NERC-CIP Requirements Show Cybersecurity's Future

The Electric Power Industry Leads the Way in Developing Standards for Protecting Critical Infrastructure


By Jim Montague, Executive Editor

Cybersecurity is no longer a stranger. It's just another pillar of operational excellence at Invensys Operations Management, much like its well-known "environment and safety," "people," "asset" and "control" cornerstones. And so, wisely making cybersecurity familiar and approachable may be exactly what's needed to take it on and get it done.

Michael Martinez, principal consultant for critical infrastructure and security at Invensys, reports there are several primary drivers for cybersecurity in control systems. "Control networks are no longer islands, and they're using commercial off-the-shelf technologies (COTs). However, this also makes them subject to the same vulnerabilities as COTs, such as the cyber-attacks and viruses like Stuxnet that are such big news," explained Martinez.

"Consequently, corporate and regulatory compliance standards like NERC-CIP have been developed for the electricity generating industry, and other industries are following this lead and developing similar standards." Basically, the North American Reliability Corp. ( and its Critical Infrastructure Protection (CIP) program are requiring bulk electricity producers to draft and implement security policies for their facilities that comply with its NERC-CIP standards.

Martinez presented "NERC-CIP Compliance—Roadmap, Justification and Methodology for Impacted Industries" this week at the Invensys OpsManage'11 conference in Nashville, Tenn.

To make the leap to more standards-compliant control technologies and systems, Salt River Project's (SRP) Navajo Generating Station (NGS) in Page, Ariz., has been migrating from Nodebus to Mesh networking, replacing Sun's operating system (OS) with a Windows OS, and adding FoxNET devices for a secondary network. Also, its control systems are implementing Ethernet switches and Active Directory capabilities.

Martinez added that SRP and NGS's recipe for security began with identifying all its critical assets and their individual vulnerabilities and implementing indicated security devices, services and a layered infrastructure needed to protect them. The team found and documented about 3,000 applicable assets.

However, this first part of updating technology was the easy part because NGS next had to do a performance baseline, make sure it designed its security system and roadmap so they can be rolled into NERC-CIP compliance, and address any new vulnerabilities. For example, NERC-CIP says to define an electronic perimeter and gateway and decide what goes on either side. So, even though the plant recently put firewalls around its corporate network, in late 2010, it also put a second set of firewalls around its control network. "This was done so NGS would have defense-in-depth or multiple layers of security," Martinez explained, "so the plant-level could only push data out to the business side but not accept any coming back in."

Martinez reported the added firewalls also centralized the power plant's anti-virus management and back-up capabilities, improved network monitoring and established a remote access/jump server with role-based user authentication. "We've been working with SRP for many years, so we also helped combine their best practices and deploy them in a NERC-CIP-compliant program," said Martinez.

Besides the extra firewalls, NGS's security team has also added a second maintenance network built on secondary network cards in its PCs, which is another CERC-CIP requirement. Consequently, while the original card performs its regular control operations on the plant's dedicated Invensys Foxboro I/A DCS, the second card does back-up, maintenance, patch deployments and other tasks. This second maintenance network touches all the same points as the process control network at NGS's three generating units, SO2 scrubbers, lake pumps and workstations. Also, the teams added new physical and electronic access controls and password management for logging onto specific cyber-related assets. For example, future plans call or control room access restrictions. Mechanical maintenance staff will no longer be allowed into the control room, but will have to go to a clearance office to have clearances issued.

"The advantage of having the second network for maintenance is that any probes or viruses will only be able to reach the maintenance network, but not the controls network," explained Martinez. "Likewise, the jump server only runs as a virtual device, so while its presentation is similar to logging onto the former plant-floor workstations, it's connected to the control network via one firewall-protected, view-only window, and doesn't have direct access any critical assets. Also, while one set of credentials is needed to log onto SRP's corporate network, a second set is needed to log onto the jump server."

Similarly, another service from Invensys to help users of all sizes with their process security efforts is its Critical Infrastructure Security Practice (CISP). Started in 2002, the CISP team and its director, Doug Clifton, focus on pure consulting about the whole portfolio of cybersecurity requirements. The practice has assisted hundreds of customers worldwide. The team's typical operating procedure is to first assess a user's process application and facility, develop a security gap analysis, use the results to install an improved network design, help execute firewalls and other recommended strategies, and implement a jump server system, if needed.

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments