Stage IV: The cyber security program is implemented as a cross-functional process and generally understood throughout the organization, with minimal dependence on individuals for its perpetuation.
Stage V: The cyber security process is measured by the organization in terms of the human and technology costs, incident response times and standardized reporting involved in mitigating critical vulnerabilities and responding to attacks as they happen.
As a rule, organizations rarely jump over stages in implementing cyber security programs without help from external suppliers. A common mistake made by organizations is to aim for Stage IV when starting at Stage I, or to aim for Stage V when starting from Stage II. Implementing a robust policy, coordinated with a process enabled by predictable, automated technologies and reporting mechanisms, takes time internally.
Yet the NERC CIP compliance schedule will require just such a jump for many electric systems. The CIP standards are scheduled to become effective on Oct. 1 and electric systems must comply, in varying degrees, as soon as the first quarter of 2006. Given the current level of comments on the drafts, this schedule may slide but probably not more than a couple of quarters.
Fortunately security technologies and processes have evolved considerably over the last five years. Vendors offer a range of tools, technologies and fully automated outsourced processes that can speed the CIP compliance effort. These products and services need to be factored into the cost estimates.
The cost of complying with NERC CIP varies significantly depending on which stage the organization is at. The size of the organization also matters, but given the fixed costs associated with continuous monitoring of the network by trained IT and SCADA Security personnel, the size matters less than the stage.
Key components of cost of complying with NERC CIP include:
- Policy and procedures development and implementation;
- Dedicated security personnel, 24x7x365; and
- Intrusion detection and monitoring.
Policy and Procedures Development and Implementation
Security policies and procedures provide the enabling “glue” that binds a sustainable, scalable security program. Operational procedures span change control, configuration management, patch management, and backup and recovery, in relation to overall information security policies.
For organizations at Stages I or II, the consulting fees alone to develop and implement robust policies and procedures start at $50,000 for a small utility operation and $500,000 for large utilities. Stage III organizations can expect a 30 percent lower entry point given the running start they have toward the definition stage of the work; their spending instead goes to rolling out effective training programs with demonstrated results. Stage IV and V organizations likely will not require outside services to continue improving themselves in relation to NERC CIP and other mandates.
Dedicated Security Personnel, 24x7x365
At any stage, personnel costs generally dwarf technology costs, since companies must staff an incident response process with dedicated personnel, 24x7x365. Typically, personnel costs represent 70 percent of ongoing resource requirements. Furthermore, the expertise required to staff these positions is in relatively short supply given the specialized skills associated with installing, managing and monitoring network security systems. Outsourced managed security service providers (MSSPs) have emerged as a result of the opportunity to aggregate expertise for application across hundreds of networks from security operations centers designed to deliver these services.
The average cost of a fully loaded, full-time-equivalent trained security professional is $120,000 per year, assuming a base salary for a certified information systems security professional of about $85,960, plus overhead costs of approximately 40 percent over base. Assuming a minimum of three FTEs are required to staff a continuous incident response process, $360,000 per year or $30,000 per month is the minimum entry point for any size organization to fully comply with not just NERC CIP but Sarbanes-Oxley and HIPAA.
These security professionals must review anywhere from 2,000 to 3,000 alerts per year, or 5 to 10 a day, if network security devices are properly tuned to reduce the number of false positives they generate. When devices are not properly tuned, the volume of alerts is overwhelming. For instance, organizations at Stage I, II or III often install intrusion detection systems (IDS) but tune them into a state of irrelevance for lack of time.
Intrusion Detection and Monitoring
CIP-005 requires all bulk electric systems to have a 24-hour intrusion detection capability to detect intrusions and intrusion attempts at the electronic security perimeter and on critical cyber assets. For utility companies, specific IDS signatures have been written, with funding from the Department of Homeland Security Advanced Research Projects Agency (HSARPA), to identify attacks embedded in SCADA and DCS protocols. These signatures are primarily focused on the MODBUS TCP and DNP3 protocols, which are widely used in the electric industry. A single IDS sensor can identify attacks on Microsoft operating systems and on SCADA field devices such as IEDs and PLCs.
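As an added illustration of the kind of protocol-aware inspection such signatures perform (example code written for this page, not the HSARPA-funded signatures or any vendor's product), the following Python parses the Modbus/TCP MBAP header and raises alerts for malformed frames, write function codes from hosts outside a master allow-list, and diagnostics requests. The allow-list address and the sample frames are constructed for the example.

```python
import struct
from typing import List, Tuple

# Function codes that change controller state. Hypothetical rule set: writes are
# only expected from the designated HMI/master hosts.
WRITE_FC = {5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAG_FC = 8  # Diagnostics: sub-functions can alter a device's communication state
AUTHORISED_MASTERS = {"10.0.1.10"}  # constructed allow-list, not from the article


def parse_mbap(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Parse the 7-byte MBAP header; return (transaction id, unit id, function code, data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # MBAP length counts unit id + PDU, so a well-formed frame is 6 + length bytes
    if len(frame) != 6 + length:
        raise ValueError(f"declared length {length} disagrees with frame size {len(frame)}")
    return tid, unit_id, frame[7], frame[8:]


def inspect(src_ip: str, frame: bytes) -> List[str]:
    """Return the alerts a simple SCADA-aware sensor would raise for one frame."""
    try:
        _tid, unit_id, fc, _data = parse_mbap(frame)
    except ValueError as exc:
        return [f"malformed Modbus/TCP frame from {src_ip}: {exc}"]
    alerts = []
    if fc in WRITE_FC and src_ip not in AUTHORISED_MASTERS:
        alerts.append(f"{WRITE_FC[fc]} (FC {fc}) to unit {unit_id} from unauthorised host {src_ip}")
    if fc == DIAG_FC:
        alerts.append(f"Diagnostics (FC 8) to unit {unit_id} from {src_ip}")
    return alerts


# Constructed sample frames (MBAP header + PDU), not captured traffic.
READ_REGS = bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", ""))  # FC 3, read 10 registers
WRITE_REG = bytes.fromhex("0002 0000 0006 01 06 0010 00FF".replace(" ", ""))  # FC 6, register 16 := 255
TRUNCATED = bytes.fromhex("0003 0000 0006 01 03 00".replace(" ", ""))         # length says 6, only 3 present
DIAG = bytes.fromhex("0004 0000 0006 01 08 0001 0000".replace(" ", ""))       # FC 8, sub-function 1

if __name__ == "__main__":
    for ip, frame in [("10.0.1.10", READ_REGS), ("10.0.9.99", WRITE_REG),
                      ("10.0.1.10", TRUNCATED), ("10.0.1.10", DIAG)]:
        for alert in inspect(ip, frame):
            print(alert)
```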
Organizations will require a minimum of one IDS, and larger enterprises will need up to four. Costs start at $40,000 to $50,000 for typical enterprise-grade vendor-supported products.
Monitoring technology used internally by an organization, typically referred to as Security Information Management systems (SIMs), ranges widely in cost, but it typically starts at $100,000, including systems integration fees, for any organization large enough to deploy the technology. According to the Gartner Group, the cost and complexity of using SIM tools put them out of reach for all but the top 20 percent of the Fortune 1000. SIMs collect syslog events, Windows event logs, SNMP traps, firewall logs and other information from all the security devices in the organization, store that information in a common database, analyze it and present it in a format that is easier for security specialists to interpret.
All or part of the intrusion detection and monitoring can be outsourced. For example, the management and monitoring of an IDS sensor can be outsourced for $750 to $1,500 per month. Management and monitoring of the protection devices, such as firewalls, and monitoring of key servers that are designated as critical cyber assets can also be outsourced. Most of the outsourced services allow full visibility of the monitored information so internal resources can be as involved as they need or want to be.
Vendors provide reporting tools for each set of products monitored, such as firewalls and IDS devices. Alternatively, reports are provided as a standard part of MSSP services. Most importantly, reports must provide an uninterrupted audit trail for review by internal and external auditors.
The NERC CIP standards will be in force shortly. The requirements are very similar to best practices found in other industries, but the implementation will need to take into account the critical availability and performance requirements in a DCS or SCADA system. Given the approaching deadline, bulk electric systems will need to find the right mix of products and services to implement an effective and compliant cyber security program in the available timeframe. They also need to keep an eye on the long-term cost implications of these decisions.