Security must be organizational – simply complying will leave you vulnerable.
Chip Scott (Denver office), Justin Lowe (London), and Amanda Levin (Greater New York City) are energy and cyber security experts at PA Consulting Group. Mr. Scott focuses on system integration, and worked previously with Black & Veatch, Enspiria Solutions, and Schlumberger. Mr. Lowe specializes in energy sector cyber issues, with over a decade’s experience in industrial control systems and SCADA security. Ms. Levin is a journalist who worked previously with the Financial Times Group.
Cyber incidents used to be sporadic. Now they're front-page news. Sony Pictures Entertainment, Target, JPMorgan Chase, and Anthem count as just a few of the most recent casualties - now known not just for the products they sell and the services they provide, but also for the data breaches that have damaged their reputations.
For utilities, security has been on the radar for some time now, with baseline standards under development from the early 2000s.
The Energy Policy Act of 2005 created an Electric Reliability Organization (ERO) to develop and enforce mandatory cybersecurity standards. The North American Electric Reliability Corporation (NERC) was designated as the ERO in 2006 and has worked with electric power industry experts to develop the NERC Critical Infrastructure Protection (CIP) standards, which were approved by the Federal Energy Regulatory Commission (FERC) in 2008, making them mandatory for owners and operators of the bulk electric system.
And these standards have been updated since 2008, as threats continue to evolve. The latest set of CIP standards, Version 5, which was approved by FERC in November 2013 with modifications, is set to take effect in April 2016, with the utility industry considering how it will comply with this latest version and even future versions.