Electric Energy T&D - EEMag May June 2008 - Index

Energy companies today have more to deal with than ever before—from a complex and challenging regulatory environment, to ecological challenges and pressure from investors and shareholders to increase profits. To survive, many energy companies have had to re-think the way they operate and make organizational changes to become more efficient. However, at the same time, concerns have increased throughout the industry about the security of energy companies’ infrastructure and assets. In response to these concerns and the increased government oversight from the Federal Energy Regulatory Commission (FERC) that soon followed, the energy industry, through the North American Electric Reliability Corporation (NERC), developed new security standards regarding the protection of critical infrastructure.
While the higher-level goals of these Critical Infrastructure Protection (CIP) standards have been clearly defined, NERC has left it up to each energy company to determine how best to achieve them operationally. Although there has been a good deal of discussion and debate within the industry, best practices for CIP compliance have yet to be identified—and no clear consensus has emerged on how to proceed. The only thing agreed upon at this point is that the earliest some organizations are required to be “substantially compliant” is by mid-2008 and “fully compliant” by mid-2010—meaning that most energy companies cannot wait until there is a consensus to act, as they could be facing the prospect of failed audits and substantial fines for noncompliance.
In order to comply with these standards quickly and easily and avoid any penalties, energy companies are turning to security technology solutions, such as identity management, that can assist in proving compliance, increasing overall security and providing a platform for future security enhancements.
The Challenge of Self-Defining and Self-Securing Assets
For many energy companies, the mandate to secure all critical assets—and in particular, critical cyber assets—is a daunting one. Not only do energy companies have to organize and define critical assets for themselves—a complex task on its own—but they have to secure the assets from both a physical and a logical (IT) perspective and provide documentation of both.
Adding to the challenge is that traditionally there has been little overlap between energy companies’ IT departments and the engineering organizations responsible for the Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS) that control their operations. Most energy companies have not dealt with the IT security requirements that other regulated industries have faced and consequently often do not have the in-house IT security expertise or dedicated resources needed to develop and implement a CIP compliance plan for cyber security.
Despite the challenges, energy companies have more than one incentive to achieve CIP compliance. While the threat of disasters such as terrorism or a blackout has been the most urgent force driving the development of the CIP standards, the benefits of compliance go far beyond minimizing the risk and impact of cataclysmic problems.
May-June 2008 Issue

“Identity Management: Powering Compliance and Security in the Energy Industry”

By David Ting, CTO and founder, Imprivata
The good news is that while some of the CIP standards require a significant commitment of time and human resources, there are technology solutions available that can quickly, easily and affordably help organizations meet many of the CIP requirements—and more importantly—ensure the security of all critical assets. Organizations that attain CIP compliance are empowered to better protect against both physical and logical attacks from both internal and external sources, preventing remote access to the system and stopping insiders looking to sabotage the system from within. In addition, by fulfilling the CIP requirements, energy companies can also gain greater control and visibility over their operations and use of resources, increase safeguards for confidential business and customer data, improve service levels and compete more effectively.
The NERC Mandate
As the electric reliability organization for North America, NERC’s mandate is to improve reliability and security throughout the bulk power system in the United States and Canada. The first 83 NERC reliability standards were approved by FERC in early 2007, making them the first mandatory and legally enforceable standards for the U.S. bulk power system. These standards encompass all aspects of power generation and distribution operations.
Beyond trying to understand what the CIP standards require, it is equally essential for energy companies to understand what problems the standards are intended to solve. In a report entitled “Top 10 Vulnerabilities of Control Systems and