As I write this week Defense Secretary Leon Panetta warns of an ever increasing escalation of cyber terrorism. Since September 11, 2001 there has been a growing concern about Cyber Security. The Federal Energy Regulatory Commission designated the North American Electrical Reliability Council, NERC as the Electric Reliability Organization. Through this authority NERC has developed a set of Cyber Security Standards for electric utilities to ensure Critical Infrastructure Protection. These standards provide a set of minimum requirements required to ensure the security of electronic information exchange. These standards outlined as CIP-002 through CIP-009 are listed as follows:
CIP-002 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment. Complete Standard
CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Complete Standard
CIP-004 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness. Complete Standard
CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter. Complete Standard
CIP-006 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. Complete Standard
CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the
Electronic Security Perimeter(s). Complete Standard
CIP-008 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Complete Standard
CIP-009 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. Complete Standard
Electric utilities are required to comply with these standards however an exception is allowed for Technical Feasibility. Equipment does not have to be replaced in order to achieve compliance however
when equipment is replaced it may need to be upgraded to meet compliance. Exceptions must be submitted and approved.
A list of FAQ’s is available to help clarify these standards. These standards may serve as guidelines for other industries not required to comply but who wish to implement a plant network secure from attack.
Doug Deiterman – Senior Controls Engineer