by Jim Romeo
On April 16, 2013, a sniper fired a hundred shots at Pacific Gas and Electric’s (PG&E) Metcalf electric power transformer station. The utility was able to reroute power on the grid and avert a blackout. The whole ordeal took nineteen tension-filled minutes.
The event added muscle to the regulatory grip of the North American Electric Reliability Corporation (NERC), a not-for-profit entity whose mission is to ensure the reliability of the bulk power system in North America. A terrorist attack, domestic or otherwise, could bring the state’s power grid down. NERC’s job is to regulate bulk power systems to safeguard against this and many other scenarios. For the bulk power industry, regulation stands to protect, but it poses a challenge to organizations that must stay compliant. NERC develops and enforces reliability standards for the bulk power industry and annually assesses seasonal and long-term reliability.
Entities under NERC’s jurisdiction are the users, owners and operators of the bulk power system. NERC works with all stakeholders to develop standards for power system operation. It monitors and enforces compliance with those standards, assesses resource adequacy, and provides educational and training resources as part of an accreditation program to ensure that power system operators remain qualified and proficient. It also investigates and analyzes the causes of significant power system disturbances, such as the one in San Diego at Metcalf, to help prevent future events. The North American Electric Reliability Corporation Critical Infrastructure Protection (“NERC CIP”) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system.
NERC CIP standards and requirements cover electronic security perimeters and the protection of critical cyber assets, as well as specific requirements for personnel, training, security management and disaster recovery. Companies regulated by NERC CIP must monitor, track and audit equipment and operations to comply with the many-sided set of requirements that NERC imposes.
Today’s business climate is one in which the playing field is often heavily regulated. We see this in the financial services, healthcare, food and drug, automotive, insurance, and consumer products industries. The 2013 Gartner CEO Survey ranked regulatory change as the second overall business risk, one that requires a punishing regimen of regulatory compliance followed by more compliance. Such requirements force business leaders to respond while trying to compete in an environment of limited resources. Without the right tools, controls and robust monitoring in place, regulatory compliance can be burdensome and nearly impossible.
SIEM (security information and event management) platforms, which provide monitoring, tracking and auditing for control, are necessary to meet NERC CIP requirements.
First, SIEM systems aid in the discovery of critical cyber devices and assets and assign a value to their criticality. But identifying an asset is not enough. Each asset’s configuration must be checked for the required security measures, to ensure that those measures are actually in place. A SIEM solution reports on such features and controls and enables management to drive decisions and stay compliant.
NERC CIP also requires that the electronic security perimeter be kept intact by controlling access points and reporting incident alerts, with the results surfaced on a dashboard for monitoring. The SIEM system provides real horsepower here by quantifying the security and risk reduction of the assets within the electronic perimeter and the wider electrical environment. It assigns values to various factors and provides a security posture at a glance. This also covers other stakeholders who may move in and out of the perimeter, such as vendors and other frameworks. Logs and event data are aggregated and reported in logbooks that show the status of all salient information. In addition, the change audit features of a SIEM solution can provide a “way back,” or means of recovery, using change management to diagnose and prevent disaster. Again, a concise dashboard equals broad control.
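The two paragraphs above describe four SIEM functions in the abstract: assigning criticality to discovered assets, verifying that each asset’s required controls are in place, watching the access points of the electronic security perimeter, and auditing configuration changes against a known-good baseline. The script below is an added illustration written for this article, not code from any SIEM product or from NERC; the asset inventory, the configuration snapshots, the access-point log format, the allow list and the scoring weights are all constructed assumptions, and a real deployment would take them from the utility’s own inventory and firewall logs.

```python
"""
Toy NERC CIP-style SIEM checks: asset criticality, control verification,
electronic security perimeter (ESP) access-point monitoring and change audit.
Every inventory entry, configuration value and log line is constructed
for this example; the log format and scoring weights are assumptions.
"""
import re
from collections import Counter

# Assumed weights: how much a missing control on an asset of this
# criticality counts against the overall posture score.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed inventory of cyber assets inside the ESP, each with a
# criticality rating and the controls it is expected to have in place.
INVENTORY = {
    "rtu-01": {"criticality": "high", "controls": ["default_creds_changed", "logging_enabled", "remote_access_restricted"]},
    "hmi-02": {"criticality": "medium", "controls": ["default_creds_changed", "logging_enabled", "patch_level_current"]},
    "eng-ws-03": {"criticality": "low", "controls": ["logging_enabled", "patch_level_current"]},
}

# Constructed configuration snapshots: the approved baseline and what a
# SIEM collector reports after polling the assets today.
BASELINE_CONFIG = {
    "rtu-01": {"default_creds_changed": True, "logging_enabled": True, "remote_access_restricted": True},
    "hmi-02": {"default_creds_changed": True, "logging_enabled": True, "patch_level_current": True},
    "eng-ws-03": {"logging_enabled": True, "patch_level_current": True},
}
CURRENT_CONFIG = {
    "rtu-01": {"default_creds_changed": True, "logging_enabled": True, "remote_access_restricted": False},
    "hmi-02": {"default_creds_changed": True, "logging_enabled": True, "patch_level_current": True},
    "eng-ws-03": {"logging_enabled": False, "patch_level_current": True},
}

# Constructed ESP access-point (firewall) log; the line format is assumed.
ESP_ACCESS_LOG = """\
2013-04-16T01:31:02 esp-fw01 ACCEPT src=10.20.0.15 dst=rtu-01 user=ops-jsmith svc=ssh
2013-04-16T01:31:40 esp-fw01 DENY src=203.0.113.9 dst=rtu-01 user=- svc=ssh
2013-04-16T01:31:41 esp-fw01 DENY src=203.0.113.9 dst=rtu-01 user=- svc=ssh
2013-04-16T01:31:43 esp-fw01 DENY src=203.0.113.9 dst=hmi-02 user=- svc=telnet
2013-04-16T01:32:10 esp-fw01 ACCEPT src=198.51.100.77 dst=hmi-02 user=vendor-acme svc=rdp
"""
ALLOWED_SOURCES = {"10.20.0.15"}  # assumed: hosts authorised to cross the ESP
DENY_THRESHOLD = 3                # assumed: repeated denies that warrant an alert

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) svc=(?P<svc>\S+)$"
)


def parse_log_line(line):
    """Return the fields of one access-point log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_asset_controls(inventory, config):
    """List (asset, control, weight) for every required control not in place."""
    findings = []
    for asset, meta in inventory.items():
        weight = CRITICALITY_WEIGHT[meta["criticality"]]
        for control in meta["controls"]:
            if not config.get(asset, {}).get(control, False):
                findings.append((asset, control, weight))
    return findings


def config_changes(baseline, current):
    """Change audit: controls whose value now differs from the recorded baseline."""
    changes = []
    for asset, base in baseline.items():
        for control, old in base.items():
            new = current.get(asset, {}).get(control)
            if new != old:
                changes.append((asset, control, old, new))
    return changes


def detect_perimeter_events(log_text, allowed_sources, deny_threshold=DENY_THRESHOLD):
    """Alert on accepted sessions from unlisted sources and on repeated denies."""
    alerts = []
    denies = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than crashing the collector
        if rec["action"] == "ACCEPT" and rec["src"] not in allowed_sources:
            alerts.append(("unlisted_source_accepted", rec["src"], rec["dst"], rec["user"]))
        elif rec["action"] == "DENY":
            denies[rec["src"]] += 1
    for src, n in denies.items():
        if n >= deny_threshold:
            alerts.append(("repeated_denies", src, n))
    return alerts


def posture_score(findings, alerts):
    """Dashboard-style number: 100 minus weighted control gaps and alerts."""
    penalty = sum(w for _, _, w in findings) * 10 + len(alerts) * 5
    return max(0, 100 - penalty)


if __name__ == "__main__":
    findings = check_asset_controls(INVENTORY, CURRENT_CONFIG)
    alerts = detect_perimeter_events(ESP_ACCESS_LOG, ALLOWED_SOURCES)
    for item in findings + config_changes(BASELINE_CONFIG, CURRENT_CONFIG) + alerts:
        print(item)
    print("posture score:", posture_score(findings, alerts))
```

Run as a script, it reports the two control gaps (remote access re-enabled on the high-criticality RTU, logging switched off on the engineering workstation), the same two items as baseline deviations from the change audit, an accepted vendor session from a source not on the allow list, and three consecutive denies from one outside address, then rolls them into a single posture number. The point of the separate change audit is the “way back” the article mentions: the baseline snapshot tells an operator what the approved state was, so the deviation can be reverted rather than merely noticed.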
SIEM systems can help organizations meet the oncoming NERC CIP requirements by enabling vulnerable organizations to stay compliant in an industry where nineteen seconds of vulnerability could have disastrous consequences.