
Matrikon’s Rick Kaun discusses the challenges utility companies are facing from new reliability standards.
Reliability standards have created a frenzy over the last few years for corporations in various industries, including pipelines, food and beverage, pharmaceuticals and oil and gas, but nowhere has their impact been more pronounced than in the power industry.
The most recent of these standards is the mandatory critical infrastructure protection (CIP) standards issued by the North American Reliability Commission (NERC). Once finalized, the standard will be fully enforceable in the US on behalf of the Federal Energy Regulatory Council (FERC) and by provincial authorities in Canada. These standards are bringing with them a myriad of new and exorbitant costs for power companies.
The establishment of a compliance system itself can bring enormous costs, ranging from hundreds of thousands of dollars to over $1 million in order to create and implement the program. Once complete, there is the potential cost of noncompliance or compliance infractions, which can easily reach $1 million. The final issue, with which a great cost can be associated, is the maintenance of these systems. This is a cost to which most companies are just starting to give serious thought, and it is also potentially excessive, with industry estimates ranging upwards of $2 million a year for larger, more complex utilities.
With all of this money being spent on adopting systems that will allow power companies to be CIP-compliant, thought should now be turned to what is involved in maintaining these systems, and how this can be done with less financial and human capital investment, while ensuring that the system remains near-foolproof.
Procedures
The current CIP standards being released to the power industry by NERC consist of eight topics, and are applicable to any entity that owns, operates, or uses any portion of the bulk power supply in the United States. These standards outline procedures that must be adhered to regarding:
While many companies have already begun to think about how to establish a documentation system to gain compliance, thought should now turn to the issue of how to maintain a system that is implemented to keep the organization or entity CIP compliant.
The compliance program involves financial resources, physical resources and human resources in order to ensure that the standards are consistently being adhered to. In terms of human assets, market research shows that many power companies that have already begun to implement a maintenance system have forecast the need for up to 10 additional full-time employees to ensure that the proper documentation is being maintained, the proper reports are compiled, and that information is being submitted to NERC in a timely and accurate fashion.
Due to the criticality of establishing a compliance system and ensuring that it is enforceable within the mandated timelines, many power companies have begun to find ways of using existing document management systems to complete the tasks required by the CIP standards. The concerns with using an existing physical documentation system that relies on human factors to orchestrate the workflow involved in maintaining compliance are twofold.
Concerns
First, there is the concern that a paper-based or manual documentation system creates too large a time gap. In order to report on what is happening in an entity’s network effectively, there needs to be an automated system in place that can pull data in as close to real-time as possible. This not only ensures that the reports are as current as they can be, but that if there are any threats to security that do come about, or any potential risks that need to be mitigated, they can be addressed as soon as possible, minimizing the effects of a potential security threat or critical activity.
We can also find value in reducing the gap between problems occurring and our reaction to them, because it can significantly reduce downtime. This downtime can affect one piece of equipment, or it can affect the entire organization, depending on where this problem originates. This all allows companies to move from a reactive mode of operation to a more proactive approach.
The other major problem with human dependency is that there is a risk of human error that cannot be mitigated. With a physical documentation system, the best-case solution is to use an electronic system to create reminders at appropriate landmarks in the audit process, but the system cannot ensure that the tasks are carried out on time and in full. Without using technology to automate this process, there is no way to lessen the risks associated with human error, especially when people are working beyond what their physical bandwidth allows.
The only way to create a solution to this problem is to look at a system that automates the data collection and entry component involved in the compliance program. There are many benefits to creating an automated compliance management system for any compliance program.
First, the accuracy of the data in the compliance system is much better. Therefore the risk of incurring any noncompliance fines associated with submission errors is dramatically reduced. Second, once the system is in place, the amount of human capital dedicated to this task can be cut down by over half, with the main responsibility of the compliance team now being analysis, management and reporting, rather than data collection, data entry, clarification, correlation and submission.
In terms of efficiency, the ability to orchestrate workflow and automate systems into real-time deliverables allows companies to manage their compliance programs on an ongoing basis, as opposed to ad hoc or deadline-driven efforts as audit cycles approach. Ongoing programs are much more secure as well.
For example, if you are not using a real-time system with automatic updates, the only source of information (and its frequency) would be for local staff to look at the data, sort through all of the documentation, realize that there is a security problem, and then begin to address it. By this time, there is already a risk to your network, your critical assets and your compliance program. By moving to a real-time automated system, you can be alerted when there is a change to your protected systems and supporting systems that is misaligned with your normal expectations, and then generate work processes to update and re-align your compliance program.
Benefits
The benefits of an automated system are obvious, but it is imperative that an organization understands the importance of these compliance standards and all of the associated long-term costs and risks, not only those incurred in the short term when establishing a regulatory compliance program such as one for CIP compliance. And since this particular standard is mandatory, the only difference between organizations will be how each manages change over time against this standard.
The emergence of this standard signifies a change that will impact the organization on every level, and it is important to understand how an emerging compliance program can be managed most effectively with the least amount of financial outlay.
In summary, if your company is looking to implement a compliance management solution for industrial cyber security, strong consideration should be given to a single system that will provide automatic information gathering and updates, contextual tools like workflow and document management and integration with best-in-class supporting systems such as your firewalls, antivirus systems and intrusion detection systems.
In addition, a platform which has received real-world updates on regulatory standards and emerging threats would provide for an adaptive and dynamic program. User-empowering tools such as automatic notification, baseline comparison and risk profiling should also be key. Simple document management and workflow without the context of real-time status and ongoing updates is just not going to be enough to effectively manage risk and compliance on the plant floor.
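As an added illustration of the baseline comparison and automatic notification the article advocates (this is example code written for this page, not Matrikon's product or any NERC tooling), the following Python compares a collector's live snapshot of protected-asset settings against an approved baseline and turns each deviation into a re-alignment work item. All asset names and settings are constructed and hypothetical.

```python
from dataclasses import dataclass

# Constructed approved baseline for protected assets (hypothetical names/settings).
BASELINE = {
    "hmi-01": {"firewall": "on", "antivirus": "2.3", "open_ports": [443]},
    "plc-gw-02": {"firewall": "on", "antivirus": "2.3", "open_ports": [502]},
}

# Constructed live snapshot, as an automated collector would pull it.
OBSERVED = {
    "hmi-01": {"firewall": "off", "antivirus": "2.3", "open_ports": [443, 23]},
    "plc-gw-02": {"firewall": "on", "antivirus": "2.3", "open_ports": [502]},
    "eng-ws-03": {"firewall": "on", "antivirus": "2.1", "open_ports": [3389]},
}


@dataclass
class Alert:
    asset: str
    field: str
    expected: object
    observed: object


def compare_to_baseline(baseline, observed):
    """Return one Alert per deviation from the approved baseline.

    Covers three cases: a setting that drifted, an asset that appears with
    no approved baseline at all, and a baselined asset that stopped reporting.
    """
    alerts = []
    for asset, live in observed.items():
        approved = baseline.get(asset)
        if approved is None:
            alerts.append(Alert(asset, "inventory", "approved asset", "unapproved asset"))
            continue
        for field, expected in approved.items():
            if live.get(field) != expected:
                alerts.append(Alert(asset, field, expected, live.get(field)))
    for asset in baseline.keys() - observed.keys():
        alerts.append(Alert(asset, "inventory", "reporting", "not reporting"))
    return alerts


def work_orders(alerts):
    """Group alerts into one re-alignment work item per affected asset."""
    orders = {}
    for a in alerts:
        line = f"{a.field}: expected {a.expected!r}, observed {a.observed!r}"
        orders.setdefault(a.asset, []).append(line)
    return orders
```

Running `work_orders(compare_to_baseline(BASELINE, OBSERVED))` yields two work items: one for hmi-01 (firewall disabled, unexpected telnet port) and one for the unapproved eng-ws-03.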
Rick Kaun is the Director of Matrikon's Industrial Security and Compliance group. Kaun frequently presents whitepapers and participates in industry initiatives related to the energy industries. He has directed a number of consulting projects, including industrial cyber security audits and CIP compliance efforts, and contributes to the development of security guidelines within NERC’s CSSWG.