Operations personnel at many energy companies feel the pressure of achieving compliance with the North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) standards. Some worry that they are not aware of the problems and security incidents that have occurred within their critical infrastructures. Some know that they do not have the procedures in place to maintain CIP compliance. In many cases, significant system and procedural changes to their operational environment may be required—changes that may be extremely time- and resource-intensive to establish.
What most organizations may not realize is that their IT departments already have a head start on the process through a widely accepted approach to IT service management called the Information Technology Infrastructure Library (ITIL). By using the ITIL framework, companies may be able to achieve and maintain CIP compliance in a much simpler manner than if they did not use any established framework.
With regulatory deadlines looming, the challenge is to recognize synergies between ITIL and CIP and to begin the implementation process.
The NERC CIP standard comprises eight specific standards. These standards are listed, along with a brief description of their purpose, in Table 1. Each standard has a mandatory set of requirements that must be implemented, tracked, and capable of being audited.
The challenge that utilities face in complying with the CIP standards has been documented. The standards define what the requirements are, but not specifically how compliance should be achieved. This leaves utilities to deal with the ambiguity of determining how they can best comply.
To compound the problem, utilities often struggle with organizational difficulties that arise from issues between the operations and IT departments. These challenges can be best addressed with a comprehensive approach to critical assets that is compatible with the systems and processes used throughout the organization for maintaining other IT assets. Additionally, the approach should combine the efforts of the operations and the IT organizations, both of which have a vested interest in protecting the entity’s cyber assets.
The CIP standards require a utility to manage the risks of attacks against its infrastructure and provide continuing service in the face of a successful attack or natural incident. The standards require the establishment and maintenance of a cyber-security posture that reduces the risk of successful attacks within the utility and externally. The standards also require the utility to reduce the adverse effects of a successful attack or natural incident against the utility’s critical assets through business continuity and disaster recovery plans.
• Security Posture. The foundation of the cyber-security posture is the security policies and programs established at the corporate level. The foundation sets the security direction of the company and manifests the buy-in, commitment, and intent of senior management to establish and maintain cyber security. The cyber-security posture is established through the implementation and continual monitoring of the security policies and programs that control access, changes and configuration of critical cyber assets.
The cyber-security posture has processes, procedures, and tools that are both outward facing and inward facing. The aspects that are “outwardly” focused identify and manage the electronic and physical security perimeters of the cyber environment. The components that comprise the perimeters, their configurations, and the processes and tools used to monitor and manage access and respond to threats are established and continuously evaluated for effectiveness.
The aspects that are “inwardly” focused control the cyber assets within the cyber-security perimeter. These ensure that changes to systems will not affect reliability. This also ensures that security patches are up to date and that backup and recovery mechanisms are in place to provide business/system continuity.
• Business Continuity/Disaster Recovery. The reliability of the electrical system depends upon the ability of a utility to respond to incidents that affect its critical assets. Business continuity and disaster-recovery plans ensure the continuance of electrical service once a security incident, or natural disaster, occurs. The objectives (i.e., levels of service and recovery time frames) of business continuity and disaster recovery are established in the corporate policies of the utility. The processes, procedures, and tools for implementing disaster recovery and business continuity are embodied in specific plans. All critical infrastructure assets and configurations are included and prioritized in these plans, which must be continually updated to keep in step with changes that occur in the production environment. The plans must be tested on an ongoing basis to ensure their viability and to discover/resolve issues and problems that arise during execution.
A comprehensive best-practice methodology can fill the specific requirements of CIP 002-009 by providing the framework for managing security and reliability risks. A striking alignment is evident by looking at a side-by-side comparison in Table 2 of the high-level CIP requirements with the ITIL IT service-management best-practices areas.
The alignment becomes more pronounced when comparing some of the specific CIP requirements to ITIL. For example, compare CIP-005 electronic perimeter security to the ITIL asset management and configuration management, which provides the framework to define and document the critical cyber assets and configuration of those assets to form the electronic perimeter.
ITIL service support covers one functional area (the service desk function) and five processes (Incident-, Problem-, Change-, Configuration- and Release Management). As a whole, ITIL service support works to minimize any IT service disruptions to business operations. In effect, it works to restore IT services efficiently in the event of a service disruption; permanently remove any causes to service disruption; ensure the efficient supply of IT services; identify, control, maintain, and verify configuration items (CIs) within the organization; and manage all technical and non-technical aspects of the IT service.
Similar to ITIL service support, the ITIL service-delivery area covers five management processes including service level, capacity, availability, IT service continuity, and financial. Overall, these processes manage and maintain the quality of IT services, ensuring that all IT services and capabilities, and performance and capacity requirements operate at effective, cost-efficient levels. Service delivery also plans and accommodates for disaster recovery and prevention.
By implementing the ITIL framework, utilities fulfill the CIP 002-009 cyber-security requirements. However, the problem for the utilities still remains: How do we get from where we are today to where we want to be tomorrow (i.e., fully and auditably compliant)? To move “from here to there” a utility must implement three key components: a structured approach, a security assurance framework, and a road map to compliance.
The structured approach will help organize the CIP compliance initiatives into a project that implements project-management principles and uses assessment and planning methodologies. The best way to incorporate these aspects is to include standardized phases, tasks, and deliverables to manage and maintain the structure.
Once the structure is in place, the security assurance framework evaluates the organization’s compliance to the NERC CIP standards. The framework’s processes, procedures, and practices define how ITIL will carry out the day-to-day business operations. Technology and tools facilitate the automated execution of processes, procedures, and practices.
Finally, by developing a road map to compliance, organizations can track project initiatives, estimated timelines, resources, and costs to achieve the end state of full compliance. The road map should provide logical steps to implementing CIP compliance through ITIL. The steps should be sequenced to accomplish the most critical and important tasks and then align them with the CIP implementation schedules.
Over the next few years, achieving and maintaining CIP compliance will be challenging for utilities. However, they can leverage industry best practices, such as ITIL service management, as the framework for compliance. Best of all, their IT departments already may be using these best practices and tools. By planning ahead, implementing a structured approach such as ITIL, and establishing a collaborative effort between the IT and operations organizations, utilities will succeed in achieving compliance, and in the process will establish a long-lasting approach to managing their critical assets.