…compliance with standards developed by the North American Electric Reliability Corp. (NERC), of Princeton, N.J. The NERC Critical Infrastructure Protection (CIP) standards will soon become required for electric grids.
The article quotes Emerson’s Eric Casteel, manager of security, SCADA and renewable energy development in the Power & Water Solutions business. Concerning the development of smart grids and the connection of new plants to them, Eric offered:
Renewable power needs to be monitored more frequently than traditional power… You have wind that’s variable, solar that’s variable, and those variables need to be managed frequently. Oversight is deeper and it’s shared with executives, so it’s exposed to the outside world.
As we’ve highlighted in many cyber security-related posts, the article notes the need to treat cyber-security as a program, not a collection of cyber defense technologies. It should be treated like the plant safety program where everyone has a role, looks out for one another, and has a feeling of ownership.
Eric points out the conflicting objectives IT and the control teams have. IT has deep experience with security and the procedures to keep everything patched and up to date. For the process control team, availability is paramount. It echoes a conflicting-objective thought with respect to screensaver passwords that I expressed in an earlier post:
For example, if an operator gets locked out and can’t immediately address a plant alarm condition, the results can be very different than if an accounts payable professional gets locked out from their workstation.
Eric highlights how some electric plants address these conflicts:
Some plants are bringing in a consultant to work with control, and bridge the gap with IT… Where it’s been most successful is where control still has the responsibility for security, but they work closely with IT.
The article highlights the dilemma the Smart Grid creates: it requires sharing information outside a plant, and that communication path is an entry point for cyber security threats. It concludes:
NERC programs and audits are compelling electric plants to demonstrate their ability to withstand cyber attacks. To cope with all of this, plants are bringing together the expertise of consultants, vendors and their IT departments to ensure that they’re well protected.