ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).


Hardening the Electronic Security Perimeter in the Power Generation Industry

This post was authored by Ellen Fussell Policastro.

The power industry has a white elephant in the room: the NERC CIP regulatory requirements that apply to fossil and hydro generation, transmission, and distribution within the U.S. and North America in general. So says Bryan Singer of Kenexis Security Corp., who gleaned input from power industry gurus at an ISA POWID Symposium.

Since early compliance with the regulatory requirements has historically favored the transmission and distribution side, and since the conference was weighted toward the generation side, Singer admitted there could be some question as to why his company was there. Operators of generation facilities have become much more aware of security needs in the past year, and vendors of the systems used in those facilities even more so.

“I’ve had a number of projects over the past year or so by vendors that realize that what’s coming down the pike regarding NERC/CIP compliance is going to drive a lot of changes into the product development life cycle,” he said. Vendors’ customers are asking how the system is actually NERC/CIP compliant. “That’s a bit of a fallacious question because you don’t make a system that’s NERC/CIP compliant,” Singer said. “The owner operator is going to be evaluated to be NERC/CIP compliant. But the vendors need to provide those asset owners lots of information about what features and functions are in their systems to aid them in their compliance effort. They’ll need to know what kinds of things they’ll have to pay attention to. And quite obviously some of the vendors are going to need to harden their systems to be able to facilitate NERC/CIP compliance for their operators.”

Heavy interest in vendor community

What are vendors going to need to be prepared for the owner operator demands coming in the near future?

“I think the NERC/CIP 05 and 07 documents are the primary crux of the technical requirements that need to be addressed, and a lot of those have to do with the hardening of the electronic security perimeter — reducing the footprint of a potential attack, the number of ports and services, and communications that are external and allowed into an environment,” he said. “So a lot of the early requirements we’re seeing are along those lines.”

Some questions coming Singer’s way include: How do you harden these systems? How do we limit ports and services? What ports and services are you using? What are you doing for access control? How do we do vulnerability scanning and vulnerability management? How do we do patching and antivirus and all the things that are part of the requirements of NERC/CIP?

Vendors are looking for ways to augment or retrofit their systems so that they’re able to provide the functions the owner operators will need.
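The ports-and-services side of ESP hardening described above comes down to a baseline check: document which ports a cyber asset is justified to expose, then compare that against what the host actually listens on. The following is an added example (not code from the post, ISA, or Kenexis) that parses a constructed `ss -lntu` listing against a constructed baseline and reports the deviations an owner operator would have to explain or remediate.

```python
"""Ports-and-services baseline audit for a host inside an electronic
security perimeter (ESP).

Added example, not from the ISA post. The baseline, the host listing and
the service names are all constructed for illustration.
"""
import re

# Constructed baseline: (proto, port) -> (documented purpose, external access
# through the ESP access point permitted?)
BASELINE = {
    ("tcp", 22):   ("ssh from engineering jump host", False),
    ("tcp", 502):  ("Modbus/TCP to local PLCs", False),
    ("tcp", 4840): ("OPC UA to historian", False),
    ("tcp", 443):  ("vendor remote support portal", True),
}

# Constructed `ss -lntu` output captured on one DCS server.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:502        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:4840       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

# Matches the netid, then the local address and port; the header line and
# anything that is not tcp/udp is ignored.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Return the set of (proto, port) sockets bound on the host."""
    found = set()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(3))))
    return found


def audit(listeners, baseline=BASELINE):
    """Return (unauthorized, missing): listening sockets with no baseline
    justification, and baseline services that are not actually running
    (either the baseline or the host is out of date)."""
    unauthorized = sorted(listeners - baseline.keys())
    missing = sorted(baseline.keys() - listeners)
    return unauthorized, missing


def externally_reachable(listeners, baseline=BASELINE):
    """Listening baseline services that are documented as reachable from
    outside the ESP; these are the entries an access-point review covers."""
    return sorted(p for p in listeners if p in baseline and baseline[p][1])
```

On the constructed listing, telnet (tcp/23) and SNMP (udp/161) come back as unauthorized and the documented portal on tcp/443 is reported as missing.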

Some vendors are concerned about what the other guy is doing. “They’re thinking, ‘Well wait a minute; do we really have an obligation to provide them a firewall and a very well defined ESP and an obligation to provide them antivirus solutions and everything else?’ You need to at least have a recommended solutions set, so that when owners come to you asking these questions, you have a way to address it.”

“Some owners have come back to their vendors and said, ‘Look, I want one compliance management solution, not 14.’ So they’ve pushed back on their primary vendor to say, ‘I need you to support these things as well.’ I think a lot of it too is the vendors are saying it’s not our responsibility to make our customers CIP compliant, but we do need to help them. They’re playing responsible citizen in this field,” Singer said.

ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources.
