Enhancing NERC CIP Compliance with Private LTE: Secure Solutions for Utilities

Ensuring compliance with the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards is essential for utilities to protect critical assets and maintain the reliability of the Bulk Electric System. In this webinar, we break down NERC CIP standards and how to abide by them.


Recorded Webinar

Apr 08, 2025 | Length: 56:20

This webinar, featuring experts from Digi International, Anterix, and Sierra Nevada Company, explores how private LTE networks coupled with industrial IoT connectivity and security solutions can bolster security and streamline NERC CIP compliance. Learn how integrating 3GPP specifications with NERC CIP standards enhances communication security and reduces vulnerabilities, the importance of leveraging private LTE networks to strengthen utility cybersecurity, and more.

Follow-up Webinar Q&A

In our recent webinar on NERC CIP compliance, we had an excellent discussion with our subject matter experts on how utilities can utilize private Anterix networks and Digi solutions as part of their compliance strategy. See the Q&A session below. If you have additional questions, be sure to reach out.

Moderator:

  • Mitch Sinon, Senior Marketing Manager, Digi International

Presenters:

  • Kyle Shepard, Chief Engineer, Cyber Security Programs, Sierra Nevada Company
  • Michael Finegan, Director, Ecosystem Program Management, Anterix
  • Phil De Carlo, Senior Field Applications Engineer, Digi International

If Anterix's licensed spectrum is used to create private networks, how can users test and validate their solutions?

Michael: Yes. Great question. So, when the spectrum is sold, or leased, long-term, to utilities, it's their network, and they basically do not get a chance to share that with anybody. So, having a private network, you need to go someplace where there is 900 megahertz to be able to test, and so Anterix provides a lab environment in New Jersey, where we allow our ecosystem partners and our customers to be able to test and validate their solutions, ensure connectivity, that the application's running, and there's security behind those. So, that's an area that we would like to foster. We also have the ability to help support the ecosystem and customers, to be able to have an experimental license, and be able to have that in their own environments. Of course, they have to be compliant with the way that the FCC looks at that spectrum. But in some cases, we provide a starter kit, to be able to go out there and help folks to be able to test when they have high volume. Somebody like Digi, who's an ODM (original design manufacturer) that puts out hundreds of thousands of devices, it may make sense to be able to have your own testing environment in-house, to be able to do that to support utilities. So those are a couple of instances where the spectrum can be used and to be able to really have a secure environment that you can test in-house.

Is there a formal NERC standard that Digi routers comply with, or show on the spec sheet?

Phil: Sorry. Not a specific NERC standard. We operate as part of a system which would be certified for NERC compliance.

How do these cyber principles apply to systems that are separated by an air gap?

Kyle: It depends on the system. So, the idea of an air gap is something that is going away, in terms of what is considered best practice for security, except for specific use cases. Nuclear is a big one there, but they are governed by a separate set of standards. So, when you look at something like an air gap, you can still do some form of monitoring, and use something... Binary Armor can do it, but also, data diodes are common for being able to monitor and enforce one-way transfer out of a system, to understand what's going on. So, there are ways to actually apply that type of monitoring within those types of systems.

One word of caution there is when you say that it's an air gap, in a lot of cases, there are challenges associated with that. And one of the things that you end up seeing in the real world is, at some point, someone gets tired of it being an air gap, and they create some form of shadow backdoor, to be able to make their lives easier. So, you need to be able to enforce that it actually stays an air gap, or you're dealing with the challenges of working with an air-gapped system that you're now having to drive two hours to get to where that system is. And so, it's very much a trade-off there. A lot of the securities come along where, if you don't have to do an air gap for your requirements, generally speaking, it's best to appropriately secure the connections, and enforce according to best practices, as opposed to using air gap as your security measure.

What vulnerabilities are exposed when using local device configuration versus a cloud-based device management system like Digi Remote Manager®?

Phil: I think the main loss that you have if you're not using Digi Remote Manager (Digi RM) is that you don't have the ability to be instantly alerted to local changes. And so, whereas Digi Remote Manager allows you to scan devices constantly, to make sure that you're maintaining that configuration management, you lose that if you don't have a connection.

And so, you risk somebody being able to either log in, or gain physical access to the device, and make local changes to them, that you wouldn't necessarily be aware of. I think on a more meta level, you also lose the ability to easily aggregate the data from the devices, as far as parameters, configuration management, and performance, which also will help you spot trends and spot perhaps more subtle ways that people are trying to gain access to your network.
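The drift check Phil describes, as an added illustration that is not Digi Remote Manager's own code or API: a central scanner keeps an approved baseline per device, fingerprints each observed configuration, and reports exactly which fields changed, plus any device that is not in the inventory at all. Device names, configuration keys and values are constructed for the example.

```python
"""Configuration-drift check of the kind a central device manager performs.

Constructed illustration, not Digi Remote Manager code: it keeps a known-good
baseline of each device's settings and reports any field that later differs,
which is the alert you lose when devices are only configured locally.
"""
import hashlib
import json

# Constructed baseline: the approved configuration per device (hypothetical keys).
BASELINE = {
    "rtr-substation-01": {"firmware": "24.9", "ssh_enabled": True,
                          "admin_users": ["ops"], "allowed_mgmt_cidr": "10.0.0.0/8"},
}

def fingerprint(config):
    """Stable SHA-256 over canonical JSON, so a change in any field is visible."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def diff_config(baseline, observed):
    """Return {field: (expected, actual)} for every field that drifted,
    including fields added on the device that the baseline never had."""
    drift = {}
    for key in sorted(set(baseline) | set(observed)):
        if baseline.get(key) != observed.get(key):
            drift[key] = (baseline.get(key), observed.get(key))
    return drift

def scan(observed_configs, baseline=BASELINE):
    """Compare each observed device config with its baseline; return alerts."""
    alerts = []
    for device_id, observed in observed_configs.items():
        expected = baseline.get(device_id)
        if expected is None:
            alerts.append({"device": device_id, "reason": "unknown device"})
            continue
        if fingerprint(expected) == fingerprint(observed):
            continue  # fast path: configuration unchanged
        alerts.append({"device": device_id, "reason": "config drift",
                       "changes": diff_config(expected, observed)})
    return alerts

# Constructed scan result: a local login added an admin account and widened
# management access, and a device appears that is not in the baseline at all.
OBSERVED = {
    "rtr-substation-01": {"firmware": "24.9", "ssh_enabled": True,
                          "admin_users": ["ops", "temp"], "allowed_mgmt_cidr": "0.0.0.0/0"},
    "rtr-unlisted-99": {"firmware": "24.9"},
}

if __name__ == "__main__":
    for alert in scan(OBSERVED):
        print(alert)
```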

If our organization uses NIST certification, how does that map to NERC CIP requirements?

Michael: That's a good one. This is a bit of a challenge, right, because everybody's going after slightly different security standards, right? And so, NIST is a very popular one, that is actually being used by many organizations, to help with SOC 2 compliance and other capabilities around that. But it's challenging because if you're going after those particular validations and certifications, how do you know that you're actually mapping to maybe some of the NERC requirements?

So, I think there are entities like the WECC organization, which has done a great job at mapping these NIST compliance parameters directly to the NERC CIP requirements. And so there's a nice mapping between them, and I would encourage utilities and customers to be able to go to their entities at NERC, and get that mapping. There's the online information resource, and there's a large team that has helped do a complex mapping of those individual standards, and how they align with NERC CIP compliance. I would encourage folks to be able to do that, because although they're different, they do solve many of the same problems. It's just a matter of how do you report, and how do you audit those particular capabilities? So, that's what I would recommend, because although they're different, there is an overlap between them, so check out your entity, and really go after seeing how NERC aligns with NIST.

We had a client ask, 'If your routers are NERC-compliant, how do you recommend answering that question?' You mentioned it is part of a broader system. Is there a checklist of items we should be asking for from our customer?

Phil: I'll probably defer to Kyle and Michael on the processes for system certification in that case. But, I mean, I will say that we can certainly talk about the individual security certifications, like FIPS 140-2, and other things that we have applied to the router itself. But, yeah, you need to talk about those things in the context of the entire system.

Michael: It's a great question, because actually, it's the reason why I think Digi and Binary Armor are coming together. Because you make great features and capabilities with Digi RM. It has a lot of advantages to be able to do that. But when you add the security aspects and policies, that maybe Kyle's products come together, those two align within a private network, and help provide the overall tools for the system to align with the NERC CIP area.

So, this is an evolution where ecosystem partners need to work together, to help make sure that these policies are implemented with the features, so that you can be able to do the appropriate auditing and reporting that goes back up to the organization like NERC and be compliant in some of the numbers that we were mentioning earlier. So, it's not that one company can do it, but maybe multiple companies can help at a system level. Kyle, maybe you have a perspective.

Kyle: Yeah, I think the big thing is to make sure that, when you look at NERC CIP, similar to NIST 800-171, or 800-53 on the government side, that is a certification for the overall system. So, when you say, ‘I am NERC CIP compliant,’ you're saying, ‘I have a power distribution system that is NERC CIP compliant,’ right? Just as, when I go through NIST 800-53 for an aircraft, I say, ‘That aircraft is certified.’

One thing we didn't really talk about in this is the actual supply chain security side of things. And that's where you end up talking about what am I actually using as my routers, right? Did I go on Alibaba and buy a $5 router, or did I go to someone like Digi that has the types of supply chain controls on, ‘Here's how we build our hardware and our software?’ That is something that, on the defense side, we have very rigorous standards associated with doing that, related to for example your FIPS compliance on the hardware and things along those lines. So, the question's a little bit different. So, when you say, ‘Hey, is this component NERC CIP compliant?’ the answer is almost always no, because that certification is on the whole system. But it's when you start talking about what hardware am I putting into the system, that's usually where that answer comes in.

How does LTE help meet NERC CIP? For example, what security controls built into LTE facilitate the use of LTE versus other communication options?

Michael: So, part of the standards that happened with 3GPP align the absolute security that's being used in part of the LTE infrastructure. So, looking at encryption, and looking at the way that there's data integrity with those particular elements, specifically how the UE, or user equipment, connects directly to the eNodeB, or the network itself, to make sure that the integrity of the data hasn't been compromised… there are alerts and notifications, and then there's a well-defined encryption methodology that happens with it. So, with the identity and encryption and connectivity between those elements, we're able to really prove that the devices are connected in a secure way.

And then, when you take the other elements within, say, Phil's system, on the router side, or even when we start looking at Kyle's software, to be able to do further intrusion detection, to see if it's been compromised, I think you end up having layers of really good security that happens not only at the LTE layer, but then all the way down to the device and UE layer, and down to the application layer. So, that maybe helps to explain a little bit. There's a slide that I had earlier in my presentation that hopefully you'll be able to get your hands on, that shows a little bit about how the encryption and how the keys are mapped, specifically in LTE. Hopefully, that answers the question. Kyle, maybe you want to add a little bit to that?

Kyle: I think that really it will end up depending per system, but when you talk about the private LTE support, the two things that you get are: one, the device authentication, meaning that by using the actual identifiers within the devices and the SIM cards, you can actually provide some authentication, authorization to a network, to help you know that what's on your network is trusted. You aren't able to just plug into a network switch and add devices. It is kind of scary how much I've seen that in military bases. But that is one thing that's actually very useful, is you now know everything that's connected to your network.

And then, where it also helps you is it does help from a cost reduction standpoint, of enforcing other standards. So, LTE itself helps give you a network that gives you a lot of the device authentication, if you're not going through, like, a lot of your RADIUS or types of authentication and device inventory management. That's frankly not very widely adopted. So, LTE gives you an ability to get that jump. And then, being able to layer on top of that other security processes is a lot more streamlined to do, because you're using this wireless network to be able to do it, as opposed to having to lay fiber to get to somewhere.

Michael: Just to chime in, to wrap it up, and I didn't really highlight this, but this is a private network, right? Meaning that the utility itself owns the infrastructure, sees all the elements behind it, and basically has control, end to end, including the prioritization of that traffic, the authentication of the traffic, and how it works, to their SIM and to their identity. They have control in every step of that and are able to do interrogation. So it doesn't just go into the mobile operator's network and they no longer have any visibility into it. Now they have complete end-to-end visibility, through all the elements. I think that's a very important point here, is they have every layer that they can be able to interrogate and be able to resolve problems if needed.

How do I manage my costs with widespread monitoring of my systems?

Kyle: This actually comes up a lot when everyone starts talking about AI-enabled predictive maintenance and everything, the goal would be to do enrichment out at the edge. So, this is a value out of the more modern cell gateways, like Digi EZ 4i or Digi IX30. Being able to run containers on those systems, like we do with our Binary Armor product, it does give you an ability to actually do security processing out at the edge. Gives you the value, in addition to if you have some form of connectivity issue, you're still having your security run, but then on top of that, we call it pre-enrichment, right? You end up looking at your network, and you're only really feeding back stuff that you care about. You're not feeding everything back. So, you are able to use that to help manage how much traffic is going back to a system to monitor, and then keeping that data throughput down, while still being able to get that monitoring.
