
Reliability standards have created a frenzy over the last few years for corporations in various industries, including pipelines, food and beverage, pharmaceuticals, and oil and gas, but in none of these has the effect been more pronounced than in the power industry. The most recent example is the mandatory Critical Infrastructure Protection (CIP) standards issued by the North American Electric Reliability Corporation (NERC). Once finalized, the standards will be fully enforceable in the US under the authority of the Federal Energy Regulatory Commission (FERC) and by provincial authorities in Canada. These standards bring with them a myriad of new and exorbitant costs for power companies.
The establishment of a compliance program itself can bring enormous costs, ranging from hundreds of thousands of dollars to over $1 million to create and implement it. Once it is complete there is the potential cost of noncompliance or compliance infractions, which can easily reach $1 million. The final issue, also carrying a great cost, is the maintenance of these systems. This is a cost to which most companies are only now starting to give serious thought, and it too is potentially excessive, with industry estimates reaching upwards of $2 million a year for larger, more complex utilities. With all of this money being spent on adopting systems that will allow power companies to be CIP-compliant, thought should now turn to what is involved in maintaining these systems, and how this can be done with less financial and human capital investment while ensuring that the system remains near-foolproof.
In total, 107 standards have been submitted to FERC for approval, of which 24 have already been approved and 83 are pending. The compliance process includes periodic formal audits by NERC, as well as self-certification, periodic reporting, and self-reporting of any noncompliance.
The current CIP standards being released to the power industry by NERC consist of 8 topics, and are applicable to any entity that owns, operates, or uses any portion of the bulk power system in the United States. These standards outline procedures that must be adhered to regarding:
While many companies have already begun to think about how to establish a documentation system to gain compliance, the next major question is how to maintain the system that keeps the organization or entity CIP compliant. The compliance program consumes financial, physical, and human resources in order to ensure that the standards are consistently adhered to. In terms of human assets, market research shows that many power companies that have already begun to implement a maintenance system have forecast the need for up to 10 additional full-time employees to ensure that the proper documentation is maintained, the proper reports are compiled, and information is submitted to NERC in a timely and accurate fashion.
Because of the criticality of establishing a compliance system and ensuring that it is enforceable within the timelines dictated by NERC, many power companies have begun looking for ways to use existing document management systems to complete the tasks required by the CIP standards. The concerns with using an existing paper-based documentation system that relies on human factors to orchestrate the workflow of maintaining compliance are three-fold.
First, a paper-based or manual documentation system creates too large a time gap. To report effectively on what is happening in an entity's network, there needs to be an automated system in place that can pull data in as close to real time as possible. This not only ensures that reports are as current as they can be, but also that any security threats that arise, or any potential risks that need to be mitigated, can be addressed as soon as possible, minimizing the effect of a security threat or critical event. Reducing the gap between a problem occurring and the reaction to it also significantly reduces downtime, which may affect one piece of equipment or the entire organization, depending on where the problem originates. This allows companies to move from a reactive mode of operation to a more proactive approach.
The second major problem with relying on human factors to complete compliance requirements is the risk of human error, which a manual system cannot mitigate. With a physical documentation system, the best-case solution is to use an electronic system to create reminders at appropriate milestones in the audit process, but such a system cannot ensure that the tasks are carried out on time and in full. Without technology to automate the process itself, there is no way to lessen the risk of human error, especially when people are working beyond what their bandwidth allows.
Finally, most existing document management systems are built to comply with regulations enforced at the corporate level. These systems work with Sarbanes-Oxley and similar audit regulations, and are unable to work within the scope of a plant floor, simply because of the systems with which they are associated. Such corporate systems are accustomed to managing data fed through an ERP system or other enterprise-wide system, and cannot communicate effectively with resources at the plant level. A system needs to be built to integrate with these plant-level resources in order to be used at the most efficient level.
The only way to solve this problem is to adopt a system that automates the data collection and entry component of the compliance program. There are many benefits to an automated compliance management system for any compliance program. First, the accuracy of the data in the compliance system is much better, so the risk of incurring noncompliance fines for submission errors is dramatically reduced. Second, once the system is in place, the human capital dedicated to the task can be cut by more than half, with the main responsibility of the compliance team becoming analysis, management and reporting rather than data collection, data entry, clarification, correlation and submission.
In terms of efficiency, the ability to orchestrate workflow and turn automated systems into real-time deliverables allows companies to manage their compliance program on an ongoing basis instead of ad hoc or deadline-driven as audit cycles approach. Ongoing programs are also much more secure. For example, if you are not using a real-time system with automatic updates, the only source of information (and its only frequency) is for local staff to look at the data, sort through all of the documentation, realize that there is a security problem, and then begin to address it. By that time there is already a risk to your network, your critical assets and your compliance program. With a real-time automated system, you can be alerted when a change to your protected systems or their supporting systems deviates from the expected baseline, and then generate work processes to update and realign your compliance program.
The benefits of an automated system are obvious, but it is imperative that an organization understands the importance of these compliance standards and all of the associated long-term costs and risks, not only those incurred in the short term when establishing a regulatory compliance program such as one for CIP. Since this particular standard is mandatory, the only difference between organizations will be how each manages change over time against it. The emergence of this standard signifies a change that will impact the organization at every level, and it is important to understand how an emerging compliance program can be managed most effectively with the least financial outlay.
In summary, if your company is looking to implement a compliance management solution for industrial cyber security, strong consideration should be given to a single system that provides automatic information gathering and updates, contextual tools such as workflow and document management, and integration with best-in-class supporting systems such as your firewalls, antivirus systems and intrusion detection systems. In addition, a platform that receives real-world updates on regulatory standards and emerging threats would provide an adaptive and dynamic program. User-empowering tools such as automatic notification, baseline comparison and risk profiling should also be key. Simple document management and workflow without the context of real-time status and ongoing updates is simply not enough to manage risk and compliance effectively on the plant floor.
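The "baseline comparison" and "alerted when there is a change" ideas above are the part of this that a practitioner would actually build. As an added illustration (not code from the original article, and not a description of any vendor's product), the following Python script compares an approved configuration baseline for a set of cyber assets against what an automated collector reported at its latest poll, suppresses deviations that are covered by an approved change record, and turns the rest into prioritized work items. The asset names, configuration items and the change ticket "CR-0421" are constructed for the example.

```python
"""Baseline comparison of cyber-asset configuration with approved-change
exceptions. Added illustration; asset names, settings and ticket IDs are
constructed for the example, not taken from any real utility."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the approved configuration baseline for two assets.
BASELINE: Dict[str, Dict[str, Any]] = {
    "hmi-01": {"open_ports": [22, 443], "local_accounts": ["operator", "maint"],
               "av_signature_date": "2008-03-01", "fw_policy_hash": "3f1c"},
    "plc-gw-02": {"open_ports": [502, 22], "local_accounts": ["operator"],
                  "av_signature_date": "2008-03-01", "fw_policy_hash": "9a2e"},
}

# Constructed sample: what an automated collector reported at the latest poll.
# hmi-01 has gained an RDP listener and a "temp" account; plc-gw-02 received an
# AV signature update; eng-ws-03 was never baselined at all.
CURRENT: Dict[str, Dict[str, Any]] = {
    "hmi-01": {"open_ports": [443, 22, 3389],
               "local_accounts": ["operator", "maint", "temp"],
               "av_signature_date": "2008-03-01", "fw_policy_hash": "3f1c"},
    "plc-gw-02": {"open_ports": [22, 502], "local_accounts": ["operator"],
                  "av_signature_date": "2008-03-08", "fw_policy_hash": "9a2e"},
    "eng-ws-03": {"open_ports": [22], "local_accounts": ["operator"],
                  "av_signature_date": "2008-03-08", "fw_policy_hash": "c044"},
}

# Approved change records (constructed): (asset, item) -> change ticket.
# A deviation that matches one is expected and must not raise a work item.
APPROVED_CHANGES: Dict[Tuple[str, str], str] = {
    ("plc-gw-02", "av_signature_date"): "CR-0421",
}

# Items whose drift is treated as a security exposure rather than housekeeping.
HIGH_RISK_ITEMS = {"open_ports", "local_accounts", "fw_policy_hash"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Deviation:
    asset: str
    item: str
    expected: Any
    observed: Any
    severity: str           # "high", "medium" or "info"
    ticket: Optional[str]   # approved change reference, if any


def _normalize(value: Any) -> Any:
    """Compare port and account lists as sorted tuples so that ordering
    differences in the collector's output do not count as drift."""
    return tuple(sorted(value)) if isinstance(value, list) else value


def compare(baseline: Dict[str, Dict[str, Any]], current: Dict[str, Dict[str, Any]],
            approved: Dict[Tuple[str, str], str]) -> List[Deviation]:
    """Return every difference between baseline and current snapshot, in a
    deterministic order, with approved changes downgraded to 'info'."""
    deviations: List[Deviation] = []
    for asset in sorted(set(baseline) | set(current)):
        if asset not in baseline or asset not in current:
            # Unbaselined asset on a protected network, or an asset missing
            # from the poll (collector outage or undocumented removal).
            ticket = approved.get((asset, "asset"))
            expected = "present" if asset in baseline else None
            observed = "present" if asset in current else None
            deviations.append(Deviation(asset, "asset", expected, observed,
                                        "info" if ticket else "medium", ticket))
            continue
        for item in sorted(set(baseline[asset]) | set(current[asset])):
            expected = _normalize(baseline[asset].get(item))
            observed = _normalize(current[asset].get(item))
            if expected == observed:
                continue
            ticket = approved.get((asset, item))
            if ticket is not None:
                severity = "info"
            elif item in HIGH_RISK_ITEMS:
                severity = "high"
            else:
                severity = "medium"
            deviations.append(Deviation(asset, item, expected, observed, severity, ticket))
    return deviations


def work_items(deviations: List[Deviation]) -> List[str]:
    """Turn unapproved deviations into work orders, highest severity first."""
    pending = [d for d in deviations if d.ticket is None]
    pending.sort(key=lambda d: (SEVERITY_ORDER[d.severity], d.asset, d.item))
    return [f"[{d.severity.upper()}] {d.asset}: {d.item} expected {d.expected!r}, "
            f"observed {d.observed!r}; remediate or submit a change record"
            for d in pending]


if __name__ == "__main__":
    for line in work_items(compare(BASELINE, CURRENT, APPROVED_CHANGES)):
        print(line)
```

Run against the constructed snapshot, this raises two high-severity items for hmi-01 (the new RDP port and the new local account), one medium item for the unbaselined workstation, and nothing for the antivirus update on plc-gw-02 because it is tied to an approved change record. The point of the approved-change map is the one the article makes about keeping the program ongoing: every alert either gets remediated or gets a change record, after which the baseline is re-approved, so the comparison stays meaningful between audit cycles instead of drowning in expected noise.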