By Tom Schmidt
Matching up security policies with NERC CIP regulatory requirements, compiling appropriate NERC CIP compliance documentation, and reporting on current compliance levels are labor- and capital-intensive tasks. A key strategy for reducing the risk and cost associated with implementing IT controls is to automate as many procedures as possible. By minimizing error-prone manual processes, he explained, companies can eliminate the fragmentation and duplication of efforts to avoid deploying redundant or unnecessary solutions.
A recent study by the IT Policy Compliance Group vividly underscores the risks related to manual processes. According to the study:
"In one form or another, human error is the overwhelming cause of sensitive data loss, responsible for 75% of all occurrences. User error is directly responsible for one in every two cases, while violations of policy -- intended, accidental and inadvertent -- are responsible for one in every four cases." ("Taking Action to Protect Sensitive Data," February 2007)
This article looks at some of the challenges the electric power industry currently faces in improving cyber security, followed by an overview of the steps companies can take to automate NERC CIP compliance.
Cyber security challenges
Improving cyber security in the electric power industry is challenging for several reasons. Chief among them:
- Increased interconnectivity SCADA/EMS and DCS systems were initially designed with efficiency and reliability -- rather than security -- in mind. These systems are increasingly being integrated with business information systems, thus introducing new vulnerabilities.
- Remote access requirements At the same time, company engineers, contractors, and others require remote access to plant/power system control systems via modem or other means to maintain 24/7 operations. Unfortunately, this access introduces additional vulnerability points and could lead to the unleashing of viruses or malicious code within the control systems.
- Nonstop operations The nonstop operational requirement of utility control systems complicates security implementation and testing because systems can never be taken offline.
- Standardization The drive to improve operational efficiency and drive costs down is also leading to increasing standardization of control system technologies and use of off-the-shelf IT technologies. SCADA/EMS and DCS are increasingly implemented on Microsoft Windows and Linux operating system-based platforms. In parallel with this trend, technical information about these standards is increasingly available in trade journals and online, enabling would-be attackers to identify vulnerabilities that can be used to attack SCADA/EMS and DCS systems.
- Shortage of resources Another significant challenge is the shortage of security resources in key areas of the electric power industry -- for example, in energy control centers. Most control centers are not staffed 24/7 with IT and security experts, and such staffing wouldn't be economically feasible. This complicates interpretation of security logs and other activities related to maintaining security around the clock.
Gearing up for NERC CIP compliance
Formidable as these challenges to enhancing security are, it is also the case that the need for security has never been more acute, especially now that it has been formalized as a regulatory requirement. In general, most electric power utilities are in the planning stages of compliance with NERC CIP. Compliance, needless to say, is a complex issue, touching on many areas of operation. For the sake of discussion, let's focus on automating the highly repetitive and manually intensive IT control-related portion of compliance.
One reason automation has become critical is that auditors will demand proof of due care that IT security policies are sufficient, in place, and effective. Consider, too, this finding from that IT Policy Compliance Group study:
"A challenge uniquely found among the organizations with the fewest data losses is classifying data. Moreover, the prioritized responses being taken by the leaders are unlike all other organizations, and include ... automating IT controls and procedures for protecting sensitive data."
Conclusion
IT compliance is an ongoing process, not a one-time event, and it requires automation to reduce cost and inefficiencies. Moreover, much of the cost of compliance involves IT security tasks that require weekly or even daily activities. Many electric power companies are working on new and better methods for implementing these activities in order to reduce the costs of NERC CIP compliance and improve overall IT security.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.