State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
The Challenge of Implementing NERC's Cyber Standard
How to develop, implement, and operate a security program.
In May 2, 2006, the North American Electric Reliability Council (NERC) board of trustees adopted the Critical Infrastructure Protection (CIP) Cyber Security Standard. The comprehensive standard—which addresses asset identification, security management controls, personnel and training, perimeter security, systems security, incident reporting and response planning, and recovery plans—is intended to “ensure that all entities responsible 1 for the reliability of the bulk electric systems 2 in North America identify and protect critical cyber assets 3 that control or could impact the reliability of the bulk electric systems.”
On July 20, 2006, the Federal Energy Regulatory Commission (FERC) certified NERC as the Electric Reliability Organization (ERO) charged with the responsibility to develop and enforce bulk-power system 4 reliability standards. The forthcoming mandatory enforcement provisions of the standard raise a number of burning questions for electric utilities:
• How much of an effort will it take in terms of cost and time to develop, implement, and sustain a compliant security program?
• How do the provisions of the standard relate to existing security programs?
• What additional processes, procedures, policies, organizational resources, and additional information support infrastructures (software or hardware) will be required?
• Other than complying with the standard, are there any real benefits that can be realized with implementation of the standard?
• To what type of issues will implementation of the standards give rise?
This article provides some answers to these questions in the form of security program development, implementation, and operation.
While the standard is designed specifically to protect only the critical cyber assets, the implications of the requirements reach far beyond the boundaries of the defined critical cyber assets from a cyber, physical, and managerial perspective. As illustrated in Fig. 1, the standard includes eight major topics and 41 specific requirements. As can be observed, the standard complements the premise that security is more than just technical solutions and procedures: It addresses processes, policies, physical security, and management issues.
Security Program Development Strategy
Fifteen different functional program areas, illustrated in Fig. 2, have been identified 5 as relevant to the implementation of a responsive and comprehensive standard-compliant security program. The critical factor within the functional program area definitions is the development of specific interrelationships between the functional program areas that are consistent with the operational characteristics of the entity. This functional program model provides the framework for an organized and logical approach to develop the required policies, procedures, documentation, and subsequent training and security awareness program curriculums. In addition, technical requirements, including supporting software tools such as document control systems, identity management strategies, and network management tools, can be developed in a controlled and consistent manner through this framework. Last, a viable program implementation work plan can be developed from the functional program area perspective.
Multiple organizations will need to be involved in the development of the security program. The responsibility for many of the functional