By Chris Posey, Online Editor
The electric power industry is a relatively exposed component of the nation's infrastructure. Vulnerabilities to natural disasters, system disruptions and human error are native to the industry and the compromise of power generation and/or transmission systems can be financially devastating. Add to these vulnerabilities the daily troubles stemming from the use of new, growing and changing technologies and the need for a proactive, evolving cyber security program becomes obvious.
The North American Electric Reliability Council (NERC), having recognized potential threats to the energy infrastructure both virtual and material, established the critical infrastructure protection (CIP) program to address issues of online and network security within the power generation industry, as well as physical/structural challenges common to the industry.
NERC's CIP program is intended to be dynamic in nature. One goal of the program is to:
"Identify what has changed in our environment by extending what we already do well in critical infrastructure protection/asset risk management to include emerging physical and electronic threats… [noting that] interdependencies between other infrastructures and the electricity sector are complex and require continued review and assessment."
The necessarily evolving nature of NERC's CIP program, one of its greatest strengths, allows it to be nimble enough to address constantly changing cyber threats.
Mandated Compliance
Industrial Defender (ID), a CIP-oriented service that provides utilities with a comprehensive cyber security response to CIP mandates, helps North American bulk electric power customers meet compliance requirements through vulnerability assessments, risk mitigation and risk management managed security services. Despite the compulsory nature of the program, Brian Ahern, president and CEO of ID, believes that NERC CIP standards are being well received by utilities. Ahern comments, "From a market perspective, it was certainly a much needed, well overdue initiative to really get the industry to begin taking action." He indicates that his company has seen a "positive and aggressive" position being taken on CIP mandates by the industry. "The bottom line is the industry has embraced the need. I think they've gotten a black eye, but they're taking action, and I would say that the objectives set out by NERC CIP of securing the nation's utility infrastructure are going to work," Ahern says.
Asset Risk Management
Cyber threats, whether intentional or accidental, can affect a number of targets within the nation's integrated electric and communications systems, including:
- power generators
- regional transmission operators
- transmission substations
- distribution control centers
- distribution substations
Landing a punch against any one of these systems can be catastrophic and costly. NERC's "Approach to Action" in protecting these elements includes a four-tier security model (avoidance, assurance, detection and recovery). Specific elements of NERC's Approach include:
- identification of critical services and assets
- vulnerability assessments
- risk assessment and management
- recovery and restoration
- monitoring and updating
- information sharing, education and awareness
- coordination within the electric industry
- interdependencies
- research and development
The purpose of these items is to address the eight NERC-CIP standards: critical cyber asset identification, security management controls, personnel and training, electronic security perimeter(s), physical security, systems security management, incident reporting and response planning, and recovery plans for critical cyber assets. Utilities are to meet different levels of compliance through 2008 and 2009 into 2010.
Challenges
NERC CIP still faces several challenges. One such challenge articulated by Brian Ahern is that of realizing a uniform interpretation of NERC CIP standards across utilities. Ahern notes, "From a trends perspective, all utilities are going to interpret the requirements differently…a tier 1 utility with a larger asset base is going to interpret them differently than a coop or a municipality." Auditors are tasked with the challenge of recognizing the role of varying systems on a utility-by-utility basis, determining the significance of these variances contextually and bringing utilities into some sort of uniform compliance.
Closely tied to the challenge of interpreting CIP standards is that of implementing CIP standards. Ahern uses the example of identifying and accessing critical cyber assets (CIP standard 002) to exemplify this challenge. He notes that for some utilities, identification and access measures may be as simple as signing a clipboard that hangs on the doorknob of an office, while other utilities implement the standard through sophisticated card-key access and biometrics. Despite the interpretive nature of the standard, Ahern concludes that "at the end of the day, utilities are going to measure their tolerance for risk, and they're going to comply."
A final challenge Ahern mentions is ownership of compliance management. Implementation of CIP standards crosses internal boundaries between operations and corporate IT and external boundaries between power generators, regional transmission operators and transmission substations among other entities. Aside from logistical and tactical challenges related to ownership, Ahern also mentions the cultural challenge utilities face in bringing "bleeding edge IT and traditional operations folks" together in agreement over issues in which the groups have at times been diametrically opposed in the past.
Utilities are falling into line as the value of NERC CIP becomes readily apparent. Of course, the hefty fines for noncompliance are compelling utilities to adopt appropriate measures quickly. Despite the completion of the initial investments required of utilities tied to the national grid and the seeming finality of "compliance," infrastructure cyber security measures stemming from NERC CIP will continue to grow and evolve as new challenges present themselves.