Adaptive Newsletter

Spotlight

Cyber Security

As I write this week Defense Secretary Leon Panetta warns of an ever increasing escalation of cyber terrorism. Since September 11, 2001 there has been a growing concern about Cyber Security. The Federal Energy Regulatory Commission designated the North American Electrical Reliability Council, NERC as the Electric Reliability Organization. Through this authority NERC has developed a set of Cyber Security Standards for electric utilities to ensure Critical Infrastructure Protection. These standards provide a set of minimum requirements required to ensure the security of electronic information exchange. These standards outlined as CIP-002 through CIP-009 are listed as follows:

CIP-002 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment. Complete Standard

CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Complete Standard

CIP-004 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness. Complete Standard

CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter. Complete Standard

CIP-006 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. Complete Standard

CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the
Electronic Security Perimeter(s). Complete Standard

CIP-008 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Complete Standard

CIP-009 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. Complete Standard

Electric utilities are required to comply with these standards however an exception is allowed for Technical Feasibility. Equipment does not have to be replaced in order to achieve compliance however
when equipment is replaced it may need to be upgraded to meet compliance. Exceptions must be submitted and approved.

A list of FAQ’s is available to help clarify these standards. These standards may serve as guidelines for other industries not required to comply but who wish to implement a plant network secure from attack.

Doug Deiterman – Senior Controls Engineer
ddeiterman@adaptiveresources.com

Adaptive eNews, Spring 2012

In this Issue

To sign up for our eNewsletter please contact us.