The replacement of dial-up modems with digital, always-on internet connections is nearing complete saturation in the United States (to the point that AOL *gives* away its site depending on whether you are on dial-up or broadband), on both the consumer side and in the business realm. This shift to always-on has tremendous benefits in all aspects of business, but especially for organizations that operate equipment that is critical (at least to their business, if not to the general population - such as electricity generation).
“NERC’s mission is to ensure that the bulk electric system in North America is reliable, adequate and secure. Since its formation in 1968, NERC has operated successfully as a self-regulatory organization, relying on reciprocity and the mutual self-interest of all those involved.” http://www.nerc.com
NERC, until recently, could not require (i.e. mandate) compliance with information security standards, as it was a voluntary organization. Although it has done a tremendous job of sharing information and furthering the stability and safety of bulk electric systems (for which I am thankful, as my stack of gadgets would be worthless without said power), the recent Energy Act signed into law provided the necessary support. Among other things, the Act allows FERC to mandate that NERC requirements are adhered to across the country. FERC is, in essence, the Federal version of NERC, w/o getting into a large Visio chart.
NERC initially issued a security standard that was referred to as 1200. This standard was recently replaced with CIPs 1-9. It is important to realize this fact, because these CIPs were all reviewed, approved, and accepted by the council and the enforcement group. CIP = "Critical Infrastructure Protection", and the standards cover the following topics:
CIP-002-1 Critical Cyber Asset Identification
CIP-003-1 Security Management Controls
CIP-004-1 Personnel & Training
CIP-005-1 Electronic Security Perimeter(s)
CIP-006-1 Physical Security of Critical Cyber Assets
CIP-007-1 Systems Security Management
CIP-008-1 Incident Reporting and Response Planning
CIP-009-1 Recovery Plans for Critical Cyber Assets
I excluded CIP-001-1 Sabotage Reporting, as that standard has not yet been officially adopted. There is a phase-in plan for implementation, and regulatory compliance audits will happen right afterwards - overseen by FERC.
Overall, the standards are not complicated, overly burdensome, or unclear. They are very specific to electric systems and to the risks SCADA systems become exposed to by being interconnected with corporate networks and the internet. Despite recent postings at Threat Chaos stating the opposite, the U.S. bulk electric system has (finally) adopted a security standard, has the necessary teeth to enforce it (thanks Mr. Bush), and with real penalties on the line, adoption is the most profitable and appropriate response.
Recently I worked with a major bulk electric provider in the South East and created a very nice breakdown of the controls (technical and relevant to their infrastructure / topology) that meet the specified requirements. This crosswalk allowed the client to meet their upstream and downstream counterparts' requirements with a single response, totally eliminating duplicate testing and wasted effort. I have seen others use such a method, but I was hoping for some feedback on the acceptance of this practice across the electric industry and elsewhere. If others have experience in this space, please post away below!! Depending on interest, I will post the crosswalk.
James DeLuccia IV