NERC Security Integration Strategy Set To Integrate Cyber And Physical Security Into Grid Planning, Design, Operation

14 December 2022

The North American Electric Reliability Corporation (NERC) announced its Security Integration Strategy, which focuses on risk identification and validation, prioritization, and development of possible mitigations. It further outlines electric reliability organization (ERO) priorities to enhance security integration through working collaboratively with electricity sector stakeholders.

Released Tuesday, the strategy seeks to ensure reliability by integrating cyber and physical security into grid planning, design, and operation. It will also enable prioritization and development of possible mitigations and outlines ERO priorities to enhance security integration through working collaboratively with electricity sector stakeholders. 

The tenets of the NERC Security Integration Strategy can be mapped to the NERC Risk Framework that guides the ERO in prioritization of risks and provides guidance on the application of ERO policies, procedures, and programs to inform resource allocation and project prioritization in the mitigation of those risks. Additionally, the NERC Risk Framework includes measuring residual risk after mitigations are deployed to enable the ERO to evaluate the success of its efforts in mitigating risks and providing necessary feedback for future prioritization, mitigation efforts, and program improvements.

“The successful reduction of risk is a collaborative process between the ERO Enterprise, industry, and the technical committees, including the Reliability and Security Technical Committee (RSTC) and Reliability Issues Steering Committee (RISC),” the NERC Security Integration Strategy states. “The NERC Risk Framework provides a transparent process, with industry experts in parallel with ERO Enterprise experts, which includes risk identification, deployment of mitigation strategies, and monitoring the success of these mitigations,” it added.

Six specific steps have been identified, consistent with risk management frameworks used by other organizations and industries. These are risk identification and validation, risk prioritization, remediation and mitigation identification/evaluation, deployment of mitigation, measuring success, and monitoring residual risk. Each of these steps will require a host of measures, including process development, stakeholder engagement, validation/triage approaches, residual risk monitoring, and considerations of the ERO Enterprise’s level of purview over a risk.

The ERO Enterprise is dedicated to proactively identifying and addressing security challenges and continues to work with industry stakeholders to drive risk mitigation activities. Addressing these challenges requires a multi-faceted strategy to identify, prioritize, and mitigate risks facing the electricity sector’s operational technology (OT) environments.

The strategy drives the security integration concept in four key areas. The core tenets of the NERC Security Integration Strategy incorporate near-term and long-term work items to ensure the reliable and secure operation of the bulk power system (BPS). Components of the strategy with immediate priority are cyber-informed transmission planning, assessments of aggregate risks, cloud technology in the OT space, and distributed energy resource (DER) and DER aggregator cybersecurity.

The NERC Security Integration Strategy is primarily focused on risk identification and validation, prioritization, and development of possible mitigations. Future work by the ERO will explore deploying those mitigations and monitoring success collaboratively with the industry.

By using anonymized data and lessons learned, NERC can explore a technical basis for incorporating cyber-informed transmission planning and additional operational controls into industry practices and possible future NERC standards enhancements. Additionally, this strategy addresses near- and long-term reliability risk issues by addressing the integration of technological advancements and emerging technologies applicable to the changing grid and addressing paradigm shifts, including cloud services adoption.

NERC will collaborate with industry partners to develop security guidance for aggregate ‘low’ impacts, including the development of cyber security risk scenarios in the OT space.

Furthermore, NERC is working with industry stakeholders to conduct assessments of possible risk areas and to develop guidance to support improved security practices in this area of the BPS. The initiative includes coordinating with industry partners, such as the U.S. Department of Energy, Idaho National Laboratory (INL), the Electric Power Research Institute (EPRI), and others, to drive the adoption of security best practices, identify and address gaps in standards and requirements, and foster security culture through focused collaboration between engineers, security professionals, and industry leadership.

NERC and its Electricity-Information Sharing and Analysis Center continue to work collaboratively with various stakeholders to support these efforts. Additionally, NERC is relying on engagement and support from industry members through its Reliability and Security Technical Committee, particularly the Security Integration and Technology Enablement Subcommittee (SITES), the Security Working Group, and others.

The groups can support the development and execution of components of this strategy with specific work items. The effort includes industry guidance materials, whitepapers, technical assessments and reports, and possibly future standard authorization requests (if needed) to move the needle towards more wholly integrated cyber and physical security within the BPS.

In July, NERC released its 2022 State of Reliability report, highlighting the interconnected system’s health and the effectiveness of reliability risk mitigation activities. Among the various findings, the NERC report said that the cybersecurity threat landscape presented serious obstacles to the electricity industry in 2021, primarily led by geopolitical events, new vulnerabilities, technological changes, and increasingly bold cyber criminals and hacktivists.