CIP Compliance: Reducing Your Risk
How utilities can navigate critical infrastructure protection requirements.
security policies and programs that control access, changes and configuration of critical cyber assets.
The cyber-security posture has processes, procedures, and tools that are both outward facing and inward facing. The aspects that are “outwardly” focused identify and manage the electronic and physical security perimeters of the cyber environment. The components that comprise the perimeters, their configurations, and the processes and tools used to monitor and manage access and respond to threats are established and continuously evaluated for effectiveness.
The aspects that are “inwardly” focused control the cyber assets within the cyber-security perimeter. These ensure that changes to systems will not affect reliability. This also ensures that security patches are up to date and that backup and recovery mechanisms are in place to provide business/system continuity.
• Business Continuity/Disaster Recovery. The reliability of the electrical system depends upon the ability of a utility to respond to incidents that affect its critical assets. Business continuity and disaster-recovery plans ensure the continuance of electrical service once a security incident or natural disaster occurs. The objectives (i.e., levels of service and recovery time frames) of business continuity and disaster recovery are established in the corporate policies of the utility. The processes, procedures, and tools for implementing disaster recovery and business continuity are embodied in specific plans. All critical infrastructure assets and configurations are included and prioritized in these plans, which must be continually updated to keep in step with changes that occur in the production environment. The plans must be tested on an ongoing basis to ensure their viability and to discover and resolve issues and problems that arise during execution.
CIP & ITIL Similarities
A comprehensive best-practice methodology can fulfill the specific requirements of CIP-002 through CIP-009 by providing the framework for managing security and reliability risks. A striking alignment is evident from the side-by-side comparison in Table 2 of the high-level CIP requirements with the ITIL IT service-management best-practice areas.
The alignment becomes more pronounced when specific CIP requirements are compared to ITIL. For example, compare CIP-005 (electronic security perimeter) with ITIL asset management and configuration management, which provide the framework to define and document the critical cyber assets, and the configuration of those assets, that form the electronic security perimeter.
How It Works
ITIL service support covers one functional area (the service desk function) and five processes (Incident, Problem, Change, Configuration and Release Management). As a whole, ITIL service support works to minimize IT service disruptions to business operations. In effect, it works to restore IT services efficiently in the event of a service disruption; permanently remove the causes of service disruption; ensure the efficient supply of IT services; identify, control, maintain, and verify configuration items (CIs) within the organization; and manage all technical and non-technical aspects of the IT service.
Similar to ITIL service support, the ITIL service-delivery area covers five management processes including service level, capacity, availability, IT service continuity, and financial. Overall, these processes manage and maintain the quality of IT services, ensuring that all IT services and capabilities, and performance and capacity requirements operate at