Enhancing power grid security: Meeting NERC CIP requirements with Bitwarden

The North American Electric Reliability Corporation (NERC) is a non-profit international regulatory body dedicated to setting compliance standards that help reduce risks to the electricity grid and power systems serving hundreds of millions of people in the United States, Canada and part of Mexico.

The NERC Critical Infrastructure Protection (CIP) requirements outline why a cyber security framework designed to protect and secure critical assets is vital for the reliable and effective delivery of electricity across North America’s bulk electric system (BES). These standards are enforced as regulations, making them a legal requirement.

The Federal Energy Regulatory Commission (FERC) plays a crucial role in enforcing these NERC CIP standards to enhance the security and reliability of the electricity grid, particularly after major historical blackouts.

NERC cited an uptick in cyber threats against North American power grids, stating in a webcast that the “grids' virtual and physical weak spots, or points in software or hardware that are susceptible to cyber criminals, grew to a range of 23,000 to 24,000.”

This article elaborates on the nature of rising threats to the power grid. It also explores how enterprise-grade password management enhances security resilience for the energy sector, strengthens password security, and ensures access controls that limit internal and external threats in compliance with NERC CIP standards.

The power grid is a critical component of economic growth, affecting both infrastructure and national security. Simply put, without a functioning bulk power system, society would grind to a halt. This also makes it an exceptionally attractive target for cyber criminals. 

A recent finding by the Government Accountability Office (GAO) reveals the mounting challenges of securing operational technology in the energy industry, noting: 

“There are several points of vulnerability in the US system of electricity grids. For example, grid distribution systems — which carry electricity from transmission systems to consumers — have become more vulnerable, in part because their operational technology increasingly allows remote access and connections to business networks. This could allow threat actors to access those systems and potentially disrupt operations.

Nations and criminal groups pose the most significant cyber threats to US critical infrastructure, according to the Director of National Intelligence’s 2022 Annual Threat Assessment. These threat actors are increasingly capable of attacking the grid.”

Recent attacks against the power grid exploit physical and cyber security vulnerabilities. NERC referred to cyber threats as “more difficult to directly quantify.” As noted above, security weaknesses in the power system have increased, leading to an average of 60 additional cyber attacks per day.

There are 13 NERC CIP requirements relevant to power grid companies:

• BES cyber system categorisation: Requires organisations to identify assets that could compromise the larger BES in the event of a cyber attack and to categorise and secure those assets accordingly. This includes identifying and securing 'BES cyber assets' and 'critical cyber assets' to ensure the reliable operation of the BES.

• Security management controls: Organisations must implement security management controls, such as training personnel and reporting security incidents, that protect BES cyber systems against compromise.

• Personnel and training: Individuals accessing BES cyber systems must undergo a risk assessment and receive security awareness training. 

• Electronic security perimeters: Organisations must define and then protect electronic security perimeters (ESPs) that protect BES assets.

• Physical security of BES cyber systems: Teams must have a physical security plan to protect BES cyber systems from compromise.

• System security management: This standard specifies the technical, operational and procedural requirements necessary for protecting BES cyber infrastructure, such as monitoring for and removing malicious code and changing known default passwords.

• Incident reporting and response planning: Describes incident response requirements, such as how often incidents should be documented and how long evidence should be retained.

• Recovery plans for BES cyber systems: Addresses recovery plan requirements to support the continued stability of the BES in the event of an incident.

• Configuration change management and vulnerability: To prevent and detect unauthorised changes to BES cyber systems, organisations must follow the specifications for when and how to configure settings.

• Information Protection: Companies must protect information critical to the operation of the BES during storage, use, and transit.

• Communications Between Control Centres: Data transmitted between control centres must be protected at all times.

• Supply Chain Risk Management: Organisations must implement security controls to mitigate supply chain risk. 

• Physical Security: Organisations must put in place a plan to protect their physical locations and substations from physical attacks.

The NERC CIP compliance checklist is quite extensive. Focusing here on password security recommendations, the guidelines recommend that organisations:

• Revoke access to shared accounts in order to prevent a situation where passwords on substation and generation devices are constantly changed due to staff turnover.

• Use a password manager to ensure strong and unique passwords for accounts to help mitigate the risk of successful password spraying or credential stuffing attacks, as well as to minimise insecure or accidental password sharing with unauthorised individuals.

• Implement multi-factor authentication to further bolster security.

• Prevent online password attacks by limiting the number of guesses an attacker can make.

A successful cyberattack against an electricity grid system could grind operations and critical power supply to a halt. Fortunately, NERC CIP compliance software, such as Bitwarden, is the first line of defence against cybercriminals. By enabling energy suppliers to generate and manage strong and unique passwords, Bitwarden reduces their vulnerability to password-related breaches. Other key benefits include:

• Role-based access controls that allow administrators to customise and issue granular permissions, as well as control who has access to certain functions. By limiting user access based on necessity, power grid organisations maintain control over sensitive systems.

• An end-to-end encrypted vault that protects not just passwords but company cards and other personally identifiable information (PII).

• Multi-factor authentication capabilities empower organisations with a second authentication layer to deter brute-force attacks or insider threats.

• Password-sharing capabilities enable teams and departments to safely generate, manage, and share complex passwords and other sensitive data from any location or device.

• Seamless and flexible integration options include Single Sign-On (SSO) with identity providers and directory services (including SCIM).

• Easy onboarding with a centralised admin console where enterprise policies can be enabled and users are automatically provisioned.

• Cross-platform access with an unlimited number of devices.

• Vulnerability reports that reveal weak or reused passwords and detailed event logs to monitor user and group access to sensitive data with audit trails.

• Regular third-party security audits, cryptographic analysis, and penetration testing of Bitwarden to ensure the password manager upholds the highest security standards.

Because the bulk electric system powers the economy, impacts national security, and propels everyday life, it is vitally important that credentials used by energy providers remain highly protected with strong and unique passwords. Implementing an enterprise-wide password manager will also greatly benefit organisations that need to meet stringent and legally binding NERC CIP requirements.

To explore Bitwarden business features and capabilities, get started with a free trial today.