The North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards are a comprehensive set of requirements that ensure the security and reliability of the North American power grid.
These standards address both the physical security and cybersecurity of the bulk electric system, mandating measures to protect critical assets from potential threats. The increasing sophistication of cyber threats by both private actors and nation states, combined with the essential nature of the electrical infrastructure to national security and daily life, necessitates enhanced precautions and cybersecurity compliance regulations that all organizations within the electric power industry must adhere to.
Failure to comply with these cybersecurity controls could lead to a devastating breach which would impact economic activities, government functions and public safety. Additionally, organizations that fail to maintain compliance could face fines as large as $1,000,000 per violation.
Privileged Access Management (PAM) solutions help organizations reduce the risk of a data breach and enhance their ability to meet several of NERC’s 13 critical infrastructure protection standards.
CIP-004-6 Cyber Security – Personnel and Training
This standard covers personnel risk assessment, training, security awareness and access management. A PAM solution can help with access control by restricting access to critical infrastructure systems to only those who are authorized. It can also serve as evidence for the requirement within this standard that entities must document who has electronic access to Bulk Electric System (BES) Cyber System Information.
A BES Cyber System is defined by NERC as one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. Cyber assets can include authentication servers, Active Directory servers, security event monitoring systems, badge control systems, file servers, FTP servers and more.
One requirement within CIP-004-6 is to change passwords for shared accounts that any terminated users had access to within 30 calendar days of the termination action. If there are extenuating operating circumstances, the requirement is to change the passwords within 10 calendar days. A PAM solution can automatically rotate credentials on a predetermined schedule or on demand.
Additionally, for any employees who are transferred or reassigned, entities are required to perform a review of the employee’s access privileges. Access should always be revoked for individuals who no longer require access to a BES Cyber System to perform their assigned functions. KeeperPAM™ utilizes an enterprise password manager, which allows system administrators to disable accounts and reset shared passwords within minutes.
When it comes to protecting online infrastructure for the nation’s electric grid, PAM is essential because it helps in managing and monitoring access to these assets by controlling who has privileged access, how this access is granted and for how long. PAM solutions like KeeperPAM help organizations meet CIP-004-6 standards by providing password rotation capabilities and role-based access controls which enable admins to easily decommission departing employees’ access.
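A compliance check for the shared-account rotation deadlines described above, written as an added example (not Keeper’s code): it pairs a list of terminations with a password-rotation log and reports each shared account as rotated in time, overdue, or still within its window. The record layout, the account names and the dates are all constructed.

```python
"""Audit shared-account password rotation against the CIP-004-6 deadlines
described above: 30 calendar days after a termination, 10 when extenuating
operating circumstances apply. Added example; record layout is assumed."""
from datetime import date, timedelta

DEADLINE_DAYS = 30
EXTENUATING_DEADLINE_DAYS = 10

# Constructed terminations: shared accounts the departed user could access,
# the termination date and whether extenuating circumstances applied.
TERMINATIONS = [
    {"user": "jdoe", "terminated": "2024-03-01", "extenuating": False,
     "shared_accounts": ["scada-ops", "hist-svc"]},
    {"user": "asmith", "terminated": "2024-03-10", "extenuating": True,
     "shared_accounts": ["scada-ops", "fw-admin"]},
]
# Constructed rotation log: shared account -> dates its password was changed.
ROTATIONS = {
    "scada-ops": ["2024-03-20"],
    "hist-svc": ["2024-02-15"],   # changed before jdoe left, so it does not count
    "fw-admin": [],
}

def rotation_deadline(term):
    days = EXTENUATING_DEADLINE_DAYS if term["extenuating"] else DEADLINE_DAYS
    return date.fromisoformat(term["terminated"]) + timedelta(days=days)

def rotated_in_time(rotations, account, terminated, deadline):
    # Only a change on or after the termination date removes the departed
    # user's knowledge of the password; earlier rotations are irrelevant.
    return any(terminated <= date.fromisoformat(d) <= deadline
               for d in rotations.get(account, []))

def audit(terminations, rotations, today):
    """Return (user, account, status) triples; status is 'ok', 'overdue'
    (deadline passed without a rotation) or 'pending' (deadline still open)."""
    today = date.fromisoformat(today)
    findings = []
    for term in terminations:
        terminated = date.fromisoformat(term["terminated"])
        deadline = rotation_deadline(term)
        for account in term["shared_accounts"]:
            if rotated_in_time(rotations, account, terminated, deadline):
                status = "ok"
            elif today > deadline:
                status = "overdue"
            else:
                status = "pending"
            findings.append((term["user"], account, status))
    return findings
```

Run `audit(TERMINATIONS, ROTATIONS, "2024-04-01")` to list every shared account a departed user could reach together with its rotation status.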
CIP-005-7 Cyber Security – Electronic Security Perimeter
CIP-005-7 focuses on protecting BES Cyber Systems against external infiltration and cyber attacks. One of the requirements within this standard (R1) states that entities need to require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default. A PAM solution can help meet this requirement by applying the principle of least privilege, a cyber security concept in which users are given just enough network access (or user privileges) to the information and systems they need to do their jobs, and no more.
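The R1 rule described above, worked as an added example (not Keeper’s code or any product’s configuration format): an Electronic Security Perimeter access list is evaluated so that a flow is permitted only when a rule with a documented reason matches it, and everything else falls through to deny. The rule fields, addresses and reasons are constructed, and treating a rule without a reason as granting nothing is this example’s choice.

```python
"""Evaluate an Electronic Security Perimeter access list against the
CIP-005-7 R1 rule described above: each permitted inbound or outbound flow
carries a documented reason, and anything not explicitly permitted is denied.
Added example; rule fields and sample flows are constructed."""
import ipaddress

# Constructed ESP rules; direction is the flow's direction relative to the ESP.
RULES = [
    {"direction": "inbound", "src": "10.10.0.0/24", "dst": "192.168.1.10",
     "port": 443, "reason": "Vendor jump host to HMI web console"},
    {"direction": "outbound", "src": "192.168.1.0/24", "dst": "10.10.0.50",
     "port": 514, "reason": "Syslog forwarding to the SIEM collector"},
    {"direction": "inbound", "src": "10.20.0.0/16", "dst": "192.168.1.20",
     "port": 22, "reason": ""},   # no documented reason: an R1 finding
]

def undocumented_rules(rules):
    """Rules that would permit traffic without a recorded reason."""
    return [r for r in rules if not r["reason"].strip()]

def _matches(rule, direction, src, dst, port):
    return (rule["direction"] == direction
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and rule["port"] == port)

def decide(rules, direction, src, dst, port):
    """'permit:<reason>' when a documented rule matches the flow, otherwise
    'deny' (the deny-all default). Undocumented rules are never honoured."""
    for rule in rules:
        if rule["reason"].strip() and _matches(rule, direction, src, dst, port):
            return "permit:" + rule["reason"]
    return "deny"
```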
R2 is focused on ensuring that the security of the BES is not compromised by remote access. Multi-factor Authentication (MFA) is required for all interactive remote access sessions. MFA means that users need to provide more than one form of authentication to access a service or application. This is done by providing something you have, such as tokens, digital certificates or smart cards, and something you know, such as a password or PIN. It can also include biometrics such as fingerprints.
The last requirement in this standard (R3) discusses vendor remote access management. There must be at least one method to determine authentication for vendor-initiated remote connections and one method to terminate authenticated vendor-initiated remote connections. It’s common to provide remote access to your most sensitive systems on an as-needed basis, but it does introduce risk. A PAM solution mitigates the risk by granting vendors remote access without having to explicitly share passwords. The session can be recorded and access can be set to expire at a certain time. Access can also be revoked manually at any time. A PAM solution offers detailed monitoring, auditing and reporting options to show exactly how a system was used in any individual session.
CIP-007-6 Cyber Security – System Security Management
This standard specifies the technical, operational and procedural requirements that protect BES Cyber Systems against compromise. The fifth requirement in this standard has several procedures around password management best practices. For example, Requirement 5.4 states that default passwords must be changed for new devices or anything with a vendor-generated password. R5.5 details password complexity requirements; passwords must be at least 8 characters and have at least 3 different types of characters. And R5.7 states that systems should limit the number of unsuccessful authentication attempts and generate alerts after a threshold of unsuccessful attempts.
Password managers are part of a comprehensive PAM solution and can help meet this requirement by enforcing passwords that meet any number of complexity requirements. A password manager also securely stores passwords and MFA codes, identifies weak and reused passwords, and stores other sensitive data like important files. A PAM solution can also be configured to limit a user’s ability to log in after multiple consecutive failed login attempts and send alerts when this happens.
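The two R5 controls above, R5.5 complexity (8 characters, 3 character types) and R5.7 alerting on a threshold of unsuccessful attempts, as an added example that is not Keeper’s code: a password check and a detector run over a few constructed authentication log lines. The log line format and the alert threshold of 5 are assumptions; the standard leaves the threshold to the entity.

```python
"""Check two CIP-007-6 R5 controls described above: R5.5 password complexity
(at least 8 characters, at least 3 character types) and R5.7 alerting after a
threshold of unsuccessful authentication attempts. Added example, not Keeper's
code; the log line format and the alert threshold are assumptions."""
import re

MIN_LENGTH = 8
MIN_CHAR_TYPES = 3
FAILURE_THRESHOLD = 5   # assumed; the standard leaves the threshold to the entity

def password_meets_r55(password):
    """True if the password has at least MIN_LENGTH characters and uses at
    least MIN_CHAR_TYPES of: lowercase, uppercase, digits, other symbols."""
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    types_used = sum(any(cls(c) for c in password) for cls in classes)
    return len(password) >= MIN_LENGTH and types_used >= MIN_CHAR_TYPES

# Constructed authentication log: "<timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=operator src=10.0.0.5
2024-03-01T08:00:04 FAIL user=operator src=10.0.0.5
2024-03-01T08:00:09 OK   user=engineer src=10.0.0.7
2024-03-01T08:00:11 FAIL user=operator src=10.0.0.5
2024-03-01T08:00:15 FAIL user=operator src=10.0.0.5
2024-03-01T08:00:20 FAIL user=operator src=10.0.0.5
2024-03-01T08:00:25 FAIL user=operator src=10.0.0.5
2024-03-01T08:01:00 OK   user=operator src=10.0.0.5
"""
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def failed_login_alerts(log_text, threshold=FAILURE_THRESHOLD):
    """Return one (user, timestamp) alert per run of consecutive failures
    that reaches the threshold; a successful login resets that user's count."""
    failures = {}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # malformed line: skip it rather than touch any counter
        ts, result, user, _src = m.groups()
        if result == "OK":
            failures[user] = 0
            continue
        failures[user] = failures.get(user, 0) + 1
        if failures[user] == threshold:   # fire once, at the threshold
            alerts.append((user, ts))
    return alerts
```

Note that a password such as "Passw0rd" satisfies the R5.5 minimum, which is why the page pairs complexity with a manager that also flags weak and reused passwords.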
CIP-010-4 Cyber Security – Configuration Change Management and Vulnerability Assessments
This standard states that entities need to develop a baseline configuration for BES Cyber Systems, either individually or by group. PAM tools like KeeperPAM™ utilize Role-Based Access Control (RBAC) to restrict access levels to sensitive data and credentials, from teams and groups down to the individual user level. Roles define permissions, control which features and security settings apply to which users and manage administrative capabilities. The administrator can use nodes to organize users into distinct groups based on location, department, division or any other structure. Any number of role policies can be created and applied to one or more users.
CIP-011-2 Cyber Security – Information Protection
The two requirements for CIP-011-2 focus on preventing unauthorized access to BES Cyber Systems. The first requirement (R1) is that there must be a documented method to identify BES Cyber System Information and procedures in place for protecting and handling that information, including storage, transit and use. The second requirement (R2) is that entities need to take action to prevent the unauthorized retrieval of BES Cyber System Information prior to disposal of an applicable Cyber Asset.
A privileged access manager provides an encrypted vault that can only be accessed, or decrypted, using an encryption key. This can be done via a master password or by integrating with a Single Sign-On (SSO) provider for a secure, passwordless experience. All of the records and contents within the vault are encrypted, both at rest and in transit, to prevent unauthorized users from accessing sensitive data.
How Keeper Security Government Cloud Can Help With NERC CIP Compliance
Keeper Security Government Cloud (KSGC) password manager and privileged access manager is a FedRAMP Authorized cybersecurity platform that protects organizations against cyber threats by utilizing zero-trust and zero-knowledge security.
KSGC equips organizational IT administrators with complete visibility and control over password security practices across the entire organization, enabling them to enforce the use of strong, unique passwords, MFA, RBAC, event logging and reporting, along with other CIP security policies.
Keeper’s next-gen PAM solution, KeeperPAM, simplifies how organizations manage and secure access to highly sensitive systems and data. Keeper provides privileged account session management, secrets management, Single Sign-On (SSO) integration, privileged account credential management, and powerful credential vaulting and access control, all of which are critical to protecting BES Cyber Systems.
To learn more about KeeperPAM and how it can strengthen your organization’s cybersecurity and ability to meet NERC’s CIP cybersecurity standards, request a demo today.