The electric utility industry continues to enhance security measures in light of potential natural disasters and cyberattacks to the grid. To this end, in the United States the federal government via NERC (North American Electric Reliability Council) provides guidelines and auditing oversight, particularly in the area of Critical Infrastructure Protection (CIP). The latest generation of requirements (NERC-CIP v5) will be coming into effect over the next several years. Under these regulations, each utility is subject to an audit of its compliance to 11 sets of NERC-CIP requirements (CIP-001 to CIP-011).
As technology evolves, NERC continuously reviews its definitions of cyber assets, physical security perimeters and electronic security perimeters. Think of cyber assets as any device with an Ethernet port running a routable protocol such as TCP/IP. NERC-CIP says that these devices must be protected in a wide variety of ways including password protection, and account for physical attacks, DoS attacks, etc.
We get a lot of questions about whether our wireless broadband solutions are NERC-CIP compliant. As it turns out it isn’t a piece of equipment that is compliant but rather an organization that is audited to be compliant. For example, an organization might state that it will require password changes with certain complexity rules as its policy. The auditor would look to see that such organizations have implemented the procedure and that their network equipment supports this capability.
As such, a more appropriate question would be, “How does a particular piece of equipment enhance the cybersecurity of my organization to assist compliance to NERC-CIP?” At Cambium Networks, we provide specific answers to this question for all of our products as compliance requirement change.
One new development in NERC-CIP v5 is a refined definition of the term “physical security perimeter.” In the past this meant a “6-wall” physical barrier to unwanted intrusion – 4 walls, a floor and a ceiling. This is clearly a problem in large outdoor facilities with generators that now have TCP/IP management ports. So the 6-wall language has been removed. In its stead is a NERC-CIP requirement for solutions that provide a combination of video surveillance, intrusion detection and identity-based access mechanisms such as key-cards and lift-gates.
Wireless broadband plays a key role in providing this remote monitoring and security. Without trenching or running wires, and without paying leased line monthly fees, a utility’s cyber-security team can dramatically reduce the cost and time to achieve compliance. As an example, Cambium Networks’ PTP 650 has many features supporting these types of deployments: roles-based security, direct power to PoE video cameras, over-the-air encryption, security transaction audits and SNMPv3/https alarm generation for intrusion detection.
Although the current NERC-CIP definition of a cyber-asset does not encompass communication networks, NERC has requested that these communications be assessed in the future. Cambium Networks products remain at the ready to support utility companies’ compliance requirements today while also addressing their future needs.