operation of a BES Cyber System.
A Reportable Cyber Security Incident is a cybersecurity incident that compromised or disrupted:
- A BES Cyber System that performs one or more reliability tasks of a functional entity
- An Electronic Security Perimeter of a high or medium impact BES Cyber System; or
- An Electronic Access Control or Monitoring System of a high or medium impact BES Cyber System.
Cyber Security Incidents are not reportable until the Responsible Entity determines that an incident can be classified as a Reportable Cyber Security Incident or meets the Responsible Entity’s established criteria for attempts to compromise according to Requirement R1 Parts 1.2.1 and 1.2.2. When these thresholds are reached, reporting to both E-ISAC and NCCIC is required. The table below, extracted from the NERC CIP-008-6 Implementation Guide, summarizes the reporting requirements.
CIP-008-6 Table R1 — Cyber Security Incident Response Plan Specifications
Part | Applicable Systems | Requirements
1.2 | High Impact BES Cyber Systems and their associated: …; Medium Impact BES Cyber Systems and their associated: … | One or more processes: 1.2.1 That include criteria to evaluate and define attempts to compromise; 1.2.2 To determine if an identified Cyber Security Incident is: …; 1.2.3 To provide notification per Requirement R4.
The determination of reportability for compromises or for attempts to compromise thus becomes a matter of applying criteria that build upon the definition of Cyber Security Incident.
What is the reporting process?
According to the Reliability Standard and the complementary Implementation Guide, there is a progression from identification through assessment and response before a detected event or condition elevates to a reportable level.
The first step is for the Registered Entity to determine whether a situation meets the criteria to be classified as a Cyber Security Incident. Once the assessment has led to a Registered Entity’s decision that the event meets the definition of Cyber Security Incident, additional evaluation occurs to determine if established criteria or thresholds have been met for the Registered Entity to classify the Cyber Security Incident as one of the two reportable conditions:
- Reportable Cyber Security Incident.
- An attempt to compromise one or more systems identified in the “Applicable Systems” column for Requirement R4 Part 4.2.
Cyber Security Incidents
The investigation may reach the following classifications:
- Regular cyber events that represent a normal level of events where no further investigation is required such as random port-scans.
- Low-risk incidents may be cyber events that become cyber incidents because they are beyond the normal level of events and require some type of investigation. Cyber incidents that are blocked at a firewall and found not to be malicious or suspicious could fall into this category.
- Medium-risk incidents may be those cyber incidents that the entity has determined were malicious or suspicious and required mitigation activities. While these cyber incidents were malicious or suspicious, they might not meet the definition of a Cyber Security Incident because the entity investigated and determined that the target was not a BCS (BES Cyber System), ESP, PSP (Physical Security Perimeter) or EACMS.
- High-risk incidents may be those cyber incidents that the entity has determined were malicious or suspicious and did meet the definition of Cyber Security Incident. For example, malware on a corporate asset that repeatedly attempts to log into a SCADA Interactive Remote Access Intermediate System but is unsuccessful. This would be a Cyber Security Incident and should also fall into the entity’s definition of a Cyber Security Incident that attempted to compromise a system identified in the “Applicable Systems” column for the part, the target being an EACMS.
- Severe-risk incidents may be those Cyber Security Incidents that involve successful compromise of an ESP or EACMS and hence meet the criteria for Reportable Cyber Security Incident. These may also escalate from Cyber Security Incidents that attempted to compromise a system identified in the “Applicable Systems” column.
- Emergency-risk incidents may be those Cyber Security Incidents that compromise or disrupt a BCS that performs one or more reliability tasks of a functional entity. These incidents may represent an immediate threat to BES reliability and may require emergency actions such as external assistance.
These incident categories can be mapped into a standard incident classification and reporting schema like the NCCIC Cyber Incident Scoring System, which is used by the US Federal Cybersecurity Centers for describing the severity of cyber incidents.
Attempts to compromise
Apart from determining if an event is a Cyber Security Incident, Responsible Entities must decide whether an event is an attempt to compromise. Therefore, they should evaluate and determine what is normal within their environment to help define what constitutes “an attempt to compromise” in the context of CIP-008 and should document established criteria within the entity’s processes. This can help Subject Matter Experts (SMEs) identify deviations from normal and assist a Registered Entity in timely and effective incident identification, response, and vital information sharing.
An entity could define an “attempt to compromise” as an act with malicious intent to gain access or to cause harm to the normal operation of a Cyber Asset in the “Applicable Systems” column. Examples of attempts to compromise could be:
- Scanning a Cyber Asset for vulnerabilities, or to verify its existence, where the scan is not approved by the entity’s management or processes. This could originate from the entity’s own equipment as a result of an upstream compromise or malware.
- Attempts by a user to access a Cyber Asset that fail because the user is not authorized, where the user intended to gain access without any approval having been given.
- Attempts to escalate privileges on a Cyber Asset by an authorized user that has been determined to fail due to not being authorized for that privilege level.
Registered Entities should leverage system architectures that limit exposure for ‘attempts to compromise’. Techniques like the implementation of security zones and network segmentation can minimize the level of traffic that can get to applicable Cyber Assets and minimize the attack surface.
Notification process
If the investigation’s findings indicate that the Cyber Security Incident has targeted or impacted the BES Cyber System performing reliability tasks and/or cybersecurity functions of the Applicable Systems, associated Cyber Assets, and/or perimeters, the notification and reporting timeframes and obligations begin.
The initial notification should be submitted within the required timeframes, defined in Requirement R4 Part 4.2, even if the required attributes are not yet known. These attributes include, at a minimum, the following:
- The functional impact
- The attack vector used
- The level of intrusion that was achieved or attempted.
If not all attributes were known by the time of the initial notification, all newly known information is reported in the updates. A Registered Entity’s reporting obligations are met once known information for the three required attributes has been reported to E-ISAC and NCCIC, either during the initial notification or subsequently through one or more updates made within the reporting timeframes.
The CIP-008-6 Implementation Guide provides flow diagrams that facilitate the reporting process.
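The risk tiers under “Cyber Security Incidents”, the two notification triggers, and the three required report attributes described above can be encoded as a single triage procedure. The following is an added example, not code from the ITEGRITI post or from NERC’s Implementation Guide; every type name, field name, the ATTEMPT_TARGETS rule standing in for an entity’s own R1 Part 1.2.1 criteria, and the sample events are assumptions made for illustration.

```python
"""CIP-008-6 triage helper (added example, not from the post or from NERC).

Encodes the risk tiers, the Cyber Security Incident definition, the two R4
notification triggers and the three required report attributes from the
text above. Names, the ATTEMPT_TARGETS rule and the sample events are
assumptions; a Registered Entity substitutes its own criteria and baseline.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Asset(Enum):
    NON_CIP = auto()   # e.g. a corporate workstation outside CIP scope
    BCS = auto()       # BES Cyber System
    ESP = auto()       # Electronic Security Perimeter
    PSP = auto()       # Physical Security Perimeter
    EACMS = auto()     # Electronic Access Control or Monitoring System


class Outcome(Enum):
    BLOCKED = auto()      # never reached the target (dropped at a firewall)
    ATTEMPTED = auto()    # reached the target but failed (failed logins)
    COMPROMISED = auto()  # successful compromise
    DISRUPTED = auto()    # operation of a BCS disrupted


@dataclass
class CyberEvent:
    description: str
    target: Asset
    impact: str                   # impact rating of the BCS involved: high/medium/low/none
    malicious_or_suspicious: bool
    outcome: Outcome
    beyond_normal: bool           # exceeds the entity's documented baseline


PERIMETER = {Asset.ESP, Asset.PSP, Asset.EACMS}
# Assumed stand-in for the entity's R1 Part 1.2.1 criteria: a malicious blocked
# or failed action against one of these targets counts as an attempt to compromise.
ATTEMPT_TARGETS = {Asset.BCS, Asset.ESP, Asset.EACMS}


def is_cyber_security_incident(ev: CyberEvent) -> bool:
    """Two-prong definition: perimeter of a high/medium BCS, or the BCS itself."""
    if not ev.malicious_or_suspicious:
        return False
    if ev.target in PERIMETER and ev.impact in ("high", "medium"):
        return True
    return ev.target is Asset.BCS


def reportable_condition(ev: CyberEvent):
    """Return 'reportable', 'attempt' or None (the two R4 notification triggers)."""
    if not is_cyber_security_incident(ev):
        return None
    if ev.outcome in (Outcome.COMPROMISED, Outcome.DISRUPTED):
        # Reportable Cyber Security Incident: BCS, ESP or EACMS actually compromised
        # or disrupted. A PSP compromise is an incident to respond to, but not in that list.
        return "reportable" if ev.target in (Asset.BCS, Asset.ESP, Asset.EACMS) else None
    return "attempt" if ev.target in ATTEMPT_TARGETS else None


def risk_tier(ev: CyberEvent) -> str:
    """Map an event to the regular/low/medium/high/severe/emergency tiers."""
    if not ev.beyond_normal:
        return "regular"        # e.g. a random port scan
    if not ev.malicious_or_suspicious:
        return "low"            # investigated, found benign
    if not is_cyber_security_incident(ev):
        return "medium"         # malicious, but target is not a BCS/ESP/PSP/EACMS
    if ev.target is Asset.BCS and ev.outcome in (Outcome.COMPROMISED, Outcome.DISRUPTED):
        return "emergency"      # BCS performing reliability tasks compromised/disrupted
    if reportable_condition(ev) == "reportable":
        return "severe"         # ESP or EACMS successfully compromised
    return "high"               # Cyber Security Incident, attempt only


REQUIRED_ATTRIBUTES = ("functional_impact", "attack_vector", "level_of_intrusion")


@dataclass
class Notification:
    """Tracks the initial E-ISAC/NCCIC notification and the follow-up updates."""
    condition: str
    known: dict = field(default_factory=dict)
    updates: int = 0

    def report(self, **attrs) -> list:
        """Initial notification or an update; returns the attributes still unreported."""
        self.updates += 1
        self.known.update({k: v for k, v in attrs.items() if k in REQUIRED_ATTRIBUTES and v})
        return [a for a in REQUIRED_ATTRIBUTES if a not in self.known]

    def obligations_met(self) -> bool:
        return all(a in self.known for a in REQUIRED_ATTRIBUTES)


# Constructed sample events, one per tier.
SAMPLE_EVENTS = [
    CyberEvent("random internet port scan of a public address", Asset.NON_CIP, "none",
               False, Outcome.BLOCKED, beyond_normal=False),
    CyberEvent("unusual traffic dropped at the firewall, traced to a benign misconfiguration",
               Asset.NON_CIP, "none", False, Outcome.BLOCKED, beyond_normal=True),
    CyberEvent("malware on a corporate workstation with no path to CIP assets",
               Asset.NON_CIP, "none", True, Outcome.COMPROMISED, beyond_normal=True),
    CyberEvent("malware repeatedly failing to log in to the Interactive Remote Access Intermediate System",
               Asset.EACMS, "high", True, Outcome.ATTEMPTED, beyond_normal=True),
    CyberEvent("attacker gains a shell on an EACMS jump host", Asset.EACMS, "medium",
               True, Outcome.COMPROMISED, beyond_normal=True),
    CyberEvent("ransomware halts a SCADA server inside the ESP", Asset.BCS, "high",
               True, Outcome.DISRUPTED, beyond_normal=True),
]


def triage(events=SAMPLE_EVENTS) -> list:
    return [(risk_tier(ev), reportable_condition(ev)) for ev in events]


if __name__ == "__main__":
    for ev, (tier, cond) in zip(SAMPLE_EVENTS, triage()):
        print(f"{tier:>9} {cond or '-':>10}  {ev.description}")
```

The tier function deliberately tests the baseline first, then intent, then the definition, then outcome, so an analyst reading a classification can see exactly which documented criterion moved an event up a tier; the Notification tracker keeps the initial report and every update in one record so the “obligations met” decision is auditable.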
A risk-based approach is required
Entities should use risk-based methods for the classification of cyber incidents into Cyber Security Incidents, Reportable Cyber Security Incidents, or Cyber Security Incidents that attempted to compromise a system identified in the “Applicable Systems” column. The risk-based approach allows entities the flexibility to customize the appropriate response actions without being administratively burdened by a one-size-fits-all solution.
A risk-based approach considers the number of cyber security related event occurrences, the probability that the events will have an impact on the entity’s facilities, and the severity of that impact. This allows the entity to decide when cyber events should be investigated as cyber incidents, how cyber incidents are classified, and when a cyber incident should be reported.
Registered Entities should keep in mind that appropriate reporting of cyber incidents helps other entities in similar situations. The reporting of the details of an incident serves to alert other entities so they may increase their vigilance and take timely preventive or mitigating actions. All entities stand to benefit from such shared information in the long run.
At ITEGRITI we believe that cybersecurity is risk management. Cybersecurity programs should be based on strategy established through risk assessments. To discover steps to be successful in your NERC CIP audit read this blog and contact us to see how we can help you meet the NERC CIP requirements. To learn how, visit our website.