Cybersecurity: NERC CIP protects control centers
October 22, 2018
October 22, 2018
As recent research shows, the good news is that cyber defenses continue to improve. The bad news is that cyber threats continue to advance as well. To that end, the North American Electric Reliability Corporation (NERC) has issued a critical infrastructure protection (CIP) standard in draft form that requires utilities to devise cybersecurity protections for control center communications. It is important to get ahead of all NERC CIP requirements. In particular, achieving CIP-012-1 compliance is important for utilities seeking to protect their control centers. Three specific forward-looking actions can help.
CIP-012-1 compliance requires responsible entities to meet a mix of technical and people-centered requirements. Technical stipulations include the identification of the utility’s control centers, their respective data centers, all real-time data links between control centers, all demarcation points, the security controls employed to protect data, and critical roles and responsibilities. Utilities also need to identify the personnel required for ongoing management and process governance for CIP-012-1. Key positions include the ongoing management of affected operating technology and information technology (OT/IT) support staffs, especially the network engineers and data engineers, developers, administrators, as well as communications and data link support personnel.
CIP-012-1, which covers communications between in-scope industry control centers, applies to all impact levels, whether high, medium or low. To help responsible entities correctly identify facilities where CIP-012-1 requirements apply, NERC is proposing a new glossary definition of the term “control centers.” While the NERC CIP glossary will define a control center, the actual perceived limiting factors regarding what it includes or omits could lead to competing definitions. Three ways to overcome these and other CIP-012-1 compliance challenges involve understanding the scope of the plan, choosing the right partners, and making several production changes.
As any track star knows, a good start can provide the momentum to win at the finish line. Utilities can successfully achieve CIP-012-1 compliance if they:
About the Authors