
NERC and ERO Enterprise’s 2024 Lessons Learned Report

August 15, 2024

NERC and the six Regional Entities (collectively the ERO Enterprise) have identified four risk themes that have made it difficult for some entities to mitigate risks associated with the NERC Critical Infrastructure Protection (CIP) Reliability Standards. They published these themes in their 2024 Critical Infrastructure Protection Themes and Lessons Learned report.

The Four Themes Identified:

  • Latent Vulnerabilities: The importance of internal detective controls.
  • Insufficient Commitment to Low-Impact CIP Programs: The need to revisit approaches to CIP-003 R2.
  • Shortages of Labor and Skillsets: Challenges in workforce and succession planning.
  • Performance Drift: Physical security issues as markers of performance drift and apathy.

Latent Vulnerabilities:

The report recognizes a maturing approach to cyber security and CIP compliance for medium- and high-impact BES Cyber Systems. While widespread programmatic issues are now less common, long-standing higher-risk issues persist undetected within entities’ environments. The report refers to these as “latent vulnerabilities.”

The report pointed to the following example issues in managing electronic access:

  1. Unauthorized Access: An entity discovered that thousands of unauthorized users had improper access to BES Cyber System Information (BCSI) for nearly six years because of an inherited and overlooked configuration. The access went undetected because the user group/configuration that granted it was outside the scope of the entity’s quarterly access reviews. In another example, over 100 administrators had unauthorized access to BCSI repositories for over eight years, and multiple user groups had unmanaged backend access to BCSI repositories.
    • With robust configuration management capabilities, such as those offered by Industrial Defender, you can centrally manage configurations and catch issues like erroneous user access while reviewing other security configurations. While this example did not involve malicious intent, it is a reminder that small mistakes go overlooked easily, are hard to track, and pose real vulnerabilities. Industrial Defender can also monitor changes in access behavior that should trigger alerts. The platform identifies individuals with access to BCA, EACMS, PACS, and PCA, and monitors and manages firewall rules across devices, so that inbound and outbound access is by explicit permission only, with all other traffic denied by default. Industrial Defender’s network intrusion detection system (NIDS) detects known or suspected malicious communications.
  2. Patching Issues: Another latent vulnerability involved a patching issue discovered during a compliance audit conducted by a Regional Entity. An entity failed to accurately identify the patch source for a critical system application. The entity had identified a legitimate but incorrect patch source whose name was very similar to the correct one, which delayed discovery of the problem. As a result, security patches for the critical system application were neither evaluated nor applied for over three years.
    • Industrial Defender’s vulnerability management capabilities are precise, based on accurate details gathered from OT assets and endpoints without disruptive vulnerability scans. The software helps validate and pinpoint the correct vulnerabilities and patches associated with a system, cross-checking against NVD, ICS-CERT, and other databases, which reduces the kind of human error that caused this issue.
  3. Regular Audits: More generally, these issues were often discovered during a compliance audit by a Regional Entity, or shortly before an upcoming one. One of the report’s recommendations is to conduct internal audits and assessments more regularly.
    • Industrial Defender’s platform enables continuous monitoring and assessment against security policies, frameworks, and standards. It baselines configurations and alerts on any change that deviates from policy. This lets organizations self-audit and maintain the security controls outlined in leading frameworks, supported by a reporting library that covers NIST CSF, NERC CIP, CMMC, IEC 62443, MOSAICS, and more.
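The first example above turns on a review that was scoped by a list of groups rather than by what the repository’s ACL actually granted. The script below, an added illustration that is not from the report or from Industrial Defender, models that failure with a constructed directory (group names, user names, the `REPO_ACL` and `APPROVED` sets are all invented): `scoped_review` mimics the quarterly review that only inspects groups on its list, while `full_review` derives effective access from the ACL and nested group membership and flags anyone not on the approved list.

```python
"""Effective-access review for a BCSI repository (constructed data).

Demonstrates the failure mode behind the first latent vulnerability: a
quarterly review that only inspects the groups on its review list never sees
users who reach the repository through an inherited, nested group.
"""
from collections import deque

# Constructed directory: group name -> members (user names or nested groups).
GROUPS = {
    "BCSI-Readers": {"alice", "bob"},
    "Domain Admins": {"carol", "Legacy-Ops"},
    # Inherited from a migration years ago and never put on a review list.
    "Legacy-Ops": {"dave", "erin", "Contractors-2016"},
    "Contractors-2016": {"frank"},
}

# Constructed ACL on the BCSI repository: principal -> permission.
REPO_ACL = {
    "BCSI-Readers": "read",
    "Domain Admins": "full",
    "grace": "read",
}

# Users whose BCSI access was actually authorized (constructed).
APPROVED = {"alice", "bob", "carol", "grace"}


def expand_group(name, groups):
    """Return every user reachable from `name`, following nested groups."""
    users, seen, queue = set(), set(), deque([name])
    while queue:
        group = queue.popleft()
        if group in seen:  # tolerate cycles in group membership
            continue
        seen.add(group)
        for member in groups.get(group, ()):
            if member in groups:
                queue.append(member)
            else:
                users.add(member)
    return users


def effective_access(acl, groups):
    """Map each user to the (permission, granting principal) pairs that reach them."""
    access = {}
    for principal, perm in acl.items():
        members = expand_group(principal, groups) if principal in groups else {principal}
        for user in members:
            access.setdefault(user, []).append((perm, principal))
    return access


def scoped_review(acl, groups, approved, review_list):
    """The flawed control: review only the groups someone wrote on the list."""
    flagged = set()
    for group in review_list:
        if group in acl:
            flagged |= expand_group(group, groups) - approved
    return flagged


def full_review(acl, groups, approved):
    """Detective control: derive who can reach the repository from the ACL itself."""
    return {user for user in effective_access(acl, groups) if user not in approved}


if __name__ == "__main__":
    print("scoped review flags:", scoped_review(REPO_ACL, GROUPS, APPROVED, ["BCSI-Readers"]))
    print("full review flags:  ", full_review(REPO_ACL, GROUPS, APPROVED))
    for user in sorted(full_review(REPO_ACL, GROUPS, APPROVED)):
        print(f"  {user}: via {effective_access(REPO_ACL, GROUPS)[user]}")
```

The scoped review reports nothing, because the one group on its list contains only approved users; the full review reports dave, erin and frank, all of whom reach the repository with full permission through the unreviewed Legacy-Ops chain under Domain Admins. The design point is that the input to an access review should be the resource’s ACL expanded to users, not a hand-maintained list of groups.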

Insufficient Commitment to Low-Impact Programs

In its section on Insufficient Commitment to Low-Impact Programs, the report highlights insufficient understanding of the cyber environment and struggles to manage electronic access. This is core to what Industrial Defender partners with utilities on: OT asset management, meaning full visibility of the cyber assets in the OT environment and better situational awareness of the related cyber and operational risks.

Customers who have used Industrial Defender for their NERC CIP environments have found significant value in understanding and comprehensively monitoring their OT assets. Many have successfully expanded these practices to their low-impact environments, resulting in enhanced security and operational efficiency.

Industrial Defender’s OT asset management platform improves situational awareness of cyber systems within operational environments. It provides deeper-level asset data and vital endpoint information, along with historical context and change detection. This not only offers visibility of the OT environment but also enables the management of OT assets and associated risks.

Industrial Defender’s granular OT data monitoring alerts on unwanted changes in OT environments, including suspicious activity such as new or unusual credential use, activity from restricted IP addresses, newly opened ports and services, and changes to firewall rules. The data collected includes device type, make, model, firmware, software versions, configurations, vulnerabilities, patches, ports and services, user accounts, firewall rules, and PLC key switch positions. This approach maintains a comprehensive, up-to-date view of vulnerabilities without disruptive vulnerability scans.

With this detailed and ongoing monitoring, organizations maintain continuous awareness of whether their systems remain in trusted, secure states.
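To make the baseline-and-alert idea concrete, here is an added example of the comparison logic, not Industrial Defender code and not from the report. Both snapshots are constructed dicts (the firmware version, port table, user list and firewall rules are invented); a real deployment would collect them from the asset. `diff_snapshot` reports every field that drifted from the baseline, treating firewall rules as an ordered list so that an allow rule inserted above the default deny is visible, and `check_firewall_policy` applies two baseline-independent checks: a trailing default-deny rule must exist, and no rule may allow from any source.

```python
"""Configuration baseline change detection for one OT endpoint (constructed data)."""

# Constructed baseline captured when the asset was last verified as trusted.
BASELINE = {
    "firmware": "4.2.1",
    "key_switch": "RUN",
    "ports": {22: "sshd", 502: "modbus"},
    "users": {"operator", "svc_historian"},
    "firewall": [
        ("allow", "10.10.1.0/24", 502),
        ("deny", "any", "any"),
    ],
}

# Constructed current snapshot: a vendor left a temporary account, opened a
# web interface to everyone, and the key switch was left in REMOTE.
CURRENT = {
    "firmware": "4.2.1",
    "key_switch": "REMOTE",
    "ports": {22: "sshd", 502: "modbus", 8080: "httpd"},
    "users": {"operator", "svc_historian", "tmp_vendor"},
    "firewall": [
        ("allow", "10.10.1.0/24", 502),
        ("allow", "any", 8080),
        ("deny", "any", "any"),
    ],
}

# Assumed severity per category; tune to the entity's own risk ranking.
SEVERITY = {"firewall": "high", "users": "high", "ports": "medium",
            "key_switch": "medium", "firmware": "low"}


def diff_snapshot(baseline, current):
    """Return (category, severity, detail) alerts for every deviation."""
    alerts = []
    for category in sorted(set(baseline) | set(current)):
        old, new = baseline.get(category), current.get(category)
        if old == new:
            continue
        sev = SEVERITY.get(category, "low")
        if isinstance(old, dict) and isinstance(new, dict):
            # Keyed tables (port -> service): report each changed key.
            for key in sorted(set(old) | set(new), key=str):
                if old.get(key) != new.get(key):
                    alerts.append((category, sev, f"{key}: {old.get(key)} -> {new.get(key)}"))
        elif isinstance(old, set) and isinstance(new, set):
            # Unordered membership (user accounts): report adds and removals.
            alerts += [(category, sev, f"added {x}") for x in sorted(new - old)]
            alerts += [(category, sev, f"removed {x}") for x in sorted(old - new)]
        elif isinstance(old, list) and isinstance(new, list):
            # Ordered rule sets (firewall): position matters, so report it.
            for i, rule in enumerate(new):
                if rule not in old:
                    alerts.append((category, sev, f"rule inserted at {i}: {rule}"))
            for rule in old:
                if rule not in new:
                    alerts.append((category, sev, f"rule removed: {rule}"))
        else:
            alerts.append((category, sev, f"{old} -> {new}"))
    return alerts


def check_firewall_policy(rules):
    """Baseline-independent checks: explicit default deny last, no allow-from-any."""
    findings = []
    if not rules or rules[-1] != ("deny", "any", "any"):
        findings.append("no trailing default-deny rule")
    for i, (action, src, port) in enumerate(rules):
        if action == "allow" and src == "any":
            findings.append(f"rule {i} allows from any source on port {port}")
    return findings


if __name__ == "__main__":
    for category, sev, detail in diff_snapshot(BASELINE, CURRENT):
        print(f"[{sev:6}] {category}: {detail}")
    for finding in check_firewall_policy(CURRENT["firewall"]):
        print(f"[policy] firewall: {finding}")
```

Run against the constructed snapshots, the diff produces four alerts (the inserted firewall rule, the key switch change, the new port 8080, and the tmp_vendor account), and the policy check independently flags the allow-from-any rule. Keeping the policy check separate from the diff matters: a weak rule that was already present when the baseline was taken would never show up as a change, but it still fails the policy.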

Shortages of Labor and Skillsets

Touching briefly on this theme, the report notes the skills gap and the increasing strain on cybersecurity workers across the industry, along with the growing complexity of the cyber landscape. Industrial Defender addresses this by removing much of the manual work in managing OT assets and in daily assessment and compliance tasks. The platform automates these tasks, keeping information on your cyber systems current and reducing the opportunity for human error.

Performance Drift

The last theme focuses on physical security, which is outside what we cover here, but we recommend reading the full report if you are interested in those insights.

Strategically Addressing OT Cybersecurity Gaps

OT asset management is fundamental to addressing the cybersecurity issues raised in this report. Continuous, detailed monitoring of OT systems is key to knowing what issues exist in your OT environment at any given time, so that you can take timely and meaningful action on them. While this helps with compliance audits, it also strengthens your security posture against threats that can occur at any time. The advantage of using Industrial Defender is that it makes deeper, always up-to-date, trustworthy OT asset data easy to obtain in support of both security and compliance.