Beyond NERC CIP-015-1: Modernizing Electronic, Physical Access Controls for Utilities


Last month, the Federal Energy Regulatory Commission (FERC) ratified critical infrastructure protection requirement 015 version 1 (CIP-015-1) for select bulk electric systems (BES) across the U.S. Although the intent of the requirement had been known for a year and a half before ratification, and many utilities had at least begun considering it, the action was still momentous.

We recently wrote about CIP-015-1, collectively referred to as internal network security monitoring (INSM), and its potential for jumpstarting zero-trust architecture (ZTA) for cyber-physical systems (CPS) at utilities. However, there is another key detail: the standard, as presented, does not fully satisfy FERC’s original Order No. 887.

With the recent ratification, NERC must now further mature the standard to include electronic access control or monitoring systems (EACMS) and physical access control systems (PACS), and it has 12 months to complete this revision.

What are EACMS and PACS?

Electronic Access Control or Monitoring Systems (EACMS) include all systems and controls responsible for providing, denying, or otherwise supporting access electronically within and between CIP-networked environments. 

Physical Access Control Systems (PACS), by extension, include all systems and controls responsible for allowing physical access into the facilities containing the EACMS and the critical resources behind them. Access control is central to both sub-requirements.

Legacy Remote Access No Longer Suitable

For many years, jump boxes were standard in air-gapped environments.

Typically, these hardened and purpose-built machines ran on Linux or Windows and were configured with the bare minimum applications required to allow remote access into and out of air-gapped LAN segments. Jump boxes had user accounts configured on a one-to-one basis under the principle of least privilege (PoLP). They also featured host-based firewall (HBFW) rules allowing only acceptable protocols in or out, a secure shell (SSH) or remote desktop (RDP) client, and logging of access attempts for non-repudiation.

Jump boxes are no longer a suitable means of secure remote access, and with an ever-evolving threat landscape this is especially true of operational technology (OT) environments, where cyber-physical systems (CPS) are contained and processes are mission-critical. Though not a power utility, the bizarre 2021 incident at the Oldsmar, Florida water treatment facility teaches us that it is not enough to simply provide remote access controls: those controls require proper authorization and governance.

Security perimeters require expansion.

Utilities Need Robust Security Perimeters

For utility managers, the term “asset” could mean the transmission lines feeding thoroughfares, or the step-down substations used to transform the higher-voltage electricity coming in from transmission lines to levels suitable for distribution throughout neighborhoods. The physical perimeter for these assets is typically controlled by service ladders in the case of transmission lines, and locked barbed wire fences with connected closed-circuit television (CCTV) cameras and locked control buildings in the case of switchyards.

Assets also refer to smart devices in control buildings.

Within the control building at the switchyard are the sensors, actuators, switches, and meters responsible for intelligent control and management of power distribution to U.S. residents. The buildings are equipped with a variety of physical access control systems that rely on magnetic stripe badge readers or 125 kHz proximity cards (prox cards) held up to the card reader, granting access to whoever is in possession of the card.

That is a large attack surface.

Obviously, there are critical implications if an authorized badge makes it into the hands of an unauthorized person. Critical infrastructure might be compromised not only by a remote unauthorized person using a connected, compromised system, but also by an unauthorized person at the facility attempting to gain entry to the critical infrastructure behind the door. Both actors are insider threats, and this is the crux of the problem EACMS and PACS are expected to solve.

Zero-Trust Architecture as a Nervous System

Zero-trust is only possible when the architecture is purpose-built as a nervous system.

Though a zero-trust architecture (ZTA) has never been about a single point solution, it may be tempting to look instead for a productized fix, such as relying solely on a next-generation firewall or network access control (NAC). The market has over-rotated somewhat toward the network access tenet of zero trust. However, ZTA operates along a continuum.

A ZTA cannot function if not deterministic; ZTA must confidently answer the interrogatives for every request or event in the operational environment. Recalling primary school, interrogatives are the who, what, where, when, why, which, and how; in an operational context, these are the questions that a purpose-built architecture must ask of every subject-object interaction. It must do so automatically as a continuous risk and posture check. This is how our brains work.

Using human biology as an example, our brains keep constant watch over every function of our bodies. For functions such as breathing and heart rhythm, the brain does this without our conscious input.

Similarly, in a robust ZTA, policy enforcement and anomaly detection are vastly improved and automatic because signals are learned and actionable. Provided with high-fidelity signals, EACMS and PACS present a reflexive, formidable defense for your critical infrastructure. 

Zero-Trust Principles Enhance EACMS and PACS

As mentioned, ZTA in a CPS environment is going to look different for power utilities.

The connected, configured environment must be monitored for change, and this capability demands context. For clarity, change refers to any aspect or component within a system that is modified to satisfy an outcome, while the context refers to events, policies, and processes that impact or govern operations. Modifications of a system, for example, might be authorized by a change management authority at the utility. In the worst case, the change is unauthorized and thus unmonitored, and uncontrolled.

Access controls must be governed.

Authorized changes should be made by a person with authority and requisite access to execute the proposed change; however, authorized parties might also perform changes that are deemed unauthorized in the broader context, such as outside of a maintenance window and without a pre-approved change ticket or prior communication of intent. 

Modern PACS now include features such as simple network management protocol (SNMP) notifications, Syslog forwarding, and REST APIs, allowing them to integrate into the broader security perimeter stack at a utility. With this functionality, it becomes possible to correlate a door badge event triggered by an authorized person at a control building with an approved change control ticket assigned to that same person, for example.

Without explicit approval, the doors to facilities protecting our critical infrastructure—logical or physical—must remain locked even to authorized persons. Done right, INSM becomes telemetric, informing your zero-trust architecture and enhancing cyber-operational resilience at once.
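The correlation described in the two paragraphs above, as an added illustration that is not part of the original post and is not Claroty's code. It parses a constructed PACS syslog feed (the key=value line layout, host names, badge ids, user ids, door and site names, and ticket numbers are all assumptions made for the example), looks up the approved change ticket for the badge holder at that site, and answers who, where, when and why for each door grant. A grant with no ticket, a grant outside the ticket's maintenance window, and every denial are returned for analyst review, which is the deviation-from-baseline scrutiny the post asks for.

```python
"""Correlate PACS door events with change control tickets (added example).

The syslog layout below is an assumption for illustration, not a vendor format:
RFC 3164 header, a program name, then space-separated key=value pairs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed PACS line shape: "<PRI>Mon DD HH:MM:SS host prog: k=v k=v ..."
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: (?P<kv>.*)$"
)


@dataclass
class DoorEvent:
    when: datetime
    host: str
    result: str      # ACCESS_GRANTED or ACCESS_DENIED (assumed event names)
    badge: str
    user: str
    door: str
    site: str


@dataclass
class ChangeTicket:
    ticket_id: str
    assignee: str
    site: str
    window_start: datetime
    window_end: datetime
    approved: bool


def parse_event(line: str, year: int) -> DoorEvent:
    """Parse one constructed PACS syslog line; the year is supplied because RFC 3164 omits it."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised PACS line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return DoorEvent(when, m.group("host"), kv["event"], kv["badge"],
                     kv["user"], kv["door"], kv["site"])


def classify(ev: DoorEvent, tickets: List[ChangeTicket]) -> Tuple[str, Optional[str]]:
    """Answer who/where/when/why for one event: returns (verdict, ticket_id)."""
    if ev.result != "ACCESS_GRANTED":
        return "DENIED", None                      # every refusal is reviewed
    # "who" and "where": approved tickets for this person at this site
    candidates = [t for t in tickets
                  if t.assignee == ev.user and t.site == ev.site and t.approved]
    # "when": the badge event must fall inside the approved maintenance window
    for t in candidates:
        if t.window_start <= ev.when <= t.window_end:
            return "AUTHORIZED", t.ticket_id       # "why": the ticket itself
    if candidates:
        return "OUT_OF_WINDOW", candidates[0].ticket_id
    return "NO_TICKET", None


def triage(lines: List[str], tickets: List[ChangeTicket], year: int):
    """Return (user, door, timestamp, verdict, ticket_id) for every line."""
    out = []
    for line in lines:
        ev = parse_event(line, year)
        verdict, ticket_id = classify(ev, tickets)
        out.append((ev.user, ev.door, ev.when.isoformat(), verdict, ticket_id))
    return out


def needs_review(results):
    """Everything that could not be tied to an approved ticket in its window."""
    return [r for r in results if r[3] != "AUTHORIZED"]


# Constructed sample data (ticket numbers, users and sites are made up).
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1042", "jdoe", "SUB-07",
                 datetime(2025, 6, 10, 1, 0), datetime(2025, 6, 10, 5, 0), True),
    ChangeTicket("CHG-1050", "asmith", "SUB-07",
                 datetime(2025, 6, 12, 9, 0), datetime(2025, 6, 12, 12, 0), True),
    ChangeTicket("CHG-1060", "rlee", "SUB-07",
                 datetime(2025, 6, 10, 1, 0), datetime(2025, 6, 10, 5, 0), False),  # pending
]

SAMPLE_LINES = [
    "<134>Jun 10 02:14:07 pacs01 door-ctl: event=ACCESS_GRANTED badge=0x4A1F user=jdoe door=CB-07-MAIN site=SUB-07",
    "<134>Jun 10 23:41:55 pacs01 door-ctl: event=ACCESS_GRANTED badge=0x4A1F user=jdoe door=CB-07-MAIN site=SUB-07",
    "<134>Jun 10 02:30:12 pacs01 door-ctl: event=ACCESS_GRANTED badge=0x77C2 user=rlee door=CB-07-MAIN site=SUB-07",
    "<134>Jun 10 03:05:40 pacs01 door-ctl: event=ACCESS_DENIED badge=0x0F00 user=UNKNOWN door=CB-07-MAIN site=SUB-07",
    "<134>Jun 12 09:15:00 pacs02 door-ctl: event=ACCESS_GRANTED badge=0x5B10 user=asmith door=CB-07-MAIN site=SUB-07",
]

if __name__ == "__main__":
    for row in needs_review(triage(SAMPLE_LINES, SAMPLE_TICKETS, year=2025)):
        print("REVIEW:", row)
```

On the sample feed the first and last grants match their tickets, the second is the same authorized person entering well outside the approved window, the third holder has only a pending ticket, and the fourth is a refused unknown badge; the last three are what the access control team gets to look at. In a real deployment the ticket list would come from the change management system over its API rather than being embedded, and the event source would be the PACS Syslog or REST feed.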

In Summary

For utilities, the security perimeter keeps expanding. With the EACMS and PACS sub-requirements, monitoring schemes at power utilities must evolve to not only include the workstations and devices themselves, but the operational context in total.

In a CPS environment, the operational context includes all managed physical facilities, authorized persons, authentication levels, project files saved to engineering workstations, firmware levels on CPS devices, and protocol usage above established or expected norms. Developing an operational baseline is now table stakes.

Deviations from access control baselines must trigger additional scrutiny by cybersecurity teams, and this will be crucial for cyber-operational resilience.

Taken together, EACMS and PACS are critical components of an INSM capability. We recommend that public utilities, independent power providers (IPPs), co-operatives, and BESs approaching “medium” status take notice of this requirement as implementation planning is pivotal. This is a societal matter and we’re all in this together.

How Claroty Can Help

  1. Install Claroty Edge: Using non-disruptive means to gather asset intelligence and risk information in minutes, Edge is ideal for air-gapped networks or remote substations. Edge collects protocol and deep asset insights without needing full infrastructure revamps.

  2. Deploy Claroty xDome Secure Access: xDome Secure Access provides strong security controls to protect your organization’s OT systems against unauthorized access and identity risks. The Claroty xDome platform incorporates a tailored Zero Trust framework that is further enhanced by privileged access management (PAM) capabilities and identity governance and administration (IGA) functionality. These features are vital in managing and monitoring privileged accounts and their access to critical systems.

  3. Configure network protection: Reduce the attack surface further by analyzing network communication graphs then configuring network zones designed to enforce granular, zero-trust-principled policies and integrate directly with existing solutions within the security operations environment.

  4. Leverage Project File Analysis: As part of a comprehensive data collection and analysis methodology, it enriches your situational awareness by analyzing backup configurations and engineering workstations in air-gapped operational environments.

  5. Integrate with Claroty CTD: Push that intelligence into continuous threat detection (CTD), enabling scalable threat and exposure management for improved security posture and governance.

Claroty’s ecosystem is designed to empower utilities of all types—public or private, co-op or investor-owned—to meet the moment.

Final Thought

Failure of one control should not equate to failure of all controls. EACMS and PACS must complement each other. These CIP-015 sub-requirements are intended to enhance your utility’s cyber-operational resilience and, done thoughtfully, they offer a critical inflection point for broader cybersecurity strategy considerations and utilities aspiring toward ZTA.

Visit https://claroty.com/platform or schedule a demo for more details.
