TheNorth American Electric Reliability Corporation (NERC for short) is an organization whose mission is to ensure the reliability of the bulk power system in North America. Founded in 2006, NERC does this through a set of standards and through its strong enforcement program. NERC’s standards specify requirements for planning, operating and maintaining the bulk power system. Of specific interest today are the Critical Infrastructure Protection (CIP) standards which help protect Critical Cyber Assets* (CCA) that control or could otherwise affect the reliability of the bulk power system.
Regulatory compliance is not new to utilities. Ever since Thomas Edison patented a system for electricity distribution, utilities have had to deal with regulatory compliance issues. But NERC’s most recent CIP standards, dealing with Critical Cyber Assets, are posing new challenges due to the complexity of the reporting and auditing requirements, as well as the regulations’ reach and impact within the utility organization. With NERC’s strong enforcement system and penalties ranging anywhere between $1,000 to $1,000,000 per day per incident, utilities are looking for ways to successfully comply with the standards and pass the periodic NERC audits that need to be performed.
Under the new CIP standards, utilities must meet certain security benchmarks to secure their Cyber Assets – which involves the following tasks and goals: planning for business continuity, planning for disaster recovery, identifying their Critical Cyber Assets, defining procedures to manage specific incidents, logging activities for future audits, and training personnel to manage physical and cyber threats.
Of course, these tasks can be managed manually, but more and more utilities are finding technology a great help. For example,Situation Management technology can offer utilities a structured, consistent and flexible way to meet CIP standards, by providing a framework for:
Planning responses to incidents that could impact Critical Cyber Assets; Defining and implementing procedures to manage and recover from such incidents; Creating situational awareness by identifying the assets being used, what they are being used for, and who is responsible for their management; Logging and documenting the set of responses/actions taken at the time of an incident; Providing extensive reporting needed for efficient investigations and auditing; Training personnel through simulation of incidents; Measuring performance in terms of how well incidents were managed.
What role do you play when it comes to regulatory compliance? Have you “NERCed your utility? Are you looking for a better way to ensure NERC compliance? What are your thoughts on Situation Management? What other approaches or best practices have you employed?
Want to learn more about this subject? Please join us for a webinar (Achieving NERC CIP Compliance – A Utility Case Study) on July 28th at 12:00 EDT (9am PDT). NICE will co-host this webinar with Mike Dunn. Mike is a former Manager of Security for American Electric Power and founder of GMD Security Consulting Services LLC.
*Note: a Critical Cyber Asset is any Cyber Asset essential to the reliable operation of facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.