NERC CIP Version 5 – The Uncertainty is Over

Late last month, the Federal Energy Regulatory Commission (FERC) approved Version 5 of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards. With the approval of Version 5, FERC effectively eliminates Version 4 of the standard, clearing up the uncertainty that froze progress on most CIP programs by approving a move from Version 3 directly to Version 5. This is great news for utilities, which can now move forward with strengthening security programs after eight months of minimizing change while waiting for the new standards.

A new approach to cybersecurity

NERC CIP Version 5 is an improvement over Versions 3 and 4 in several ways. First, the standards embody a new approach that encourages the development of a culture of security and due diligence by responsible entities, in addition to the culture of compliance encouraged in CIP versions 1 through 4. To accomplish this, the V5 standards focus on what security objectives must be accomplished, and when they must be accomplished, but leave discretion as to how to achieve those objectives. For example, the much-maligned anti-virus requirement in CIP-007-3 has been replaced with a set of malicious code prevention requirements, which do not mandate specific anti-virus technologies, but allow BES entities to apply one or more technologies from a set that now includes sophisticated application control  or white-listing, and removable device control technologies.

Other technology-focused improvements include mandating the use of network intrusion detection capabilities for the highest-impact cybersystems. With this measure, the V5 standards echo the FERC assertion that a single layer of firewall is not sufficient perimeter protection for high impact BES cybersystems. Often, just one small mistake in a firewall configuration is all that it takes to bypass security rules and effectively turn the firewall into no more than a router. The V5 standard also includes three new requirements governing interactive remote access, including a requirement for multifactor authentication.

Unidirectional security gateways get their due recognition

In addition, the NERC CIP Version 5 standards are among the first in the world to begin to address modern cyberattack patterns by encouraging the use of unidirectional security gateway technology. Unlike firewalls, which can easily be breached and whose vulnerabilities are well-known to adversaries, unidirectional security gateways are one-way communications hardware devices that replicate servers in real time to send information out of control system networks without any risk of a cyberattack getting back in.  

The security threats facing our critical infrastructure are very real. While no system is ever completely secure, there is still much work to be done to ensure our defenses are more than a match for the capabilities of our adversaries. NERC CIP Version 5 gives utilities a platform on which to improve their defenses and options to secure the reliability of those defenses via technology such as unidirectional security gateways. Now that the uncertainty is over, we can make serious progress toward securing our critical infrastructure.

To stay up to speed on NERC CIP updates, follow @WaterfallSecure. For more information about how Unidirectional Security Gateways can strengthen your security program, email sales@waterfall-security.com.