Energy utilities are prime targets for cyber threats, especially nation-state attacks. This was re-emphasized recently by the advisory on the state-sponsored adversary “Volt Typhoon.”

Most utilities within the NERC footprint are actively hunting for threats, indicators of compromise, and system log entries that might point to active targeting of their environments. Some actions mandated by NERC CIP help these entities identify malicious activity and events perpetrated by these attackers. One such CIP standard is CIP-010, Configuration Change Management and Vulnerability Assessments.

Cyber-attacks are increasing in frequency and intensity. Utilities in the energy sector need to be prepared to defend against threats including phishing, denial of service (DoS), zero-day exploits, and advanced persistent threats (APTs) with advanced vulnerability prioritization and orchestration.

Utility vulnerability management programs include both CIP assets (BES Cyber Systems) and non-CIP assets (workstations, servers, virtual desktop infrastructure, cloud, and first-party and third-party software). The cybersecurity of both types of assets is critical to preventing malicious cyber activity and enabling effective risk-based vulnerability management (RBVM) programs.

To prepare for and prevent these types of attacks, CIP-010 specifies requirements for BES Cyber Systems. The requirements in CIP-010 enhance utilities’ security practices around monitoring, remediating configuration issues, and establishing basic requirements for vulnerability management programs.

To effectively meet these requirements, energy utilities need a solution that will monitor, prioritize, and aid in remediating vulnerabilities and configuration issues quickly. In addition, it is crucial that this software solution has compliance workflows and reporting built in to enable automated regulatory mandate handling and audit evidence preparation activities to support NERC CIP enforcement actions.

Fortress’s vulnerability management solution is built for energy utilities and monitors OT, IT, and IoT/IIoT devices to manage all CIP-regulated BES Cyber Systems in a centralized single-pane view. CIP-010 compliance controls are built into the Fortress Platform to enable streamlined and cost-effective compliance across the entire cyber infrastructure. These capabilities can be included in utilities’ Cyber Supply Chain Risk Management (C-SCRM) programs.


Regulations for CIP Assets

CIP-010 was created to guide utilities and mandate necessary operations to keep BES Cyber Systems safe from threats. Non-compliance with these mandates can have steep penalties that cost significantly more than implementing appropriate controls and programs, as well as put the bulk electric system at greater risk to cyber-attacks.

Fortress AVM is a comprehensive solution that meets all four (4) CIP-010-4 requirements and tracks non-CIP assets:

  • R1 and R2 address baseline configuration management and the ability to detect deviations from the baseline. Fortress’s vulnerability management identifies these baseline deviations through integrations with configuration management databases, scanners, and sensors, and enables efficient vulnerability remediation and mitigation.
  • R3 addresses vulnerability assessments for medium- and high-impact CIP assets. Fortress enables vulnerability assessments and management of remediation for the CIP assets.
  • R4 addresses tracking transient cyber assets and removable media. Fortress enables tracking of these assets and media.

As a side note, the requirements in CIP-010-4 build upon the two asset inventory requirements in CIP-002-5.1a (R1 and R2), which inventory assets and rank them as high, medium, or low impact BES Cyber Systems. Solid foundational vulnerability and configuration management programs inform the CIP-002 asset inventory and produce evidence that discovered assets were detected and enrolled in those programs. They can also identify recently retired assets that are missing from the programs.
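To make the R1/R2 and asset-inventory points above concrete, here is an added, illustrative baseline-deviation check. It is not Fortress code and does not use the Fortress Platform; the snapshot layout, the change-record format and the two sample assets are constructed for this example. The five baseline categories follow the items CIP-010 R1 Part 1.1 asks a baseline to document; the category key names, asset names, version strings and patch IDs are assumptions. Each difference between the approved baseline and a freshly collected snapshot is reported, and a deviation with no matching change record is flagged as unauthorized (the case R2 monitoring is meant to surface). Assets that have a baseline but returned no snapshot are reported separately, which is the “retired or missing asset” situation the preceding paragraph describes.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Baseline items CIP-010 R1 Part 1.1 asks an entity to document for each
# BES Cyber System. The key names are chosen for this example.
BASELINE_CATEGORIES = (
    "os_firmware",          # operating system or firmware and version
    "commercial_software",  # commercially available / open-source software
    "custom_software",      # custom software
    "open_ports",           # logical network accessible ports
    "security_patches",     # applied security patches
)

# One snapshot = {category: {item: value}}; a value is a version, a service
# name for a port, or "applied" for a patch.
Snapshot = Dict[str, Dict[str, str]]
# A change-management record: (asset, category, item) tuples that a ticket
# authorized. Constructed format for this example.
ChangeRecord = Set[Tuple[str, str, str]]


@dataclass(frozen=True)
class Deviation:
    asset: str
    category: str
    kind: str        # "added", "removed" or "changed"
    item: str
    detail: str
    authorized: bool


def diff_snapshot(asset: str, baseline: Snapshot, current: Snapshot,
                  approved: ChangeRecord) -> List[Deviation]:
    """Compare a current snapshot against the asset's approved baseline."""
    found: List[Deviation] = []
    for category in BASELINE_CATEGORIES:
        # A category absent from either side is treated as empty rather than
        # raising, so a partial collector result still yields a comparison.
        before = baseline.get(category, {})
        after = current.get(category, {})
        for item in sorted(set(before) | set(after)):
            if item not in after:
                kind, detail = "removed", before[item]
            elif item not in before:
                kind, detail = "added", after[item]
            elif before[item] != after[item]:
                kind, detail = "changed", f"{before[item]} -> {after[item]}"
            else:
                continue
            found.append(Deviation(asset, category, kind, item, detail,
                                   (asset, category, item) in approved))
    return found


def diff_fleet(baselines: Dict[str, Snapshot], currents: Dict[str, Snapshot],
               approved: ChangeRecord) -> Tuple[List[Deviation], List[str]]:
    """Diff every baselined asset; also list assets with no current snapshot
    (retired or unreachable assets the inventory still carries)."""
    deviations: List[Deviation] = []
    missing: List[str] = []
    for asset, baseline in sorted(baselines.items()):
        if asset not in currents:
            missing.append(asset)
            continue
        deviations.extend(diff_snapshot(asset, baseline, currents[asset], approved))
    return deviations, missing


def unauthorized(deviations: Iterable[Deviation]) -> List[Deviation]:
    """Deviations with no matching change record: the ones to investigate."""
    return [d for d in deviations if not d.authorized]


# Constructed sample data for two assets (names, versions and patch IDs are
# placeholders, not real inventory).
BASELINES: Dict[str, Snapshot] = {
    "ems-hmi-01": {
        "os_firmware": {"os": "Windows Server 2019 build 17763"},
        "commercial_software": {"scada-hmi": "9.2.1", "antivirus": "14.3"},
        "custom_software": {"alarm-export": "1.4"},
        "open_ports": {"3389/tcp": "rdp", "443/tcp": "https"},
        "security_patches": {"KB-EXAMPLE-A": "applied"},
    },
    "rtu-gw-07": {
        "os_firmware": {"firmware": "3.1.2"},
        "open_ports": {"20000/tcp": "dnp3"},
    },
}
CURRENT_SNAPSHOTS: Dict[str, Snapshot] = {
    "ems-hmi-01": {
        "os_firmware": {"os": "Windows Server 2019 build 17763"},
        "commercial_software": {"scada-hmi": "9.3.0", "antivirus": "14.3", "remote-tool": "2.0"},
        "custom_software": {"alarm-export": "1.4"},
        "open_ports": {"3389/tcp": "rdp", "443/tcp": "https", "5900/tcp": "vnc"},
        "security_patches": {"KB-EXAMPLE-A": "applied", "KB-EXAMPLE-B": "applied"},
    },
    # rtu-gw-07 returned no snapshot: it is reported as missing, not skipped.
}
APPROVED: ChangeRecord = {
    ("ems-hmi-01", "commercial_software", "scada-hmi"),  # HMI upgrade ticket
    ("ems-hmi-01", "security_patches", "KB-EXAMPLE-B"),  # patch cycle ticket
}

if __name__ == "__main__":
    devs, missing = diff_fleet(BASELINES, CURRENT_SNAPSHOTS, APPROVED)
    for d in devs:
        flag = "ok " if d.authorized else "!! "
        print(f"{flag}{d.asset} {d.category} {d.kind} {d.item} ({d.detail})")
    for asset in missing:
        print(f"?? {asset}: no current snapshot collected")
```

Run stand-alone, the sample yields four deviations: the HMI upgrade and the new patch match change tickets, while the unexpected remote-access tool and the newly listening VNC port do not and are flagged for investigation; the RTU gateway is reported as having no snapshot. The output of such a comparison, together with the matching change records, is the kind of evidence an R1/R2 audit asks for.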


Fortress Managed Services

Fortress deploys collaborative and comprehensive managed services to handle the day-to-day vulnerability management operations including:

  • Discover assets, vulnerabilities, and configuration issues
  • Enrich findings with context, threat, network, and exploitability data
  • Prioritize efforts using risk-based, policy-aligned metrics and compliance-mandated timelines
  • Assess applicability of mitigations and remediations tailored to asset context
  • Act to facilitate collaboration with approvers, stewards, and points of escalation
  • Verify that actions (remediation or mitigation) effectively addressed the findings

Fortress Managed Services improve client outcomes and create a much more efficient vulnerability management process. Additionally, they free valuable staff from day-to-day vulnerability operations so they can focus on other tasks, lowering overall labor costs.


Realized Outcomes

  • Automation throughout the vulnerability and configuration management process
  • Baseline deviation detection and remediation
  • CIP and non-CIP asset vulnerability assessments leading to remediation
  • Lower overall risk to the utility through enhanced visibility, prioritization, and tracking of remediation activities
  • Streamlined audit preparation for NERC CIP audits and centralized evidence collection
  • Compliance with NERC CIP requirements

Fortress’s vulnerability management solution and associated managed services are the only conclusive vulnerability management solution on the market that guarantees service-level results. Additionally, the program can be funded through capital investments to free up operations and maintenance (O&M) funds while reducing total cost of ownership.
