State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
The Challenge of Implementing NERC's Cyber Standard
How to develop, implement, and operate a security program.
it is recommended that each entity evaluate the need to protect, from a physical security perspective, those critical assets that fall into this category.
In developing a security program work plan, technical solutions (hardware and software) that sustain the program's compliance with the standard may also be needed. Typical considerations follow:
• Managing configuration control of the assets through an appropriate change control process may require new information support systems;
• New requirements for access control and authentication across application systems, servers, routers, firewalls, and physical facilities can be difficult and expensive to manage, and may require new user management and provisioning solutions to maintain compliance efficiently; and
• Document control is an integral component of managing security-related documents and may require new systems.
One of the first steps in moving forward with the implementation of a NERC-compliant security program is to conduct a gap analysis inclusive of the following tasks:
• Identify the critical assets, critical cyber assets, the electronic security perimeter, and the physical security perimeter;
• Conduct a security vulnerability assessment of the network infrastructures included within the physical security perimeter and the electronic security perimeter, covering both the cyber and physical security provisions. (Note: If the logical network infrastructure design contains critical vulnerabilities, or the physical security measures are ineffective, policies and procedures that are compliant with the standard will still not ensure that the critical cyber assets are secure; compliance on paper is not the same as a secure perimeter.);
• Understand and document the gaps between the existing policies and procedures and the requirements of the security standard; and
• Use the results of the gap analysis as the basis for a detailed work plan to implement a NERC-compliant security program.
Level of Effort
The level of effort required to develop and implement a NERC-compliant security program can vary significantly by organization and depends on a number of factors, including the:
• Functional responsibility of the entity;
• Size and complexity of the entity’s organization;
• Number of critical assets and critical cyber assets within the organization;
• Experience of the implementation team (internal and consultants);
• Current level of compliance of the existing policies and procedures; and
• Current cyber and physical security of the network infrastructures that protect the critical cyber assets.
Taking these factors into account, a typical entity can expect a level of effort of roughly 30 to 60 man-months, excluding any need for advanced technical solutions or enhanced information support systems. The resulting work schedule for a typical implementation plan ranges from 12 to 18 months.
These types of projects, driven by mandatory standards, typically are viewed as a necessary expense. However, recognizing that the reliability of the bulk electric system is a critical success factor for most entities, and that the focus of the standard is increased reliability of these assets, significant operational benefits can be achieved through a well-designed security program. As succinctly stated in a recent publication, “an improvement in the overall resiliency