Stage IV: The cyber security program is implemented as a cross-functional process and generally understood throughout the organization, with minimal dependence on individuals for its perpetuation.
Stage V: The cyber security process is measured by the organization in terms of the human and technology costs, incident response times and standardized reporting involved in mitigating critical vulnerabilities and responding to attacks as they happen.
As a rule, organizations rarely jump over stages in implementing cyber security programs without help from external suppliers. A common mistake made by organizations is to aim for Stage IV when starting at Stage I or to aim for Stage V when starting from Stage II. Implementing a robust policy, coordinated with a process enabled by predictable, automated technologies and reporting mechanisms, takes time internally.
Yet the NERC CIP compliance schedule will require just such a jump for many electric systems. The CIP standards are scheduled to become effective on Oct. 1 and electric systems must comply, in varying degrees, as soon as the first quarter of 2006. Given the current level of comments on the drafts, this schedule may slide but probably not more than a couple of quarters.
Fortunately security technologies and processes have evolved considerably over the last five years. Vendors offer a range of tools, technologies and fully automated outsourced processes that can speed the CIP compliance effort. These products and services need to be factored into the cost estimates.
The cost of complying with NERC CIP varies significantly depending on which stage the organization is at. The size of the organization also matters, but given the fixed costs associated with continuous monitoring of the network by trained IT and SCADA Security personnel, the size matters less than the stage.
Key components of cost of complying with NERC CIP include:
- Policy and procedures development and implementation;
- Dedicated security personnel, 24x7x365; and
- Intrusion detection and monitoring.
Policy and Procedures Development and Implementation
Security policies and procedures provide the enabling “glue” that binds a sustainable, scalable security program. Operational procedures span change control, configuration management, patch management and backup and recovery in relation to overall information security policies.
For organizations at Stages I or II, the consulting fees alone to develop and implement robust policies and procedures start at $50,000 for a small utility operation and $500,000 for large utilities. Stage III organizations can expect a 30 percent lower entry point given the running start they have toward the definition stage of the work. Their expenditure is required to roll out effective training programs with demonstrated results. Stage IV and V organizations likely will not require outside services to continue improving themselves in relation to NERC CIP and other mandates.
Dedicated Security Personnel, 24x7x365
At any stage, personnel costs generally dwarf technology costs, since companies must staff an incident response process with dedicated personnel, 24x7x365. Typically, personnel costs represent 70 percent of ongoing resource requirements. Furthermore, the expertise required to staff these positions is in relatively short supply given the specialized skills associated with installing, managing and monitoring network security systems. Outsourced managed security service providers (MSSPs) have emerged as a result of the opportunity to aggregate expertise for application across hundreds of networks from security operations centers designed to deliver these services.
The average cost of a fully loaded, full-time-equivalent trained security professional is $120,000 per year, assuming a base salary for a certified information systems security professional of about $85,960, plus overhead costs of approximately 40 percent over base. Assuming a minimum of three FTEs are required to staff a continuous incident response process, $360,000 per year or $30,000 per month is the minimum entry point for any size organization to fully comply with not just NERC CIP but Sarbanes-Oxley and HIPAA.
These security professionals must review anywhere from 2,000 to 3,000 alerts per year, or 5 to 10 a day, if network security devices are properly tuned to reduce the number of false positives they generate. When devices are not properly tuned, the volume of alerts is overwhelming. For instance, organizations at Stage I, II or III often install intrusion detection systems (IDS) but tune them into a state of irrelevance for lack of time.
Intrusion Detection and Monitoring
CIP-005 requires all bulk electric systems to have a 24-hour intrusion detection capability to detect intrusions and intrusion attempts at the electronic security perimeter and on critical cyber assets. For utility companies, specific IDS signatures have been written, with funding from the Department of Homeland Security Advanced Research Projects Agency (HSARPA), to identify attacks embedded in SCADA and DCS protocols. These signatures are primarily focused on the MODBUS TCP and DNP3 protocols, which are widely used in the electric industry. A single IDS sensor can identify attacks on Microsoft operating systems and on SCADA field devices such as IEDs and PLCs.
Organizations will require a minimum of one IDS, and larger enterprises will need up to four. Costs start at $40,000 to $50,000 for typical enterprise-grade vendor-supported products.
Monitoring technology used internally by an organization, typically referred to as Security Information Management systems (SIMs), ranges widely in cost. But they typically start at $100,000, including systems integration fees, for any organization large enough to deploy the technology. According to the Gartner Group, the cost and complexity of using SIM tools put them out of reach for all but the top 20 percent of the Fortune 1000. SIMs collect syslog events, Windows event logs, SNMP traps, firewall logs and other information from all the security devices in the organization, store that information in a common database, analyze it and present it in a format that is easier for security specialists to interpret.
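As an added illustration, not code from the article, of what the SIM paragraph and the alert-volume figures above describe: a Python sketch that normalizes constructed syslog IDS, firewall and Windows event lines into one common record format, collapses repeated alerts the way IDS tuning does, and converts the annual alert count into the daily review load. Host names, addresses and rule ids are made up for the example.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample lines in the formats a SIM would ingest (IDS alerts via
# syslog, firewall drops, Windows event log). Hosts, IPs and rule ids are made up.
SYSLOG = [
    "Oct  3 14:02:11 ids1 snort[2211]: [1:1000001:1] MODBUS write from untrusted zone [Priority: 2] {TCP} 10.0.5.20:50211 -> 10.0.9.7:502",
    "Oct  3 14:02:12 ids1 snort[2211]: [1:1000002:1] DNP3 broadcast address used [Priority: 3] {TCP} 10.0.5.21:40100 -> 10.0.9.8:20000",
    "Oct  3 14:02:13 ids1 snort[2211]: [1:1000002:1] DNP3 broadcast address used [Priority: 3] {TCP} 10.0.5.21:40101 -> 10.0.9.8:20000",
    "Oct  3 14:02:14 ids1 snort[2211]: [1:1000002:1] DNP3 broadcast address used [Priority: 3] {TCP} 10.0.5.21:40102 -> 10.0.9.8:20000",
]
FIREWALL = ["Oct  3 14:05:40 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.9.7 PROTO=TCP DPT=502"]
WINEVT = ["2005-10-03 14:07:02,hmi01,529,Logon failure: unknown user name or bad password"]

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) snort\[\d+\]: \[[\d:]+\] (?P<msg>.*?) \[Priority: (?P<prio>\d)\]")
FW_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) kernel: (?P<action>\w+) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")

def normalize(syslog, firewall, winevt):
    """Map every raw line onto one common record so the three sources can be analysed together."""
    events = []
    for line in syslog:
        m = SYSLOG_RE.match(line)
        if m:
            events.append({"source": "ids", "host": m["host"], "signature": m["msg"], "severity": int(m["prio"])})
    for line in firewall:
        m = FW_RE.match(line)
        if m:
            events.append({"source": "firewall", "host": m["host"],
                           "signature": f"{m['action']} from {m['src']} to port {m['dpt']}", "severity": 3})
    for line in winevt:
        _ts, host, event_id, msg = line.split(",", 3)
        events.append({"source": "windows", "host": host, "signature": f"EventID {event_id}: {msg}", "severity": 2})
    return events

def collapse_repeats(events):
    """Tuning step: fold identical (host, signature) pairs into one record with a count,
    so an analyst reviews one item per distinct condition instead of every repeat."""
    groups = OrderedDict()
    for e in events:
        key = (e["host"], e["signature"])
        if key not in groups:
            groups[key] = dict(e, count=0)
        groups[key]["count"] += 1
    return list(groups.values())

def noisiest_signatures(events, n=3):
    """The signatures generating the most volume are the first candidates for re-tuning."""
    return Counter(e["signature"] for e in events).most_common(n)

def daily_review_load(alerts_per_year, days=365):
    """Convert an annual alert count into the per-day figure an analyst must actually review."""
    return alerts_per_year / days
```

With the article's 2,000 to 3,000 alerts per year, daily_review_load returns roughly 5.5 to 8.2, which is the 5 to 10 a day the text quotes for a properly tuned deployment.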