A structured approach to NERC Reliability Standards compliance and cyber security
This author no longer works for DNV GL.
On June 18, 2007, the Federal Energy Regulatory Commission (FERC) mandated that all users, owners, and operators of the bulk electric system (BES) comply with the North American Electric Reliability Corporation’s (NERC) Reliability Standards. Since then, the energy industry has been earnestly implementing NERC’s Critical Infrastructure Protection (CIP) Cyber Security Standards, CIP-002 through CIP-009. FERC appointed NERC as the electric reliability organization (ERO) with the authority to develop and enforce these standards.
NERC is currently working with the eight Regional Entities that cover the contiguous United States; the neighboring Canadian provinces; and Baja California, Mexico, to conduct compliance enforcement, which includes spot-checks and audits.
Technical CIP Standards are a major challenge
Industry Responsible Entities (utilities registered with NERC) have gone through at least one round of spot-checks and/or audits with their Regional Entities. Has this been successful?
The industry has improved its state of security by implementing, at least, minimal security controls, but there is still a great deal to do. Technology and the business environment are constantly changing; new threats are continuously discovered; and vulnerabilities are evolving, often ahead of security efforts. Responsible Entities must be diligent in designing and implementing controls, measures, and practices to protect their portions of the BES and, together as an industry, to protect the grid from threats and vulnerabilities that target our national critical infrastructure.
The industry’s biggest challenge is implementing the CIP Technical Standards. The following chart shows the number of cyber security compliance violations from September 1, 2010, through August 31, 2011.
[Chart: CIP compliance violations, September 1, 2010 – August 31, 2011]
Cyber security programs
A Responsible Entity can sustain compliance with the CIP Standards by implementing a comprehensive cyber security program. Executive management support and proper planning, design, and resource allocation are paramount to establishing a successful cyber security program, which involves implementing the controls, measures, and practices needed to protect the Responsible Entity’s cyber assets that also impact the BES.
Compliance with the CIP Standards can be a daunting challenge; however, a structured approach will help. A Responsible Entity can apply the following concepts to develop, implement, and manage a successful cyber security program:
- Identify a C-level manager to be accountable and responsible for cyber security, since this is not a project (with start and end dates) but rather a sustainable program that lasts throughout the life of the organization
- Assign an organizational structure to understand the CIP Standards; design, implement, and manage the cyber security program; and report to the C-level manager
- Take stock of what is already in place by performing a risk assessment to determine what is missing and what needs improvement
- Prioritize resources to focus on what is missing and on areas for improvement
- Document and implement policies, with consequences for non-compliance, to set a direction and establish a strong stance on cyber security
- Document all processes and procedures, which will provide audit evidence and enhance program maturity
- Work with the operations and information technology groups to design a network and system architecture that integrates cyber security requirements (confidentiality, integrity, availability, non-repudiation)
- Work with the compliance group to integrate the cyber security program with the compliance program, in order to sustain what is already in place and determine what will be put in place
- Know who has access to its applications, systems, and networks by implementing a robust monitoring process, and also monitor the performance of cyber security controls, measures, and practices, including processes to identify cyber security events that require action
- Design and implement an incident response and reporting process
- Develop a management reporting process to inform key personnel of implementation progress and of program management efficiency and effectiveness, which will also facilitate the collection of proper material evidence to support compliance spot-checks and audits
- Follow its system development lifecycle (SDLC) and change management processes to ensure proper design and planning of technical solutions
- Provide cyber security training to all levels of personnel, including contractors and vendors, and maintain an effective awareness program
- Institute business and process improvement practices to ensure periodic reviews, and revise policies and procedures as needed
Several cyber security governance frameworks are available. The Responsible Entity must choose one that is flexible and scalable to incorporate current and future CIP Standards.
For additional insight into NERC reliability compliance and cyber security, contact our expert: Sam Brattini, KEMA Executive Consultant
Learn more in Brattini’s article, “NERC Reliability Compliance,” published in the September 2011 issue of Power Grid International.
This article was written for KEMA’s TECH Notes series, a monthly publication that provides business and technical insights for secure transmission and distribution systems.