Cyber security and critical infrastructure protection – Managing for success

To say that utilities are meeting the challenges of a difficult age is probably the understatement of the decade.

One need only look at the comments of Rick Sergel, president and CEO of the North American Electric Reliability Corporation (NERC), to the state regulators at the National Association of Regulatory Utility Commissioners (NARUC) summer meetings on July 20, where he outlined the various measures being taken to increase the cyber and physical asset security of the North American power system.

Of note to utilities with Microsoft solutions in place, we believe our technologies will help address many of the very specific requirements that NERC is laying out. In particular, Sergel mentioned the following two critical infrastructure protection requirements:

CIP-003: Security Management Controls essentially requires entities to document a cyber security policy, review it annually, and make it accessible to appropriate staff, but appropriate staff only. It also requires each entity to document exceptions to the policy, review it annually, and closely control access to the plan. As one additional matter of course, the standard requires each entity to identify a cyber security contact within their organization and provide this information to NERC or their Regional Entity.

CIP-007: Systems Security Management essentially gives some basic requirements about IT maintenance, like installing anti-virus systems, downloading security patches, and securing unused access points (or ports) to critical cyber equipment. It also contains some requirements for logging user access, managing permissions and administrator privileges. Perhaps most importantly, it requires entities to assess cyber vulnerabilities annually and to document this assessment.

We will be writing more about meeting NERC reliability standards in the future, but for now you might look at the following discussions about NERC:

Several Microsoft partners sponsored the recent EUCI conference on NERC

Warren Causey wrote a Whitepaper on Microsoft’s role in complying with NERC standards

Using familiar Microsoft tools to reduce the complexity of compliance

2007 Office System Document: Compliance Features in the 2007 Microsoft Office System

Microsoft solutions for regulatory compliance

Of particular interest is the Energy Central Webcast entitled “Are you prepared for your next NERC/RRO Audit”. In the Webcast, Warren Causey of Energy Central, Steve Rossi of Flexnova, Andre Chon of AUS Consulting and Pat vanMidde of San Diego Gas & Electric discuss the internal processes, procedures and documentation responsibilities of NERC compliance, as well as solutions for preventing NERC compliance activities from turning into a document management nightmare!