Energy and Utilities
In January 2008, the Federal Energy Regulatory Commission (FERC) approved (in Order No. 706) eight new mandatory critical infrastructure protection (CIP) reliability standards to protect the nation's bulk power system against disruptions caused by cyber security breaches. These reliability standards were developed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the electric reliability organization (ERO).
"Today we achieve a milestone by adopting the first mandatory and enforceable reliability standards that address cyber security concerns on the bulk power system in the United States," FERC Chairman Joseph T. Kelliher said. "The electric industry now can move on to the implementation of the standards in conjunction with improvement of these standards in order to increase the security and reliability of the bulk power system." The NERC Critical Infrastructure Protection standards (NERC CIP, CIP-002 through CIP-009) had already been approved by NERC and became effective June 1, 2006, with initial compliance auditing starting in late 2007; FERC's 2008 order is what made them mandatory and enforceable under federal law. NERC CIP spells out an auditable set of requirements covering a variety of cyber security areas and applies to generators, transmission and distribution (T&D) organizations, and other entities registered as users, owners or operators of the bulk power system in North America. Assets used only for local distribution fall outside the statutory definition of the bulk power system and are therefore largely out of scope.
The eight separate CIP cyber security standards that NERC has passed and FERC has adopted set out who the responsible entity is, what each requirement is, and what constitutes the different levels of noncompliance. The eight standards and the areas they cover are:
- CIP-002: Critical Cyber Asset Identification
- CIP-003: Security Management Controls
- CIP-004: Personnel and Training
- CIP-005: Electronic Security Perimeters
- CIP-006: Physical Security of Critical Cyber Assets
- CIP-007: Systems Security Management
- CIP-008: Incident Reporting and Response Planning
- CIP-009: Recovery Plans for Critical Cyber Assets
The mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident.
The Challenge
The challenge most organizations face is that the systems used to control and manage the generation and transmission of power, known as Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS), were never designed for security. These systems were designed to be reliable, to run 24 hours a day, 365 days a year without fail, and they do that very well. However, they were built for availability on what was assumed to be an isolated, trusted network, not with IT security properties such as authentication, access control and patching in mind, and retrofitting those properties without disturbing operations is difficult.
Any new form of regulatory compliance is a challenge for organizations, even those already in a regulated industry. Factors such as manpower, cost and ambiguity of the standards make implementation difficult.
In addition to NERC CIP, key IT-related risk and compliance regulations and mandates that energy and utility companies must comply with include:
- SOX 404 (Sarbanes-Oxley Act, section 404) – requires publicly traded companies to assess and report on the internal controls that protect the integrity of financial reporting information
- PCI DSS (Payment Card Industry Data Security Standard) – requires any organization that stores, processes or transmits cardholder data (for example, a utility accepting card payments) to protect that data and to perform ongoing risk assessments
- California SB 1386 and emerging equivalent federal laws – require protection of personal information and notification of affected individuals when unencrypted personal information is exposed
The Solution
Agiliance IT-GRC 3.0 provides energy and utility enterprises with the ability to:
- Establish a resilient IT-GRC business process providing a holistic, real-time view into risk and compliance across the enterprise, including partners and vendors
- Implement a robust operational IT risk program, including automating survey workflow throughout the organization, developing key risk indicators for IT, and assessing threats using the COSO and AS/NZS 4360 standard risk management methodologies
- Demonstrate continuous multi-regulatory compliance with a "test once, comply with many" capability, dramatically reducing the cost and cycle time of testing and reporting while improving their quality
- Integrate and automate technical controls by leveraging existing IT investments in security and change management systems, taking in data from vulnerability scanners, CMDBs, identity management (IdM) systems, segregation-of-duties (SoD) systems and other sources to automatically generate reports, drill down to critical controls, and establish priorities based on the areas with the highest risk
- Migrate over time to standard control frameworks such as ISO/IEC 17799 (now 27002) and 27001, COBIT, and NIST
- Create enforceable policies and monitor controls across functional and geographical boundaries
