The Challenge of Implementing NERC's Cyber Standard
How to develop, implement, and operate a security program.
program areas delineated above falls outside the operations groups typically responsible for critical cyber assets—i.e., transmission, engineering, generation, energy delivery.
Fig. 3 illustrates the security program relationships between functional program areas and organizations within a typical integrated electric utility entity. As an example, the human resource organizations most likely will be involved in the access-control function with regard to the relevant physical and cyber assets. Likewise, most organizations will have a stake in the issues surrounding the information classification and handling function.
The unique organizational relationships also are relevant in terms of the governance requirements for the security program. In this regard, leadership for the security program needs to originate at a level within the organization that has visibility into all relevant organizations and from which responsibility can be committed and delegated accordingly. This approach also will address the need for consistency in the application of policies and procedures across all organizations and functions.
In many cases, these organizational issues are compounded by recent separations of generation and transmission organizations, as well as the sensitivities among the traditional business information systems, engineering, and operation organizations. To ensure an optimized security program, the design, development, implementation, and ongoing operations of the security program require an entity-wide perspective.
Finally, recognizing that the security program reaches beyond the operations organizations of the entity, it may be prudent to address other cyber and physical security and auditing standards [6] in setting the objectives and scope of the security program.
Critical Cyber Asset Identification
Identifying critical assets and critical cyber assets are very important tasks. The standard requires that critical assets be identified using a risk-based assessment methodology, with particular consideration given to a specified list of assets. [7] An appropriate risk-based methodology will need to be developed that quantifies the impact that assets can have on the reliability of the bulk electric system.
Although NERC is interested only in the reliability of the bulk electric system, a load-serving entity may wish to consider including assets that affect the reliability of serving specific critical loads. In any case, identification of critical assets is a key task in the security program implementation process and can significantly affect the scope and maintenance of the ongoing processes. Subsequently, a list of critical cyber assets, i.e., cyber assets essential to the operation of critical assets, can be defined.
The standard requirements are quite extensive. As the list of critical cyber assets grows, the operational implications of the security program can expand exponentially. Accordingly, the identification of critical cyber assets must be controlled to minimize this potential impact. Strategically, the following activities are beneficial:
• Optimize the electronic and physical security perimeters [8] through appropriate design of the underlying network infrastructures; [9] and
• Recognize and understand the impact of employing routable protocol or dial-up communications with cyber assets.
The standard addresses the physical security of critical cyber assets but does not address the physical security of critical assets that do not contain critical cyber assets. However, given that critical assets by definition affect the reliability of the bulk electric system,