While implementation is likely to vary a great deal by sector, the underlying requirements could be used in any industry with little modification. The NERC CIP requirements are similar to banking, e-commerce, health care or government best practices. They require:
Measurement and accountability are key features of the CIP standards. Each standard includes the audit requirements to achieve compliance and requires a “senior management officer’s approval,” which will certainly help achieve management buy-in to cyber security.
NERC chose to be very general in the requirements, rather than state how to meet each requirement. It’s certainly easier to achieve consensus on general requirements and meeting them is bound to improve cyber security to some degree. But a lack of specifics also means a company could be compliant from an audit standpoint without necessarily achieving the intended goal: security.
The standards and related audit requirements apply only to “bulk electric systems,” and most organizations already know if they are subject to NERC standards. But electric systems that don’t fall under NERC’s “bulk electric system” definition would have a cyber security program if they voluntarily comply with these standards.
To take this a step further, other critical infrastructure fields, such as chemicals, oil and gas and water, could use these standards until a more applicable one is developed for their industry.
Complying with NERC CIP
All organizations fall into one of five stages in the evolution toward compliance with the NERC CIP or other compliance mandates such as Sarbanes-Oxley, ACC’s Responsible Care or HIPAA.
Stage I: No clear understanding of the organization’s risks and liabilities in relation to cyber security.
Stage II: General understanding of risks and liabilities, but cyber security as a program is ad hoc and purely reactive.
Policy and Procedures Development and Implementation
Security policies and procedures provide the enabling “glue” that binds a sustainable, scalable security program. Operational procedures span change control, configuration management, patch management and backup and recovery, all in relation to the overall information security policies.
For organizations at Stages I or II, the consulting fees alone to develop and implement robust policies and procedures start at $50,000 for a small utility operation and $500,000 for large utilities. Stage III organizations can expect a 30 percent lower entry point given the running start they have toward the definition stage of the work; their expenditure is needed to roll out effective training programs with demonstrated results. Stage IV and V organizations likely will not require outside services to continue improving themselves in relation to NERC CIP and other mandates.
Dedicated Security Personnel, 24x7x365
At any stage, personnel costs generally dwarf technology costs, since companies must staff an incident response process with dedicated personnel, 24x7x365. Typically, personnel costs represent 70 percent of ongoing resource requirements. Furthermore, the expertise required to staff these positions is in relatively short supply given the specialized skills associated with installing, managing and monitoring network security systems. Outsourced managed security service providers (MSSPs) have emerged as a result of the opportunity to aggregate expertise for application across hundreds of networks from security operations centers designed to deliver these services.
The average cost of a fully loaded, full-time-equivalent trained security professional is $120,000 per year, assuming a base salary for a certified information systems security professional of about $85,960, plus overhead costs of approximately 40 percent over base. Assuming a minimum of three FTEs are required to staff a continuous incident response process, $360,000 per year or $30,000 per month is the minimum entry point for any size organization to fully comply with not just NERC CIP but Sarbanes-Oxley and HIPAA.
These security professionals must review anywhere from 2,000 to 3,000 alerts per year, or 5 to 10 a day, if network security devices are properly tuned to reduce the number of false positives they generate. When devices are not properly tuned, the volume of alerts is overwhelming. For instance, organizations at Stage I, II or III often install intrusion detection systems (IDS) but tune them into a state of irrelevance for lack of time.
Intrusion Detection and Monitoring
CIP-005 requires all bulk electric systems to have a 24-hour intrusion detection capability to detect intrusions and intrusion attempts at the electronic security perimeter and on critical cyber assets. For utility companies, specific IDS signatures have been written with funding from the Department of Homeland Security Advanced Research Projects Agency (HSARPA) to identify attacks embedded in SCADA and DCS protocols. These signatures are primarily focused on the MODBUS TCP and DNP3 protocols, which are widely used in the electric industry. A single IDS sensor can identify attacks on Microsoft operating systems and on SCADA field devices such as IEDs and PLCs.
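To show what a protocol-aware monitoring rule of the kind described above looks like in practice, here is an added example (not from the article or any vendor signature set): a minimal Modbus/TCP frame parser that alerts on state-changing writes from masters outside an assumed allow-list for the electronic security perimeter, and on exception responses. The IP addresses and frames are constructed sample data.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC/IED state (public Modbus spec values).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
MBAP_LEN = 7  # transaction id(2) + protocol id(2) + length(2) + unit id(1)

@dataclass
class ModbusPDU:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusPDU:
    """Parse an MBAP header plus PDU; raise ValueError on malformed frames."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusPDU(tid, unit, frame[MBAP_LEN], frame[MBAP_LEN + 1:])

def inspect(src_ip: str, frame: bytes, allowed_masters: set) -> list:
    """Return IDS-style alert strings for one frame (empty list = benign)."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"MALFORMED from {src_ip}: {exc}"]
    if pdu.function & 0x80:  # exception response: high bit set on function code
        return [f"EXCEPTION fc={pdu.function & 0x7F} code={pdu.data[:1].hex()} "
                f"unit={pdu.unit_id} from {src_ip}"]
    if pdu.function in WRITE_FUNCTIONS and src_ip not in allowed_masters:
        return [f"UNAUTHORIZED WRITE {WRITE_FUNCTIONS[pdu.function]} "
                f"unit={pdu.unit_id} from {src_ip}"]
    return []

# Constructed sample traffic: the HMI at 10.0.1.10 is the only approved master.
ALLOWED_MASTERS = {"10.0.1.10"}
SAMPLE_FRAMES = [
    ("10.0.1.10", bytes.fromhex("0001000000060103000A0002")),  # read regs: OK
    ("10.0.1.10", bytes.fromhex("00020000000601060001FF00")),  # write by HMI: OK
    ("10.0.9.77", bytes.fromhex("00030000000601060001FF00")),  # write, unknown host
    ("10.0.1.20", bytes.fromhex("000400000003018102")),        # exception 0x81
]

def run_monitor(frames=SAMPLE_FRAMES, allowed=ALLOWED_MASTERS) -> list:
    return [a for src, f in frames for a in inspect(src, f, allowed)]

if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

The length check matters on an ICS network: a frame whose MBAP length disagrees with its size is exactly the kind of malformed traffic a tuned sensor should surface rather than silently drop.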
Organizations will require a minimum of one IDS, and larger enterprises will need up to four. Costs start at $40,000 to $50,000 for typical enterprise-grade vendor-supported products.
Monitoring technology used internally by an organization, typically referred to as Security Information Management systems (SIMs), ranges widely in cost. But they typically start at $100,000, including systems integration fees, for any organization large enough to deploy the technology. According to the Gartner Group, the cost and complexity of using SIM tools put them out of reach for all but the top 20 percent of the Fortune 1000. SIMs collect syslog events, Windows event logs, SNMP traps, firewall logs and other information from all the security devices in the organization, store that information in a common database, analyze it and present it in a format that is easier for security specialists to interpret.
All or part of the intrusion detection and monitoring can be outsourced. For example, the management and monitoring of an IDS sensor can be outsourced for $750 to $1,500 per month. Management and monitoring of the protection devices, such as firewalls, and monitoring of key servers that are designated as critical cyber assets can also be outsourced. Most of the outsourced services allow full visibility of the monitored information so internal resources can be as involved as they need or want to be.
Vendors provide reporting tools for each set of products monitored, such as firewalls and IDS devices. Alternatively, reports are provided as a standard part of MSSP services. Most importantly, reports must provide an uninterrupted audit trail for review by internal and external auditors.
The NERC CIP standards will be in force shortly. The requirements are very similar to best practices found in other industries, but the implementation will need to take into account the critical availability and performance requirements in a DCS or SCADA system. Given the approaching deadline, bulk electric systems will need to find the right mix of products and services to implement an effective and compliant cyber security program in the available timeframe. They also need to keep an eye on the long-term cost implications of these decisions.
About the Authors
ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.