All Topics > Business Services > Automating NERC CIP Compliance >

Automating NERC CIP Compliance Michigan

Local Companies

Manufacturing Management Associate
(269) 279-9057
14860 Mount Zion Rd
Three Rivers, MI

Professional Benefits Services Inc
(616) 285-9894
2959 Lucerne Dr SE Ste 205
Grand Rapids, MI

Skem Inc
(734) 214-0909
5119 Pontiac Trl
Whitmore Lake, MI

L Harding Enterprises Inc
(269) 383-6848
Kalamazoo, MI

AA Management Services
(313) 653-4720
15800 W McNichols Rd
Detroit, MI

Clinical Dynamics Inc
(517) 347-7903
2435 Seville Dr
Okemos, MI

Ajr Marketing
(586) 783-0546
39364 Ormsby St
Clinton Township, MI

Patient Resource Consultants
(616) 454-1189
120 Jefferson Ave SE
Grand Rapids, MI

Mount Olympus Corp
(269) 651-3780
1013 Cato Ln
Sturgis, MI

P P A Financial Concepts
(810) 579-0735
610 E Grand Blanc Rd
Grand Blanc, MI

By Tom Schmidt

Matching up security policies with NERC CIP regulatory requirements, compiling appropriate NERC CIP compliance documentation, and reporting on current compliance levels are labor- and capital-intensive tasks. A key strategy for reducing the risk and cost associated with implementing IT controls is to automate as many procedures as possible. By minimizing error-prone manual processes, he explained, companies can eliminate the fragmentation and duplication of efforts to avoid deploying redundant or unnecessary solutions.

A recent study by the IT Policy Compliance Group vividly underscores the risks related to manual processes. According to the study:

"In one form or another, human error is the overwhelming cause of sensitive data loss, responsible for 75% of all occurrences. User error is directly responsible for one in every two cases, while violations of policy -- intended, accidental and inadvertent -- are responsible for one in every four cases." ("Taking Action to Protect Sensitive Data," February 2007)

This article looks at some of the challenges the electric power industry currently faces in improving cyber security, followed by an overview of the steps companies can take to automate NERC CIP compliance.

Cyber security challenges
Improving cyber security in the electric power industry is challenging for several reasons. Chief among them:

Increased interconnectivity SCADA/EMS and DCS systems were initially designed with efficiency and reliability -- rather than security -- in mind. These systems are increasingly being integrated with business information systems, thus introducing new vulnerabilities.
Remote access requirements At the same time, company engineers, contractors, and others require remote access to plant/power system control systems via modem or other means to maintain 24/7 operations. Unfortunately, this access introduces additional vulnerability points and could lead to the unleashing of viruses or malicious code within the control systems.
Nonstop operations The nonstop operational requirement of utility control systems complicates security implementation and testing because systems can never be taken offline.
Standardization The drive to improve operational efficiency and drive costs down is also leading to increasing standardization of control system technologies and use of off-the-shelf IT technologies. SCADA/EMS and DCS are increasingly implemented on Microsoft Windows and Linux operating system-based platforms. In parallel with this trend, technical information about these standards is increasingly available in trade journals and online, enabling would-be attackers to identify vulnerabilities that can be used to attack SCADA/EMS and DCS systems.
Shortage of resources Another significant challenge is the shortage of security resources in key areas of the electric power industry -- for example, in energy control centers. Most control centers are not staffed 24/7 with IT and security experts, and such staffing wouldn't be economically feasible. This complicates interpretation of security logs and other activities related to maintaining security around the clock.

Gearing up for NERC CIP compliance
Formidable as these challenges to enhancing security are, it is also the case that the need for security has never been more acute, especially now that it has been formalized as a regulatory requirement. In general, most electric power utilities are in the planning stages of compliance with NERC CIP. Compliance, needless to say, is a complex issue, touching on many areas of operation. For the sake of discussion, let's focus on automating the highly repetitive and manually intensive IT control-related portion of compliance.

One reason automation has become critical is that auditors will demand proof of due care that IT security policies are sufficient, in place, and effective. Consider, too, this finding from that IT Policy Compliance Group study:

"A challenge uniquely found among the organizations with the fewest data losses is classifying data. Moreover, the prioritized responses being taken by the leaders are unlike all other organizations, and include ... automating IT controls and procedures for protecting sensitive data."

Conclusion
IT compliance is an ongoing process, not a one-time event, and it requires automation to reduce cost and inefficiencies. Moreover, much of the cost of compliance involves IT security tasks that require weekly or even daily activities. Many electric power companies are working on new and better methods for implementing these activities in order to reduce the costs of NERC CIP compliance and improve overall IT security.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

Read more about Automating NERC CIP Compliance

- Electric Utilities: Securing the Perimeter Michigan

As part of their effort to meet pending NERC CIP compliance requirements, and to mitigate the risk of potential service disruptions, electric utility companies would do well to follow the perimeter security best practices outlined in this article.

- The Compliance Officer's Killer Application Michigan
- How Compliance Controls Can Minimize Data Loss Michigan
- Sarbanes Oxley 404 Compliance Michigan
- How To Build A Business Ethics Program Michigan
- Containing Compliance Costs Michigan
- Sustaining a Competitive Edge in a Changing World Michigan
- The Cost of Regulatory Compliance Michigan
- Stepping Up to Security Compliance Michigan
- IT Budgeting Tips Michigan

Regional Articles

- Sustaining a Competitive Edge in a Changing World Michigan

This article looks at how maintaining consistent and optimized clients that comply with corporate standards enables you to manage change in a predictable way.

- How To Build A Business Ethics Program Michigan
- Electric Utilities: Securing the Perimeter Michigan
- Stepping Up to Security Compliance Michigan
- How Compliance Controls Can Minimize Data Loss Michigan
- Containing Compliance Costs Michigan
- IT Budgeting Tips Michigan
- The Compliance Officer's Killer Application Michigan
- The Cost of Regulatory Compliance Michigan
- Sarbanes Oxley 404 Compliance Michigan

Advertising	Food & Beverage	Nightlife
Business Services	Franchise	Online Database
Career	Health	Pets
Cars	Holidays	Real Estate Resources
Computer Hardware	Home Appliances	Retail & Consumer Services
Construction	Home Electronics	Software
Education	Home Services	Technology
Entertainment	Industrial Goods & Services	Telecommunications
Environmental	Insurance	Trade Shows
Family	Internet	Travel
Fashion	Legal	Weddings
Financial Services	Miscellaneous	World History

Advertising	Family	Home Services	Real Estate Resources
Business Services	Fashion	Industrial Goods & Services	Retail & Consumer Services
Career	Financial Services	Insurance	Software
Cars	Food & Beverage	Internet	Technology
Computer Hardware	Franchise	Legal	Telecommunications
Construction	Health	Miscellaneous	Trade Shows
Education	Holidays	Nightlife	Travel
Entertainment	Home Appliances	Online Database	Weddings
Environmental	Home Electronics	Pets	World History