Ensuring Grid Continuity with Cyber Best Practices
Critical infrastructure facilities face threats that are constantly and rapidly changing. Companies must meet the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards to reduce compliance risk.
Delta Risk understands the unique challenges facing organizations that support and operate Industry Control Systems (ICS) and IT networks associated with critical infrastructure. We have specialized staff to provide tailored cyber security services to evaluate, advise, and assist critical infrastructure industries on these distinct issues.
Our team has the technical and operational experience to effectively assist these organizations with their cyber security needs. We offer a variety of cyber security services including developing your information security program, managing your technical security needs, and responding to a breach, if necessary.
Gain a Detailed Analysis of Your Cyber Security Program
Training is integral for meeting NERC CIP compliance requirements. Our dedicated training services enable your organization to keep your workforce up to speed on the latest cyber security policies. We can also help identify critical assets that need to be secured and develop an incident management plan to help you remediate and respond to an incident quickly.
Efficiently and Effectively Manage Your Security Needs
When it comes to protecting critical assets under BES, the margin of error is thin. ActiveEye managed services and professional services can help manage and monitor your traditional IP-based networks, allowing you to focus your resources on NERC CIP compliance.
Protect Your Network From Attackers
Depending on your incident response requirements under NERC CIP, you’ll need an active and reliable partner to coach you through a cyber security incident.
Cyber Threats to the Grid
The days are gone when companies serving our critical infrastructure could rely on a strategy of security through obscurity. Now, cyber criminals bent on achieving their malicious goals will target the lowest hanging fruit—those entities with the weakest defenses. To combat this weakness, standards like the NERC – CIP and industry cyber best practices have been put in place.
Even with these baseline guarantees, it is a matter of when—not if—a serious cyber-attack will affect a major part of our critical infrastructure. In December 2015, a cyber-attack caused 225,000 citizens in Ukraine to lose power, making it the first ever reported cyber action that had physical consequences for the grid. In 2013, Iranian hackers infiltrated the networks of a small dam outside of New York City, demonstrating the vulnerability of the U.S. grid. Many are now aware of the successful operation known as stuxnet, which consisted of a computer virus that destroyed or disabled large numbers of uranium-enriching centrifuges integral to Iran’s nuclear program.
This category of critical infrastructure includes those companies that have large customer bases whose systems are generally controlled by Supervisory Control and Data Acquisition systems (SCADA), Distributed Control Systems (DCS), or ICS. They include industries like the communications sector, the energy sector, and manufacturing sector, to name a few.
Cyber Compliance Requirements for Critical Infrastructure
Because maintaining the operation of many of these industries is crucial to the security of our nation, the U.S. Government enacted several laws to mandate the strengthening of their defenses. The authority for such regulations comes from the Energy Policy Act of 2005. Under that act, NERC develops cyber security standards, and the Federal Energy Regulatory Commission (FERC) reviews and approves them.
The FERC is the federal entity responsible for standardizing grid connectivity over the three distinct grids (the Eastern, Western, and Texas sections) that service all of the US and parts of Mexico and Canada. The NERC is a collection of industry experts, regional entities, and federal and state government representatives.
NERC/FERC implement the cyber security requirements in several continually updated critical infrastructure protection (CIP) standards. These standards cover multiple issues including; identifying critical assets, training personnel, reporting and responding to incidents, and developing programs and recovery plans. The most recent version of the CIP standards is version 5, approved in 2013. Under this regulation, NERC has the authority to audit companies subject to its jurisdiction. It can also issue fines up to $1 million per violation per day.
Other federal agencies that have jurisdiction over the cyber security of critical infrastructure include:
- The Department of Energy (DOE)
- The Department of Homeland Security (DHS)
- The National Institute of Standards and Technology (NIST)
The protection of critical infrastructure is a complex and dynamic field. For further information on this area of cybersecurity, please see our related content below: