All Topics > Business Services > Automating NERC CIP Compliance >

Automating NERC CIP Compliance Connecticut

Local Companies

Nathan & Lewis Securities Incorporated
(203) 967-8633
30 Oak St
Stamford, CT

Connecticut Adhd Treatment Center
(203) 445-8463
15 Corporate Dr
Trumbull, CT

Harris Management Services Llc
(860) 873-8989
15 Main St
East Haddam, CT

Inter-Options Inc
(203) 855-1884
15 Cricket Ln
Norwalk, CT

Gager International Inc
(860) 526-5922
29 Wig Hill Rd
Chester, CT

Swan Place Productions
(860) 231-0555
12 Northcliff Dr
West Hartford, CT

Future Planning Consultants Inc
(203) 453-5057
21 Copper Hill Dr
Guilford, CT

Icare Management
(860) 570-2140
25 Lorraine St
Hartford, CT

Northeast Resource Group
(860) 526-2222
17 River St
Deep River, CT

Flath & Associates Consulting
(860) 443-2020
New London, CT

By Tom Schmidt

Matching up security policies with NERC CIP regulatory requirements, compiling appropriate NERC CIP compliance documentation, and reporting on current compliance levels are labor- and capital-intensive tasks. A key strategy for reducing the risk and cost associated with implementing IT controls is to automate as many procedures as possible. By minimizing error-prone manual processes, he explained, companies can eliminate the fragmentation and duplication of efforts to avoid deploying redundant or unnecessary solutions.

A recent study by the IT Policy Compliance Group vividly underscores the risks related to manual processes. According to the study:

"In one form or another, human error is the overwhelming cause of sensitive data loss, responsible for 75% of all occurrences. User error is directly responsible for one in every two cases, while violations of policy -- intended, accidental and inadvertent -- are responsible for one in every four cases." ("Taking Action to Protect Sensitive Data," February 2007)

This article looks at some of the challenges the electric power industry currently faces in improving cyber security, followed by an overview of the steps companies can take to automate NERC CIP compliance.

Cyber security challenges
Improving cyber security in the electric power industry is challenging for several reasons. Chief among them:

Increased interconnectivity SCADA/EMS and DCS systems were initially designed with efficiency and reliability -- rather than security -- in mind. These systems are increasingly being integrated with business information systems, thus introducing new vulnerabilities.
Remote access requirements At the same time, company engineers, contractors, and others require remote access to plant/power system control systems via modem or other means to maintain 24/7 operations. Unfortunately, this access introduces additional vulnerability points and could lead to the unleashing of viruses or malicious code within the control systems.
Nonstop operations The nonstop operational requirement of utility control systems complicates security implementation and testing because systems can never be taken offline.
Standardization The drive to improve operational efficiency and drive costs down is also leading to increasing standardization of control system technologies and use of off-the-shelf IT technologies. SCADA/EMS and DCS are increasingly implemented on Microsoft Windows and Linux operating system-based platforms. In parallel with this trend, technical information about these standards is increasingly available in trade journals and online, enabling would-be attackers to identify vulnerabilities that can be used to attack SCADA/EMS and DCS systems.
Shortage of resources Another significant challenge is the shortage of security resources in key areas of the electric power industry -- for example, in energy control centers. Most control centers are not staffed 24/7 with IT and security experts, and such staffing wouldn't be economically feasible. This complicates interpretation of security logs and other activities related to maintaining security around the clock.

Gearing up for NERC CIP compliance
Formidable as these challenges to enhancing security are, it is also the case that the need for security has never been more acute, especially now that it has been formalized as a regulatory requirement. In general, most electric power utilities are in the planning stages of compliance with NERC CIP. Compliance, needless to say, is a complex issue, touching on many areas of operation. For the sake of discussion, let's focus on automating the highly repetitive and manually intensive IT control-related portion of compliance.

One reason automation has become critical is that auditors will demand proof of due care that IT security policies are sufficient, in place, and effective. Consider, too, this finding from that IT Policy Compliance Group study:

"A challenge uniquely found among the organizations with the fewest data losses is classifying data. Moreover, the prioritized responses being taken by the leaders are unlike all other organizations, and include ... automating IT controls and procedures for protecting sensitive data."

Conclusion
IT compliance is an ongoing process, not a one-time event, and it requires automation to reduce cost and inefficiencies. Moreover, much of the cost of compliance involves IT security tasks that require weekly or even daily activities. Many electric power companies are working on new and better methods for implementing these activities in order to reduce the costs of NERC CIP compliance and improve overall IT security.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

Read more about Automating NERC CIP Compliance

- Electric Utilities: Securing the Perimeter Connecticut

As part of their effort to meet pending NERC CIP compliance requirements, and to mitigate the risk of potential service disruptions, electric utility companies would do well to follow the perimeter security best practices outlined in this article.

- Containing Compliance Costs Connecticut
- The Cost of Regulatory Compliance Connecticut
- Sustaining a Competitive Edge in a Changing World Connecticut
- The Compliance Officer's Killer Application Connecticut
- How To Build A Business Ethics Program Connecticut
- How Compliance Controls Can Minimize Data Loss Connecticut
- IT Budgeting Tips Connecticut
- Sarbanes Oxley 404 Compliance Connecticut
- Stepping Up to Security Compliance Connecticut

Regional Articles

- Stepping Up to Security Compliance Connecticut

The intent of multiple regulations, industry standards and best-practice frameworks across industries today is unambiguous: the emerging compliance paradigm seeks to ensure the security, availability and integrity of business information.

- IT Budgeting Tips Connecticut
- How Compliance Controls Can Minimize Data Loss Connecticut
- The Cost of Regulatory Compliance Connecticut
- Electric Utilities: Securing the Perimeter Connecticut
- How To Build A Business Ethics Program Connecticut
- Sustaining a Competitive Edge in a Changing World Connecticut
- The Compliance Officer's Killer Application Connecticut
- Sarbanes Oxley 404 Compliance Connecticut
- Containing Compliance Costs Connecticut

Advertising	Food & Beverage	Nightlife
Business Services	Franchise	Online Database
Career	Health	Pets
Cars	Holidays	Real Estate Resources
Computer Hardware	Home Appliances	Retail & Consumer Services
Construction	Home Electronics	Software
Education	Home Services	Technology
Entertainment	Industrial Goods & Services	Telecommunications
Environmental	Insurance	Trade Shows
Family	Internet	Travel
Fashion	Legal	Weddings
Financial Services	Miscellaneous	World History

Advertising	Family	Home Services	Real Estate Resources
Business Services	Fashion	Industrial Goods & Services	Retail & Consumer Services
Career	Financial Services	Insurance	Software
Cars	Food & Beverage	Internet	Technology
Computer Hardware	Franchise	Legal	Telecommunications
Construction	Health	Miscellaneous	Trade Shows
Education	Holidays	Nightlife	Travel
Entertainment	Home Appliances	Online Database	Weddings
Environmental	Home Electronics	Pets	World History