As noted from my previous blog, cyber vulnerabilities can impact a utility’s most important and expensive assets. Yet since the advent of the NERC CIPs, it appears that “compliance engineering” is making security a “check-the-box” approach rather than actual securing assets. It is analogous to elementary school teachers “teaching to the test” not teaching to learn.
I am working with an investor-owned utility that as far as I know is the only one whose Board of Directors’ feels it is more important to be secure than compliant. As part of that effort, I have been reviewing and modifying their Corporate IT, Physical Security, Business Continuity, and NERC CIP policies to address control system cyber security. This is not a NERC Compliance effort, but a control system security effort. Therefore, the approach does not require any formal audit which is allowing the utility to self-determine the level of documentation necessary to provide engineering due diligence. This approach also allows the utility to have the same level of documentation for cyber as for the rest of their control system requirements.
This first-of-a-kind effort defined the following terms
- “Mission Critical” – what is necessary to meet the utility’s mission of generating and providing electricity and possibly water and/or gas to its customers
- “Mission Critical Assets” – what systems, devices, and networks are needed to meet Mission Critical functions
The approach to develop these new policies was to answer the following questions:
- What assets are mission critical
- What mission critical assets have systems, devices, and networks installed that can be cyber vulnerable
- How does the utility establish and maintain a program to secure these assets
- How does the utility train people to secure and securely use these assets
- How does the utility monitor the security of these assets
- How does the utility physically secure these assets
- How does the utility document changes to these critical assets
- How does the utility document incidents and maintain business continuity
The benefits of this first-of-kind policy effort include:
- addressing all assets that are critical for the utility to perform its mission
- addressing actual control system cyber incidents to maximize system reliability
- addressing all types of control system cyber vulnerabilities to maximize system reliability
- providing an engineering due diligence basis that will meet NERC CIP, NIST, etc.
Given the potential risk and liability, this is the type of approach I would encourage other utilities to consider. I applaud this utility’s Board of Directors for doing what I believe is the right thing for the utility, its customers, the bulk electric grid, and the greater community.
Joe Weiss
