By Dr. Jim Kennedy, MRP, MBCI, CHS-III, CBRM
On October 19, 2006, the Federal Energy Regulatory Commission (FERC) approved its Notice of Proposed Rulemaking (NOPR) on Reliability Standards. In a unanimous vote, the five Commissioners elected to adopt the Security and Reliability Standards proposed by the North American Electric Reliability Council (NERC), which FERC certified as the US’s single Electric Reliability Organization (ERO) in July. The new mandatory Reliability Standards will be codified in FERC’s regulations and will be enforceable against all users, owners and operators of the bulk-power system.
All power utilities will now be required to adhere to the regulations set forth by NERC. As part of these regulations NERC has established the Critical Infrastructure Protection (CIP) 002 – 009 standards passed in May 2006 and which became effective June 1, 2006, with initial compliance auditing starting in late 2007. NERC CIP spells out an auditable guide covering a variety of areas related to cyber security. These standards specify the implementation of a holistic security approach to protect the bulk electric systems in North America. Energy companies and utilities across the US must move quickly towards compliance to the CIP 002 – 009 standards. The challenge is that most of these companies do not have the necessary policies and procedures in place to adequately meet compliance to these new regulation requirements.
What the energy companies and utilities may not be aware of is that there is an international standard in existence which will provide the necessary controls to achieve the CIP compliance requirements. The ISO/IEC 17799:2005 standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined within the standard provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
* security policy;
* organization of information security;
* asset management;
* human resources security;
* physical and environmental security;
* communications and operations management;
* access control;
* information systems acquisition, development and maintenance;
* information security incident management;
* business continuity management; and
In contrast the NERC CIP standards are comprised of eight specific standards each of which is mandatory for electric power and utility companies and must be completed within very specific timeframes over a predefined multi-year implementation schedule. Those eight standards are:
* CIP-002-1 Cyber Asset Identification
* CIP-003-1 Security Management Controls
* CIP-004-1 Personnel & Training
* CIP-005-1 Electronic Security Perimeters
* CIP-006-1 Physical Security
* CIP-007-1 System Security Management
* CIP-008-1 Incident Reporting and Response
* CIP-009-1 Recovery Plan for Critical Cyber Assets
The purpose of the NERC CIP standards is to ensure that all of the affected electric utilities which are responsible for the consistent and continued reliability of the US’ electrical grid are properly protecting their critical cyber assets. As with most standards, the NERC CIP standard establishes the minimum requirements necessary to protect those critical cyber assets along with the exchange of any information.
However, the NERC CIP standard only defines the requirements, timeframes for compliance, the steps and procedures for compliance without actually defining and effective way to comply with the standard. This simply leaves the electric utilities to their own devices to address the challenge of compliance.
How then to address compliance?
There are many different security standards and tools to create a security baseline for electric utilities and to establish metrics to measure compliance. None which this author has found to be better than ISO/IEC 17799:2005 to most clearly define the effective security areas and controls necessary to meet most regulatory compliance and most specifically the NERC CIP standards.
Diagram– a mapping of the ISO 17799:2005 control areas with the NERC CIP standards 002 – 009. CLICK HERE TO SEE A LARGER VERSION
Choosing an information security framework of controls is absolutely necessary in order to achieving compliance with CIP. Many organizations in the electric industry feel the international security standard (ISO/IEC 17799:2005) is the framework ‘closest’ to which the NERC CIP standards align. As a result many of the major utilities are planning on using ISO 17799:2005 as a foundation for their NERC CIP compliance efforts.
By using an internationally recognized information security policy framework as a baseline, electric utilities can better prioritize many of the NERC CIP requirements. A policy framework will provide the basis for developing missing policy and procedures, and also helps to develop and implement the requirements for security monitoring that may be necessary to secure the electronic security perimeters. If the electric utility is required to comply with other federal regulatory mandates, a policy framework such as ISO 17799:2005 will enable the utility to standardize its security needs across multiple regulations and use one set of policy documents to fulfill multiple regulatory requirements.
How to use the ISO standard
The most critical of all of the NERC CIP standards is CIP 002-1 as it sets the foundation for all of the other efforts. This standard is the identification and documentation of the ‘critical cyber assets’ within the electric utility. This should be carried out with great detail as it is most important to understand what is being protected before a security program can be developed.
Next as each of the CIP standards are reviewed the implementation team needs to review the ISO standard to create the necessary controls needed for the adherence to the CIP standard. Through the use of the ISO 17799:2005 controls utilities can address a majority of the CIP 002 – 009 cyber security requirements. Implementing a structured approach which addresses each CIP standard in detail will help to organize the various compliance initiatives by making sure that the assessment and planning activities align with the CIP compliance time frames.
The utilization of the ISO standard elements as a framework will allow the electric utility to organize its policies, procedures and processes along those lines. It also provides a mechanism to ensure that each NERC CIP requirement is properly addressed utilizing the ISO controls by identifying gaps in the utility’s current security posture and aligning the CIP requirements with the appropriate ISO 17799 controls.
In all of the standards CIP 002-1 through CIP 009-1 there are documentation and reporting standards which must be met. These must be adhered to and policies developed to ensure that all records and timeframes for developing those records and reports for NERC are strictly adhered to. This is outside the scope of the ISO standard but is also an important element of compliance.
Lastly, the development of a schedule or ‘road map’ for compliance allows the electric utility to establish initiatives, create timelines, identify needed resources, and develop an estimated cost of meeting the NERC CIP compliance schedule for their particular class of electric organization.
In order to meet the very aggressive NERC CIP compliance timeframes will be a significant challenge. However, by utilizing a proven and internationally recognized standard, by thoroughly planning out their approach and utilizing engineering, operations and IT personnel on the teams to provide the compliance efforts the electric companies will be able to successfully achieve NERC CIP compliance.
Dr. Jim Kennedy is the Business Continuity Services Practice Lead and a principal consultant with Alcatel-Lucent. Dr. Kennedy has over 25 years experience in the business continuity, disaster recovery, and information security fields and holds numerous Master level certifications in network engineering, information security and business continuity. He has developed more than 30 recovery plans, planned or participated in more than 100 business continuity and disaster recovery tests, helped to coordinate three actual recovery operations, authored many technical articles on business continuity and disaster recovery and is a co-author for two books, the ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of the e-Book entitled: ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic.’ firstname.lastname@example.org
•Date: 28th June 2007• Region: US •Type: Article •Topic: ISM
Rate this article or make a comment - click here