The utility industry is faced with the challenge of complying with security standards (NERC CIP) for assets that were developed to function and not necessarily to be secure. Some of the common themes that you hear in this space are:
- How do I track the difference between the ports and services running on a device before and after a significant change occurs to that device?
- How do I stay up to date with the latest security patches and/or firmware upgrades that are available for all of my Critical Cyber Asset types?
- How do I track which of my Critical Cyber Assets require anti-virus software and which ones need technical feasibility exceptions (TFEs)?
- How can I monitor all of the users who have access to my Critical Cyber Assets and ensure that the list is up to date?
- How do I know which of my Critical Cyber Assets are logging and which ones are not?
- And most importantly, how do I accomplish all of these objectives in an environment where I have a multitude of devices that run on different platforms and are managed by multiple groups?
The bullets above represent some of the industry challenges as they relate to NERC CIP, and more specifically to managing CIP-007 compliance. The problem with NERC CIP is that you have to manage the compliance of each asset, not just compliance with the standard. For example, if a requirement states that you must have an incident response plan for your organization, you can simply put one together and demonstrate to an auditor that you have one. In this case you are managing compliance with the requirement that says you have a plan. While this is a part of NERC CIP and requirements like this exist, you also have to manage each item in your cyber asset inventory against the majority of the standards. For example, you not only need a plan to manage security patches, you must also know the current security patch status of every device in your inventory. What makes this harder is that these are industrial control systems, and the vendors that support them may never have created a security patch, or they do create them but the patches are difficult to find. These vendors, for example, do not have robust security patch notification programs equivalent to what Microsoft does. The challenge is that the utility is then unable to comply with the standards.
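The per-asset view described above (ports and services against a baseline, patch status, anti-virus or TFE, logging, and authorized users, each tracked for every device in inventory) can be modelled as a small inventory record with a check per CIP-007 theme. The following Python is an added example, not code from the original post or from any vendor tool; the asset names, ports, firmware versions and user lists are constructed sample data, and the field names (`baseline_ports`, `tfe_on_file`, and so on) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Dict

@dataclass
class Asset:
    """One Critical Cyber Asset in the inventory (constructed schema)."""
    name: str
    platform: str
    owner_group: str
    baseline_ports: Set[str]        # ports/services approved in the documented baseline
    observed_ports: Set[str]        # ports/services seen in the most recent scan
    firmware: str                   # version currently installed
    latest_firmware: Optional[str]  # None = no vendor patch source identified
    av_capable: bool                # can anti-virus software be installed at all?
    tfe_on_file: bool               # is a technical feasibility exception documented?
    logging_enabled: bool
    authorized_users: Set[str]      # the reviewed access list
    actual_users: Set[str]          # accounts actually present on the device

def diff_ports(baseline: Set[str], observed: Set[str]) -> Dict[str, List[str]]:
    """Ports/services that appeared since the baseline, and ones that vanished."""
    return {"unexpected": sorted(observed - baseline),
            "missing": sorted(baseline - observed)}

def diff_users(authorized: Set[str], actual: Set[str]) -> Dict[str, List[str]]:
    """Accounts on the device that were never authorized, and stale authorizations."""
    return {"unauthorized": sorted(actual - authorized),
            "stale": sorted(authorized - actual)}

def assess_asset(a: Asset) -> List[str]:
    """Return one finding string per CIP-007 theme the asset fails; empty = clean."""
    findings = []
    ports = diff_ports(a.baseline_ports, a.observed_ports)
    if ports["unexpected"]:
        findings.append(f"ports/services outside baseline: {ports['unexpected']}")
    if a.latest_firmware is None:
        findings.append("no vendor patch source identified; status must be tracked manually")
    elif a.firmware != a.latest_firmware:
        findings.append(f"firmware {a.firmware} behind vendor release {a.latest_firmware}")
    if not a.av_capable and not a.tfe_on_file:
        findings.append("anti-virus not feasible and no TFE on file")
    if not a.logging_enabled:
        findings.append("logging not enabled")
    users = diff_users(a.authorized_users, a.actual_users)
    if users["unauthorized"]:
        findings.append(f"accounts not on access list: {users['unauthorized']}")
    return findings

def compliance_report(assets: List[Asset]) -> Dict[str, List[str]]:
    """Per-asset findings, keyed by asset name: compliance is managed per device."""
    return {a.name: assess_asset(a) for a in assets}

def noncompliant(report: Dict[str, List[str]]) -> List[str]:
    """Names of assets with at least one finding, sorted for stable reporting."""
    return sorted(name for name, findings in report.items() if findings)

# Constructed sample inventory spanning several platforms and owner groups.
SAMPLE_ASSETS = [
    Asset("rtu-01", "embedded", "substation-ops",
          {"22/tcp ssh", "502/tcp modbus"}, {"22/tcp ssh", "502/tcp modbus"},
          "2.1.0", "2.1.0", av_capable=False, tfe_on_file=True, logging_enabled=True,
          authorized_users={"ops_admin"}, actual_users={"ops_admin"}),
    Asset("hmi-02", "windows", "control-room",
          {"3389/tcp rdp", "502/tcp modbus"},
          {"3389/tcp rdp", "502/tcp modbus", "5900/tcp vnc"},
          "1.4", "1.5", av_capable=True, tfe_on_file=False, logging_enabled=False,
          authorized_users={"ops_admin", "vendor_svc"},
          actual_users={"ops_admin", "vendor_svc", "tmp_contractor"}),
    Asset("plc-03", "proprietary", "plant-engineering",
          {"502/tcp modbus"}, {"502/tcp modbus"},
          "fw-0.9", None, av_capable=False, tfe_on_file=False, logging_enabled=True,
          authorized_users={"eng_admin"}, actual_users={"eng_admin"}),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_ASSETS)
    for name in noncompliant(report):
        print(name)
        for finding in report[name]:
            print("  -", finding)
```

Running the block lists `hmi-02` (a VNC service outside the baseline, firmware behind the vendor release, logging off, an account not on the access list) and `plc-03` (no vendor patch source and no TFE for anti-virus), while `rtu-01` reports nothing. The point of keeping `diff_ports` and `diff_users` as set differences is that the same check runs unchanged after any significant change to a device: re-scan, diff against the documented baseline, and either update the baseline through change control or treat the delta as a finding.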
When you look at NERC CIP and understand how utilities operate, as well as what they operate, you will see that cyber security in utility environments is a major challenge for the industry.