EnergySec is a consortium with the mission, “…to support energy sector organizations with the security of their critical technology infrastructures.” Their EnergySec Summit 2017 is happening this week. The focus of this conference is:
- Defining and developing strategies to strengthen critical infrastructure protection programs
- Learning the details about the latest standards (e.g., AMI Security, NERC CIP compliance, CFATS, etc.)
- Understanding the complexities of balancing security and compliance in a highly regulated industry
- Making valuable connections with industry-recognized security leaders who are at the forefront of physical and cyber security
- Meeting and learning more from leading security solution vendors, communication suppliers and technologists in the energy sector
Emerson’s Jaime Foose has been attending this gathering and shared some notes and panelist quotes that I’d like to pass along from one of the sessions she attended, How to Survive the Ever Expanding Scope of NERC CIP. Whether you’re in the electrical power generation and distribution business or another industry, cybersecurity program planning and execution likely plays a large role in your overall efforts.
For the power industry, complying with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards poses a significant challenge. One of the panel sessions Jaime attended included representation from Tripwire, which provides security configuration and change management software. Tripwire Enterprise is included as one of the components in the Power and Water Cybersecurity Suite.
Tripwire conducted a survey in 2016 across several industries on how organizations handle cyber-related activities such as patching, asset identification and vulnerability management. Overall, the energy sector detects changes to its systems better than other industries and is much better at validating patches before deployment. Jaime noted that the sector is doing relatively well compared to other industries on patching and vulnerabilities, but it struggles to identify new hardware and software appearing on the network.
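As an added illustration of the gap Jaime noted (this is example code written for this post, not Tripwire's or Emerson's), here is a minimal baseline-versus-observed asset diff: the baseline is what the change process says should be on a network segment, the observation is what is actually answering on the wire, and anything the baseline does not explain is a new device or new software. The inventories, MAC addresses and product strings below are constructed sample data.

```python
"""Baseline-vs-observed asset inventory diff for an OT network segment.

Two inputs: an approved baseline (what the change process says should be on
the segment) and a fresh observation (what is actually answering, e.g. from
switch MAC tables or a passive scanner). Anything in the observation that the
baseline does not explain is the "new hardware or software" that the survey
says the sector struggles to identify.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str        # normalized to lowercase, colon-separated
    ip: str
    software: str   # "product/version" as reported by the inventory tool


def normalize_mac(mac: str) -> str:
    """Make MACs comparable regardless of case or separator style."""
    return mac.strip().lower().replace("-", ":")


def parse_inventory(text: str) -> dict:
    """Parse 'mac,ip,software' lines into a dict keyed by normalized MAC.

    Blank lines and '#' comments are ignored. A malformed IP or duplicate MAC
    raises, so a corrupt export is not silently treated as an empty (and
    therefore alarming) inventory.
    """
    assets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        mac, ip, software = fields
        ipaddress.ip_address(ip)  # raises ValueError on garbage
        mac = normalize_mac(mac)
        if mac in assets:
            raise ValueError(f"line {lineno}: duplicate MAC {mac}")
        assets[mac] = Asset(mac, ip, software)
    return assets


def diff_inventory(baseline: dict, observed: dict) -> dict:
    """Return what changed between baseline and observation, keyed by MAC.

    new_hardware:     devices on the wire that no baseline entry covers
    missing_hardware: baseline devices not observed (outage, or a
                      decommissioning that skipped the change process)
    changed_software: same device, different product/version
    changed_ip:       same device, different address
    """
    result = {"new_hardware": [], "missing_hardware": [],
              "changed_software": {}, "changed_ip": {}}
    for mac, obs in sorted(observed.items()):
        base = baseline.get(mac)
        if base is None:
            result["new_hardware"].append(mac)
            continue
        if base.software != obs.software:
            result["changed_software"][mac] = (base.software, obs.software)
        if base.ip != obs.ip:
            result["changed_ip"][mac] = (base.ip, obs.ip)
    result["missing_hardware"] = sorted(set(baseline) - set(observed))
    return result


# Constructed sample data, not real assets. Note the mixed MAC formats in the
# baseline: exports from different tools rarely agree on a convention.
BASELINE = """\
# mac, ip, software
00:1A:2B:3C:4D:01,10.10.1.10,hmi-runtime/7.1
00-1a-2b-3c-4d-02,10.10.1.11,historian/3.4
00:1a:2b:3c:4d:03,10.10.1.12,plc-firmware/2.0
"""

OBSERVED = """\
00:1a:2b:3c:4d:01,10.10.1.10,hmi-runtime/7.1
00:1a:2b:3c:4d:02,10.10.1.11,historian/3.5
00:1a:2b:3c:4d:04,10.10.1.50,engineering-laptop/unknown
"""


def run_sample() -> dict:
    """Diff the constructed sample; the demo and the checks both use this."""
    return diff_inventory(parse_inventory(BASELINE), parse_inventory(OBSERVED))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

On the sample, the diff flags one unexplained device (the laptop at 10.10.1.50), one historian whose version moved without a baseline update, and one PLC that has gone quiet. Keying on MAC rather than IP is deliberate: on a flat OT segment addresses are reused, and the device identity is what the change record needs to match.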
Many utilities are using the NERC CIP standards as a basis for their control system cybersecurity efforts, but are going above and beyond the standards to secure systems and standardize across their fleets. It’s important for power producers to stay abreast of future requirements, and architecture and scalability will be key to long-term success for both compliance and security.
Evaluation criteria for technologies and solutions that address changing standards should consider whether a given technology provides a control function, validates a control function or supports one. For some power producers, fines have driven the focus on cybersecurity. Fines led one producer to invest in security controls across both operational technology (OT) and information technology (IT), because the organization sees value even where compliance is not mandated. The key drivers for starting the program were the fines and executive leadership’s personal experience with identity theft, which raised awareness and drove action, change and investment in security controls, processes and procedures.
The bottom line is that organizations need to create a program that makes sense, is repeatable and meets compliance obligations while truly securing assets. They should leverage supplier resources for guidance and advice, and stay in contact with local auditing bodies for additional support. These efforts should be scaled programs that are actionable and sustainable over time.