New Reliability Standards Mandate Comprehensive Logging of OT Network Traffic for Power Grid Operators

Recent updates to reliability standards in the U.S. and Canada require major electricity providers to monitor and log traffic inside their operational technology (OT) and industrial control system networks, not just at the perimeter. The aim is to give operators the visibility needed to detect, contain, and respond to intrusions targeting the North American power grid before they can disrupt electricity supply.
Experts in OT security assert that these new requirements arise in response to significant cyberattacks, such as the Russian hacking incidents targeting Ukraine’s power infrastructure and the identification of Chinese actors infiltrating U.S. energy networks. While the directive appears straightforward, the extensive nature of the regulations coupled with the complexity of existing systems presents formidable challenges for utility companies. “The mandate encompasses not only external traffic but also internal communications, which complicates monitoring efforts considerably,” noted Carlos Buenano, Chief Technology Officer at Armis, a cybersecurity firm focusing on OT and IoT security.
The scope of the standard covers traffic not just from external sources but between the various elements within the OT environment itself. Capturing that traffic typically means installing new sensors or network taps at many facilities, which creates significant deployment challenges. Buenano noted that scrutinizing every exchange between operator stations and field devices raises real operational complexity. Kristine Martz, from Dragos, emphasized that previous cybersecurity directives primarily addressed perimeter security, which makes the new guidelines, the NERC CIP-015-1 (Internal Network Security Monitoring) standard, particularly noteworthy.
The standard reflects zero-trust thinking: it assumes that a capable attacker will eventually get past perimeter defenses and that internal traffic therefore cannot be treated as trusted by default. Dan Hewitt, a product manager at Tenable, stated that the new requirements demand a shift from prevention alone to a detect-and-respond posture. Alongside monitoring and logging, the standard calls for anomaly detection so that operators can formulate an appropriate response to security incidents.
Establishing a baseline for normal network activity is crucial for detecting deviations indicative of potential threats. “Understanding what constitutes normal traffic allows for continuous monitoring and quicker identification of irregular patterns,” Martz explained. Similar to Security Information and Event Management (SIEM) systems used in IT networks, specialized tools for OT environments generate alerts that necessitate human analysis by security operations teams. However, understanding and triaging these alerts requires specialized skills.
Martz suggested that a successful model involves integrating teams focusing on both OT and IT under a unified security operations center (SOC). This approach fosters collaboration and enhances situational awareness regarding incidents that may impact both environments. The new regulation illustrates how cybersecurity enhancements may be achieved through regulatory measures, fostering a risk-based approach while avoiding prescribing specific technologies, which could quickly become obsolete, according to Martz.
Nevertheless, the flexibility of the standard also means that companies must work out for themselves which network data to collect and retain for compliance. As Buenano mentioned, “The mandate aims to protect critical assets without specifying exactly how deep companies need to go in monitoring.” Some anomalies, such as a new device talking to a controller, can be caught with flow-level monitoring of who talks to whom and on which port, but inspecting the content of industrial protocol traffic (for example, distinguishing a read from a write to a PLC) is considerably harder.
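To make concrete the baselining Martz describes and the flow-level versus content-level distinction Buenano raises, the following is an added example, not code from the article or from any of the vendors quoted in it. It learns a baseline from a window of flow records, then flags two kinds of deviation: a source/destination/port triple never seen before (flow-level), and a Modbus write function code issued by a host that never wrote during the baseline window (content-level). The log lines are constructed for illustration and only loosely mimic a connection log; the Modbus write function codes listed are the standard ones, but the field layout and the host addresses are assumptions.

```python
"""Flow baseline and anomaly detection over constructed OT traffic records.

Added example; the record format "ts src dst dport proto func" is an
assumption made for this illustration, not any tool's real output.
"""
from dataclasses import dataclass
from typing import Optional

# Standard Modbus function codes that change PLC state (writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    func: Optional[int]  # Modbus function code when decoded, else None


def parse_line(line: str) -> Flow:
    """Parse one constructed record: ts src dst dport proto func ('-' if none)."""
    ts, src, dst, dport, proto, func = line.split()
    return Flow(float(ts), src, dst, int(dport), proto,
                None if func == "-" else int(func))


def parse_log(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(flows):
    """Learn which (src, dst, dport) triples talk and which hosts issue writes."""
    pairs, writers = set(), set()
    for f in flows:
        pairs.add((f.src, f.dst, f.dport))
        if f.proto == "modbus" and f.func in MODBUS_WRITE_CODES:
            writers.add(f.src)
    return {"pairs": pairs, "writers": writers}


def detect(baseline, flows):
    """Return alerts for flows that deviate from the learned baseline."""
    alerts, reported = [], set()
    for f in flows:
        key = (f.src, f.dst, f.dport)
        # Flow-level check: a conversation never seen during baselining.
        if key not in baseline["pairs"] and key not in reported:
            reported.add(key)  # report each new triple once
            alerts.append(("new_flow", f.ts, key))
        # Content-level check: a write from a host that never wrote before.
        if (f.proto == "modbus" and f.func in MODBUS_WRITE_CODES
                and f.src not in baseline["writers"]):
            alerts.append(("unexpected_write", f.ts, f.src, f.dst, f.func))
    return alerts


# Constructed baseline window: HMI reads two PLCs, an engineering workstation
# writes to one PLC, a historian polls the HMI over OPC UA.
BASELINE_LOG = """\
1000 10.1.1.10 10.1.2.20 502 modbus 3
1001 10.1.1.10 10.1.2.21 502 modbus 3
1002 10.1.1.50 10.1.2.20 502 modbus 16
1003 10.1.1.30 10.1.1.10 4840 opcua -
1004 10.1.1.10 10.1.2.20 502 modbus 3
"""

# Constructed monitoring window: the HMI starts writing, and an unknown
# host 10.1.1.77 appears and then writes to the PLC.
MONITOR_LOG = """\
2000 10.1.1.10 10.1.2.20 502 modbus 3
2001 10.1.1.10 10.1.2.20 502 modbus 16
2002 10.1.1.77 10.1.2.20 502 modbus 3
2003 10.1.1.77 10.1.2.20 502 modbus 6
2004 10.1.1.30 10.1.1.10 4840 opcua -
"""


def run_example():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(MONITOR_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note that the write by 10.1.1.10 at ts 2001 is invisible to the flow-level check, because that HMI-to-PLC conversation on port 502 is entirely normal; only decoding the Modbus function code exposes it. That is the depth question the standard leaves to each operator.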
The regulations apply exclusively to high-impact and medium-impact systems, which can complicate compliance for companies operating multiple locations, as some facilities may incorporate legacy systems that do not meet new standards. Addressing compliance may require individualized solutions tailored to each site and potentially each switch, complicating uniform implementation across the organization. The rule stipulates an implementation window of three years for high-impact sites and five years for medium-impact locations, marking October 1, 2028, as the deadline for critical networks.
While the timeline may seem generous, for companies starting from a less prepared state, it presents significant time constraints, particularly if vendor selection processes are necessary. “Implementing changes to critical infrastructure requires thorough planning and effective management to ensure functionality without disruption,” Buenano concluded. The new standard necessitates substantial investment, potentially amounting to millions of dollars, emphasizing the urgency and importance of cybersecurity vigilance among electricity providers today.