As recent research shows, the good news is that cyber defenses continue to improve. The bad news is that cyber threats continue to advance as well. To that end, the North American Electric Reliability Corporation (NERC) has issued a critical infrastructure protection (CIP) standard in draft form that requires utilities to devise cybersecurity protections for control center communications. It is important to get ahead of all NERC CIP requirements. In particular, achieving CIP-012-1 compliance is important for utilities seeking to protect their control centers. Three specific forward-looking actions can help.
Understanding the impact
CIP-012-1 compliance requires responsible entities to meet a mix of technical and people-centered requirements. Technical stipulations include the identification of the utility’s control centers, their respective data centers, all real-time data links between control centers, all demarcation points, the security controls employed to protect data, and critical roles and responsibilities. Utilities also need to identify the personnel required for ongoing management and process governance for CIP-012-1. Key positions include the ongoing management of affected operating technology and information technology (OT/IT) support staffs, especially the network engineers and data engineers, developers, administrators, as well as communications and data link support personnel.
Addressing potential challenges
CIP-012-1, which covers communications between in-scope industry control centers, applies to all impact levels, whether high, medium or low. To help responsible entities correctly identify facilities where CIP-012-1 requirements apply, NERC is proposing a new glossary definition of the term “control centers.” While the NERC CIP glossary will define a control center, the actual perceived limiting factors regarding what it includes or omits could lead to competing definitions. Three ways to overcome these and other CIP-012-1 compliance challenges involve understanding the scope of the plan, choosing the right partners, and making several production changes.
As any track star knows, a good start can provide the momentum to win at the finish line. Utilities can successfully achieve CIP-012-1 compliance if they:
- Develop a strategy: take a comprehensive approach to the strategy so that it considers a responsible entity’s strengths and weaknesses.
- Mobilize the CIP-012-1 team: assemble and empower the team and work to ensure the sustainability of the program from the outset.
- Plan for sustainability from the start: design appropriate controls, redesign circuit provisioning processes in alignment with change control processes, and standardize all evidence-gathering processes and tooling while orchestrating and converting them to appropriate formats.