In the U.S., on March 15, President Joe Biden signed a $1.5 trillion omnibus spending bill that requires critical infrastructure providers and federal agencies to promptly report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA). Not knowing you’ve been hacked is no longer a free pass to avoid reporting that you’ve been hacked. It’s more likely the ticket to large fines and bad press — both undesirable side effects that can be avoided through the visibility that test access points (TAPs) provide.

Grid modernization has created an explosion of network-connected equipment, exposing utilities to a wide range of potential threats from nation states, criminals, disgruntled employees, and accidental misconfiguration (which happens far more often than you may think). These new network connections from supervisory control and data acquisition (SCADA) equipment and others expose previously air-gapped industrial control systems to the internet … and hackers.

The energy sector is particularly vulnerable to cyberattack because core cybersecurity strategies have grown outdated. These include the use of switched port analyzer (SPAN) ports that send a mirrored copy of network traffic to security analysis systems, and physical air gapping to separate an Operational Technologies (OT) network from the rest of an enterprise network (IT).

Critical Infrastructure Standards Emerge

Critical infrastructure operators will be expected to deploy threat visibility and detection technologies to support their incident response and recovery capabilities as well as provide greater information-sharing potential. It’s one of several recent motions from the U.S. federal government to address: 1) threat detection and monitoring; 2) incident response and recovery; 3) information sharing; and 4) supply chain security. The energy sector is already subject to multiple North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, so this isn't unexpected.

The NERC is a regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC’s jurisdiction includes users, owners, and operators of the bulk electric system, which serves nearly 400 million people.

NERC CIP standards include regulatory elements that make collecting and archiving network traffic more important than ever. These standards require utilities to monitor network traffic data at the control center, the plant, and the substation. Utilities are subject to regular NERC compliance audits and must also regularly conduct vulnerability assessments.

Network TAPs vs SPANs

Threat detection and monitoring begins with the addition of network TAPs in power plants and substations at multiple levels of a SCADA network. TAPs give OT personnel and IT network managers secure and ready access to data from critical infrastructure systems without adding to the compliance footprint or requiring network changes. TAPs provide a vital, noninvasive, network-friendly means to monitor and examine large quantities of network traffic. Unlike SPAN ports, TAPs present no load on the network and ensure that no packets are dropped, no changes occur to the timing of frame interactions, and valuable resources are not wasted examining duplicate packets.

Once TAPs are installed, network packet brokers can capture, filter, aggregate, regenerate, and efficiently route network traffic to security tools for inspection and incident response, creating a tightly integrated, compliant security solution for utilities. Systems that capture all network packets (not just representative sample data) create a complete historical archive of required data to meet strict NERC audit requirements.

 

[Image: The energy sector is particularly vulnerable to cyberattack. Image by Lolly_Sun from Pixabay.]

 

Quick Guide to NERC CIP Standards

The NERC CIP standards include regulatory elements that make collecting and archiving network traffic more important than ever before.

NERC CIP-007-6 R1.1 requires constant monitoring of the network. Entities are required to provide listings of allowed ports and services for each device on the network and to show that they know what is permitted and what is in use.

What it means: As a best practice, network TAPs send copies of network packets for inspection. SPAN ports are not reliable under attack, when malware is flooding switch SPAN ports, whereas TAPs are not hindered by the excessive traffic. The use of TAPs to route all network traffic to anti-malware assets for rapid examination is a highly effective way to show full compliance with CIP-007-6. TAPs also aid in detecting east/west malicious code, especially in situations where malware protection software cannot be installed on purpose-built industrial control devices.
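The comparison of what is permitted against what is in use, described under R1.1 above, can be automated once a TAP-fed sensor exports flow records. The Python below is an added example, not code from the original article or from NERC; the IP addresses, device roles and flow-record layout are constructed, and each record is assumed to run from the initiator to the responder.

```python
from collections import defaultdict

# Constructed baseline: services permitted per device (IP -> {(proto, port)}).
ALLOWED = {
    "10.10.1.5": {("tcp", 502), ("tcp", 22)},      # hypothetical PLC: Modbus/TCP, SSH
    "10.10.1.20": {("tcp", 20000), ("udp", 514)},  # hypothetical gateway: DNP3, syslog
}

# Constructed flow records as a TAP-fed sensor might export them:
# (source IP, destination IP, protocol, destination port), initiator first.
FLOWS = [
    ("10.10.1.100", "10.10.1.5", "tcp", 502),
    ("10.10.1.100", "10.10.1.5", "tcp", 23),     # Telnet is not in the baseline
    ("10.10.1.100", "10.10.1.20", "tcp", 20000),
    ("10.10.1.100", "10.10.1.77", "tcp", 80),    # destination has no baseline entry
]

def audit_ports(allowed, flows):
    """Compare services seen on the wire with the documented allowlist."""
    in_use = defaultdict(set)
    for _src, dst, proto, dport in flows:
        in_use[dst].add((proto.lower(), int(dport)))

    report = {"not_permitted": {}, "unused_permitted": {}, "unknown_devices": []}
    # Services observed on a device but missing from its allowlist.
    for device, seen in in_use.items():
        if device not in allowed:
            report["unknown_devices"].append(device)
            continue
        extra = seen - allowed[device]
        if extra:
            report["not_permitted"][device] = sorted(extra)
    # Services documented as permitted but never observed in the capture.
    for device, permitted in allowed.items():
        unused = permitted - in_use.get(device, set())
        if unused:
            report["unused_permitted"][device] = sorted(unused)
    report["unknown_devices"].sort()
    return report

if __name__ == "__main__":
    for section, findings in audit_ports(ALLOWED, FLOWS).items():
        print(section, findings)
```

Entries under `unused_permitted` are candidates for removal from the allowlist only if the capture window is long enough to cover infrequent but legitimate traffic.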

NERC CIP-007-6 R4.1 requires entities to demonstrate that they have viable and meaningful event logging measures. Event log data is typically sent over the network to a syslog server (or similar) where the data is evaluated and stored.

What it means: TAPs help ensure full compliance with CIP-007-6 R4.1 since all network traffic is captured under all conditions and no event log data is lost due to network flooding, switch problems, or malicious activity. In addition, TAP data can be readily used by the SIEM to determine failed network access attempts, and/or identify unauthorized devices that might connect and disconnect from the network.

NERC CIP-007-6 R4.2 requires entities to show that alerts are generated for at least detected malicious code and failure of event logging.

What it means: TAPs pull the switch out of the detection mix (no SPAN port needed), which ensures no alerts are missed. A TAP also removes the possibility that the switch configuration was modified by an attacker, which they might do to cover their tracks, or misconfigured during legitimate testing or configuration changes.

NERC CIP-009-6 R1.5 requires that network data be available and always processed regardless of the operational status of switches, and requires utilities to preserve data from cyber security incidents.

What it means: TAPs ensure utilities capture all the data, all of the time, no matter the processing load on the switch, whereas SPAN ports can drop data when under attack.

NERC CIP-010-3 R1.3 requires utilities to update their baseline configuration data within 30 calendar days of implementing a change. New devices that remain activated for more than 30 calendar days may result in violations.

What it means: TAPs ensure the consistent flow of network data to analysis equipment and don’t need to go through configuration change control processes with the activation of new devices. In contrast, SPAN ports require reprogramming with device changes.

The new connected environment between the critical infrastructure OT networks and IT networks makes TAPs and network packet brokers essential solutions for maintaining visibility into these networks to ensure security. New government regulations require critical infrastructure providers and federal agencies to promptly report cyberattacks.