This post was authored by Ellen Fussell Policastro.
The power industry has an elephant in the room: the NERC CIP regulatory requirements that apply to fossil, hydro, transmission and distribution assets across the U.S. and North America in general. So says Bryan Singer of Kenexis Security Corp., gleaning input from power industry gurus at an ISA POWID Symposium.
Since early compliance with the regulatory requirements has historically favored the transmission and distribution side, and since the conference was weighted toward the generation side, Singer admitted there could be some question as to why his company was there. Operators of generation facilities have become much more aware of security needs in the past year, and the vendors of the systems in those facilities even more so.
“I’ve had a number of projects over the past year or so by vendors that realize that what’s coming down the pike regarding NERC/CIP compliance is going to drive a lot of changes into the product development life cycle,” he said. Vendors’ customers are asking how the system is actually NERC/CIP compliant. “That’s a bit of a fallacious question because you don’t make a system that’s NERC/CIP compliant,” Singer said. “The owner operator is going to be evaluated to be NERC/CIP compliant. But the vendors need to provide those asset owners lots of information about what features and functions are in their systems to aid them in their compliance effort. They’ll need to know what kinds of things they’ll have to pay attention to. And quite obviously some of the vendors are going to need to harden their systems to be able to facilitate NERC/CIP compliance for their operators.”
Heavy interest in the vendor community
What do vendors need to be prepared for as owner-operator demands arrive in the near future?
“I think the NERC/CIP 05 and 07 documents are the primary crux of the technical requirements that need to be addressed, and a lot of those have to do with the hardening of the electronic security perimeter — reducing the footprint of a potential attack, the number of ports and services, and communications that are external and allowed into an environment,” he said. “So a lot of the early requirements we’re seeing are along those lines.”
Some questions coming Singer’s way include: How do you harden these systems? How do we limit ports and services? What ports and services are you using? What are you doing for access control? How do we do vulnerability scanning and vulnerability management? How do we do patching and antivirus and all the things that are part of the requirements of NERC/CIP?
Vendors are looking for ways to augment or retrofit their systems so that they’re able to provide the functions the owner operators will need.
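The first of those questions, which ports and services a system actually uses and whether they match what the vendor documents, is something an owner-operator can check mechanically. The script below is an added example and is not code from the original post, from Kenexis, or from any vendor mentioned here. It parses a listener inventory in the style of `ss -tulpn` output (the sample lines are constructed for the example), compares it against a hypothetical vendor-supplied port and service baseline, and reports three kinds of findings: a listener the baseline does not document, a documented service bound more widely than the baseline allows, and a documented service that is not running. The baseline format and the `audit` function are this example's own design, not anything the post describes.

```python
"""Compare a host's listening ports and services against a vendor baseline.

Added example; not code from the original post. The sample output and the
baseline are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulpn` on a generation-plant HMI host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=901,fd=5))
tcp   LISTEN 0      5      0.0.0.0:502        0.0.0.0:*         users:(("modbusd",pid=1201,fd=4))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=1333,fd=3))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=1402,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("java",pid=1510,fd=9))
"""

# Hypothetical vendor baseline: (protocol, port) -> (process, loopback_only).
# Anything not listed here is, by this check's definition, an unexpected service.
BASELINE = {
    ("tcp", 22): ("sshd", False),      # remote maintenance inside the ESP
    ("tcp", 5432): ("postgres", True),  # historian database, loopback only
    ("tcp", 502): ("modbusd", False),  # Modbus/TCP to the PLCs
    ("udp", 161): ("snmpd", False),    # monitoring
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Matches one data row of `ss -tulpn`; the header row does not start with tcp/udp.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+"
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_listeners(text: str) -> list[Listener]:
    """Turn ss-style output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        listeners.append(
            Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?")
        )
    return listeners


def audit(listeners: list[Listener], baseline: dict) -> list[str]:
    """Return human-readable findings; an empty list means the host matches."""
    findings = []
    seen = set()
    for lst in listeners:
        key = (lst.proto, lst.port)
        seen.add(key)
        if key not in baseline:
            findings.append(
                f"UNEXPECTED {lst.proto}/{lst.port} ({lst.process}) bound to {lst.addr}"
            )
            continue
        expected_proc, loopback_only = baseline[key]
        if expected_proc != lst.process:
            findings.append(
                f"PROCESS MISMATCH {lst.proto}/{lst.port}: expected {expected_proc}, found {lst.process}"
            )
        if loopback_only and lst.addr not in LOOPBACK:
            findings.append(
                f"EXPOSED {lst.proto}/{lst.port} ({lst.process}) bound to {lst.addr}, baseline allows loopback only"
            )
    # A documented service that is not running is also a deviation worth recording.
    for (proto, port), (proc, _) in baseline.items():
        if (proto, port) not in seen:
            findings.append(f"MISSING {proto}/{port} ({proc}) in baseline but not listening")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE):
        print(finding)
```

On the constructed sample this reports the telnet and 8080 listeners as undocumented and the database as bound more widely than the baseline allows. A baseline of this shape is exactly the kind of information a vendor can hand an asset owner, and an owner-operator can rerun the comparison after every patch or configuration change to show that the service footprint has not drifted.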
Some vendors are concerned about what the other guy is doing. “They’re thinking, ‘Well wait a minute; do we really have an obligation to provide them a firewall and a very well defined ESP and an obligation to provide them antivirus solutions and everything else?’ You need to at least have a recommended solutions set, so that when owners come to you asking these questions, you have a way to address it.”
“Some owners have come back to their vendors and said, ‘Look, I want one compliance management solution, not 14.’ So they’ve pushed back on their primary vendor to say, ‘I need you to support these things as well.’ I think a lot of it too is the vendors are saying it’s not our responsibility to make our customers CIP compliant, but we do need to help them. They’re playing responsible citizen in this field,” Singer said.
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
- ISA Global Cybersecurity Alliance
- Cybersecurity Resources Portal
- Cybersecurity Training
- IEC 62443 Conformance Certification
- Family of Standards
- ISA/IEC 62443 Cybersecurity Certificate Programs
- Suite of Security Standards