25 May 2011

Reliance on compliance

By Mike Brown, Matrikon

Matrikon | www.matrikon.com


Mike Brown outlines how the security of operations in the bulk electric system depends largely on the ability to comply with reliability standards.


“The best possible approach for managing compliance would also be an asset-based or bottom up approach to compliance management”
-Mike Brown

Few people associated with the electric grid in North America have not yet heard of the pending NERC regulations. National catastrophes such as the blackout of 2003 and the events of 9/11 have led to countless resources being spent on securing the process control networks of North American utility companies. The goal is to ensure the reliable operation of the bulk electric system.

Perhaps the most discussed and most ambitious of the reliability standards is the Critical Infrastructure Protection (CIP) security standard, CIP 002-009. This particular standard focuses on areas that many utilities have never even bothered to implement. The plant floor lags behind corporate IT in terms of up-to-date patching of control systems and intrusion detection programs. Nonetheless, this standard is on its way to being implemented and soon to be enforced.

Achieving compliance
Most discussion up to now has been centered on interpreting, applying, and establishing the various components of the standard within the context of the bulk electric system in North America. Companies are primarily focused on the first phase of NERC CIP compliance: achieving compliance.

The second phase of CIP compliance - maintenance - is just starting to become the new challenge. Many companies purport to offer compliance management packages, but most are retooled Sarbanes-Oxley (SOX) systems or corporate tools that are being forced onto the plant floor. In order to properly manage a CIP compliance program, the standard, its intention, and the environment it regulates all need to be taken into consideration.

The first stage of any CIP compliance program is to define a Critical Asset and a Critical Cyber Asset. All other aspects of the program point back to this list. Therefore, it would follow that the best possible approach for managing compliance would also be an asset-based or bottom up approach to compliance management. 

We must always remember that the environment being monitored and managed is a production environment. The network is more critical and potentially more fragile (from the perspective of automated, true IT lockdown and management), and Windows-based systems typically outnumber the users by an order of magnitude. Therefore any program that does not report in real or near-real time, while remaining mindful of production systems, proprietary protocols, and other plant floor restrictions, is flawed in the same way as the retooled corporate tools.

The CIP standard is complex, and its specific interpretation cannot be captured in simple document management or workflow programs. Cross-referencing multiple data sources against the specific language of the standard is the only way to truly track and monitor your program for ongoing compliance.

Existing Offerings
There is no shortage of retooled SOX offerings, but they fail to integrate with the assets. Corporate IT has tools, but they do not work on the plant floor or lack the document management capabilities required for the massive NERC CIP documentation. Similarly, there are excellent solutions in the plant that address specific sections of NERC CIP, such as Incident Response, OS and Application Patching, and anti-virus, but they fail to integrate information from other systems.

The ideal solution is one that incorporates safe and reliable (i.e., proven) access to assets, feeds that data into a system that provides document management and workflow capabilities, and then integrates it with multiple data sources together with the capability to provide NERC CIP-specific interpretation of the information. With this compiled information and a near-real-time view of your compliance program's status, you will truly have a valuable compliance management tool.
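As an added illustration of the asset-based, multi-source approach described above (this is example code, not Matrikon's or Imperium's): a small Python evaluator keys three constructed feeds (patch assessment dates, anti-virus state, open incidents) back to a Critical Cyber Asset register, reports per-asset gaps, and flags assets that appear in a feed but are missing from the register. The rule names, the 30-day patch window, the report date and every record are placeholders, not text from the standard.

```python
from datetime import date

# Constructed Critical Cyber Asset (CCA) register; every check below keys back to it.
CRITICAL_CYBER_ASSETS = {
    "HMI-01": {"os": "Windows"},
    "PLC-07": {"os": "Embedded"},   # no patch or anti-virus agent possible
    "HIST-02": {"os": "Windows"},
}

# Constructed feeds from separate plant-floor systems, each keyed by asset id.
PATCH_FEED = {"HMI-01": date(2024, 1, 5), "HIST-02": date(2023, 10, 1)}  # last patch assessment
AV_FEED = {"HMI-01": "current", "HIST-02": "stale", "ENG-09": "current"}  # signature state
INCIDENT_FEED = [{"asset": "HIST-02", "opened": date(2024, 1, 10), "closed": None}]

REPORT_DATE = date(2024, 1, 20)  # constructed "as of" date for the report


def evaluate(as_of=REPORT_DATE, patch_window_days=30):
    """Join every feed to the CCA register and return (asset, rule, detail) findings.

    Rule names and `patch_window_days` are assumed placeholders, not CIP text.
    Assets that appear in a feed but not in the register are reported as
    inventory drift, since an unregistered cyber asset is itself a gap.
    """
    findings = []
    for asset, meta in CRITICAL_CYBER_ASSETS.items():
        if meta["os"] == "Windows":  # patch and AV rules only apply to patchable hosts
            assessed = PATCH_FEED.get(asset)
            if assessed is None or (as_of - assessed).days > patch_window_days:
                findings.append((asset, "PATCH-ASSESS", "no patch assessment within window"))
            if AV_FEED.get(asset) != "current":
                findings.append((asset, "MALWARE-PREV", "anti-virus signatures not current"))
        for inc in INCIDENT_FEED:
            if inc["asset"] == asset and inc["closed"] is None:
                findings.append((asset, "INCIDENT-RESP", "open incident"))
    registered = set(CRITICAL_CYBER_ASSETS)
    for source, feed in (("patch", PATCH_FEED), ("av", AV_FEED)):
        for asset in sorted(set(feed) - registered):
            findings.append((asset, "INVENTORY", f"seen in {source} feed but not registered"))
    return findings


def compliant_assets(as_of=REPORT_DATE, patch_window_days=30):
    """Registered CCAs with no findings as of the given date."""
    flagged = {f[0] for f in evaluate(as_of, patch_window_days)}
    return sorted(set(CRITICAL_CYBER_ASSETS) - flagged)


if __name__ == "__main__":
    for finding in evaluate():
        print(*finding, sep=" | ")
    print("compliant:", compliant_assets())
```

Re-running `evaluate()` each time a feed updates is what turns the static document trail into the near-real-time status the article calls for.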

Matrikon is working with our valued clients in the power industry to bring to market just such an offering. Matrikon Imperium is the first tool to provide near-real-time monitoring of your Critical Cyber Assets, present that information alongside your other data sources, and give you the context needed to manage and maintain your CIP compliance program.

Mike Brown, Vice President North America Solutions, Matrikon Inc., has over 20 years' experience in process control engineering and in industrial IT networks for performance monitoring projects. He manages the Operational Excellence portfolio for plant performance improvement, which includes compliance-based applications such as Alarm Management, Industrial Network Security and NERC CIP, and Plant Regulatory Reporting.

