Ensuring Critical Infrastructure Security with Cyber Best Practices
Critical infrastructure facilities face a wide range of ever-evolving cyber security threats. In addition, these companies must meet the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards to reduce compliance risk.
Delta Risk understands the unique challenges facing organizations that support and operate Industry Control Systems (ICS) and IT networks associated with critical infrastructure. We have expert staff to provide cyber security services to evaluate, advise, and assist critical infrastructure industries on these distinct issues.
Our team has the technical and operational experience to effectively help you with your cyber security needs. We offer a variety of cyber security services, including developing your information security program, managing your technical security needs, creating and managing cyber exercises, and responding to a breach, if necessary.
Get a Detailed Analysis of Your Cyber Security Program
Cyber exercises, pen testing, and vulnerability assessments are integral for protecting your organization and meeting compliance requirements. Our services enable your organization to test your workforce using simulated scenarios to ensure that your cyber security processes and policies will work effectively in case of emergency. We can also help identify critical assets that need to be secured, and develop an incident management plan to help you remediate and respond to an incident quickly. We also offer penetration testing services.
When it comes to protecting critical assets, the margin of error is thin. Our Security Operations Center (SOC) as a service (SOCaaS) can monitor your traditional IP-based networks, cloud applications and infrastructure, and endpoints, allowing you to focus your resources on NERC CIP compliance and your business instead of security.
Depending on your incident response requirements under NERC CIP, you’ll need a trusted, reliable partner to coach you through a cyber security incident. Delta Risk offers the expertise you need.
Cyber Threats to the Grid
The days are gone when companies serving our critical infrastructure could rely on a strategy of security through obscurity. Now, cyber criminals bent on achieving their malicious goals will target the lowest hanging fruit—those entities with the weakest defenses. To combat this weakness, standards like the NERC – CIP and industry cyber best practices have been put in place.
Even with these baseline guarantees, it is a matter of when—not if—a serious cyber-attack will affect a major part of our critical infrastructure. In December 2015, a cyber-attack caused 225,000 citizens in Ukraine to lose power, making it the first ever reported cyber action that had physical consequences for the grid. In 2013, Iranian hackers infiltrated the networks of a small dam outside of New York City, demonstrating the vulnerability of the U.S. grid. Many are now aware of the successful operation known as stuxnet, which consisted of a computer virus that destroyed or disabled large numbers of uranium-enriching centrifuges integral to Iran’s nuclear program.
This category of critical infrastructure includes those companies that have large customer bases whose systems are generally controlled by Supervisory Control and Data Acquisition systems (SCADA), Distributed Control Systems (DCS), or ICS. They include industries like the communications sector, the energy sector, and manufacturing sector, to name a few.
Cyber Compliance Requirements for Critical Infrastructure
Because maintaining the operation of many of these industries is crucial to the security of our nation, the U.S. Government enacted several laws to mandate the strengthening of their defenses. The authority for such regulations comes from the Energy Policy Act of 2005. Under that act, NERC develops cyber security standards, and the Federal Energy Regulatory Commission (FERC) reviews and approves them.
The FERC is the federal entity responsible for standardizing grid connectivity over the three distinct grids (the Eastern, Western, and Texas sections) that service all of the US and parts of Mexico and Canada. The NERC is a collection of industry experts, regional entities, and federal and state government representatives.
NERC/FERC implement the cyber security requirements in several continually updated critical infrastructure protection (CIP) standards. These standards cover multiple issues including; identifying critical assets, training personnel, reporting and responding to incidents, and developing programs and recovery plans. NERC has the authority to audit companies subject to its jurisdiction. It can also issue fines up to $1 million per violation per day.
Other federal agencies that have jurisdiction over the cyber security of critical infrastructure include:
- The Department of Energy (DOE)
- The Department of Homeland Security (DHS)
- The National Institute of Standards and Technology (NIST)
The protection of critical infrastructure is a complex and dynamic field. For related information see our related content below: