An Analysis of the 2021 NERC Annual Report & Planning for a Secure Future

Originally published on April 14, 2022.

The North American Electric Reliability Corporation (NERC) ensures the security of assets required for operating North America’s electric system, and demonstrates a standard of excellence within the critical infrastructure sectors. In conjunction with its requirements, the Electricity Information Sharing and Analysis Center (E-ISAC) is another sign of cybersecurity maturity – validating the importance of cybersecurity to NERC. NERC’s 2021 Annual Report, released in February, drew attention to supply chain vulnerabilities, ransomware, and CIP to outline the reality of an increased attack surface that comes with digital transformation in the energy industry.

Reliability also matters to NERC, so much so that there is an Electric Reliability Organization (ERO) Enterprise team, comprised of NERC and its Regional Entities. And while reliability encompasses a lot of topics, such as severe weather, cybersecurity plays a major role. The 2015 cyberattack on Ukraine’s power grid is at the forefront of everyone’s mind with the ongoing conflicts with Russia.

These cybersecurity concerns are not without merit. The Biden Administration sanctioned Russia for its involvement in the SolarWinds supply chain hack, which enabled hackers to gain remote access and impact nine federal agencies and about 100 private-sector SolarWinds customers. NERC reports that the E-ISAC worked closely with various government agencies and formed a tiger team to coordinate an industry response to the attack. More recently, the Log4j vulnerability has reignited concerns about third-party risk.

Russia has also been viewed as a safe haven for ransomware attacks, which have reached record-breaking levels during the past two years. The Colonial Pipeline attack and its associated shutdown hit particularly close to home for the electrical sector, and NERC is urging a continued focus on improving defenses by increasing information sharing through the E-ISAC.

Powering Up Security with Information Sharing, Analysis and Engagement

According to NERC, the three pillars of E-ISAC’s Long-Term Strategic Plan are information sharing, analysis, and engagement. These principles are intended for information sharing throughout the industry, but they must begin internally. Developing a security operations center (SOC) and an incident response (IR) team goes a long way toward improving cybersecurity maturity, but the most advanced organizations are turning toward tools that can help automate and orchestrate as many of the manual processes involved as possible.

NERC has also approved three new CIP requirements, collectively known as the Supply Chain Standards, which go into effect on October 1, 2022. Managing these regulations can be challenging, as Operational Technology (OT) environments add complexity to traditional IT environments because OT environments are typically isolated from IT systems. Even air-gapped networks are vulnerable to the direct physical access that IT and OT teams, engineers and contractors require to operate, maintain, update, audit, and manage these systems with portable media. While challenging, a response to these scenarios may be deploying a physical appliance, such as OPSWAT’s MetaDefender Kiosk, to scan portable devices and removable media for cybersecurity risks before entering high-security facilities.

As the government places an enhanced focus on cybersecurity and critical infrastructure protection, it seems that NERC is a step ahead of many other critical infrastructure sectors. As Zero Trust enters the national conversation about cybersecurity, it is important to begin with a foundation of visibility, analytics, automation, and orchestration.

Learn how OPSWAT OT & Industrial Cybersecurity Solutions can help safeguard your critical environments, and contact one of our cybersecurity experts for more information.
