
NERC CIPs Catching up to iPhone Version Numbers


OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."

"Yes! How about version 4?" Etc.

Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs to which utilities must comply will be neither version 4 nor 5 but rather version 6!

I was stunned, as were many of those in online attendance. Tom explains his reasoning on the EnergySec webcast and much more, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour-long piece, with some deep dives into the ramifications of high, medium, and low risk assets.

Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.

----------------------------

Attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM for sending me the replay.

Photo credit: KCRW.com

Helpful Clarifications Still Leave NERC CIP Version 4 Changes Feeling Overwhelming

If your job is to ensure your utility complies with the new version 4, certainly you've been scouring info like this for a while now. But if you're a member of the electric sector support or regulatory communities, including service providers and state commissioners, it'll behoove you to get a better feel for the massively numerous and often ambiguous compliance hoops through which these folks have to jump.


Thanks to my friend and super sharp energy sector security colleague Tim Deloach for prompting me on this. And if you're going to click through and read it at all, I want you to read this Q&A first for the motivation/urgency/anxiety/terror it produces:
Q: I thought there was an 18-month implementation plan under v4 for newly identified assets?
A: You have a lot of company; many others thought the same thing – but it’s wrong.... Briefly, you have a 12-24 month implementation period under V4 for assets that are newly commissioned or newly identified after 4/1/2014. But for assets that were in operation as of June 25 of 2012 (the day that FERC Order 761 was published in the Federal Registry), full compliance with CIP-002-4 through CIP-009-4 is due on 4/1/2014.
Nice job EnergySec and Honeywell, particularly CIP guru Tom Alrich, for the webcast and now for following up with this Q&A infosheet.

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4," the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand new utilities who for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard!!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

  • Some have asked whether 4/1/2014 is the Compliant or Auditably Compliant date. These are CIP V1 terms – 4/1/2014 is the Compliant and Auditably Compliant date for Version 4. This means you have to have everything for compliance in place on that date, and includes all policies, procedures and technologies in CIP-003 through CIP-009
  • There are some who believe that assets identified by the V4 criteria are “newly identified” under V4 – thus they have 6-24 more months to comply after 4/1/2014. They are wrong: NERC and the Region Entities are in agreement on this
Donovan Tindill was no slouch either. Ensure you ingest a few of his lessons learned, like:
  • Cyber Assets not previously inventoried need budgeted >1 hour each!
  • Actual Site Inventory Labor: 11 sites, 1500 Cyber Assets = 2,200 hours
  • Site inventory can uncover >30% more assets than originally thought!
  • Existing network drawings >2 years old cannot be trusted, easier to start over with both logical and physical cable tracing
  • 50% of equipment is non-IT traditional infrastructure and is not easily recognized nor is information you need to collect and report easily collected
OK, I don't want to steal too much more of their thunder, so without further delay or obfuscation, you can see the whole deck by clicking HERE. You realize April 1st 2014 is less than 53 weeks away, right? Good luck!

The Future of Naval Installation Energy

Posting this one for SGSB readers who might not otherwise see relevant content on the DOD Energy Blog. There's a lot to admire, and learn from what the Navy is doing in Washington DC and the surrounding region. Check it out ...
-----------------------
As projected several years ago in this great 5-minute video, paving the way for demand management, energy efficiency, microgrids, support for renewables and all manner of support-the-mission, energy security goals (with cybersecurity baked in).



From all accounts, the folks involved with this initiative are right on schedule and are meeting their objectives.  Recommend you keep an eye on this.

Alrich on Distributech's 2013 Cybersecurity Focus Panels

I couldn't make it to the panel sessions but fortunately Tom Alrich could and did. Here are his short takes on 3 different panels:
Substation Integration and Automation: The Cybersecurity Landscape is Changing - Didier Giarratano of Schneider Electric discussed Role Based Access Control (RBAC) and how to do a good job applying RBAC to the challenges of substations. Anthony Eshpeter of SUBNET Solutions discussed “Complexities of Substation Cyber Security”. He provided a very good, lucid discussion – pointing out the need for solutions like those SUBNET sells but without ever making a sales pitch. Bradley Tips of Cisco addressed “Real-world Deployment of Network Security for NERC CIP Compliance”. A good overview of what CIP requires for a substation these days.
Smart Grid Cybersecurity and Standards-based Integration - This session was very well attended. Leading off was Elizaveta "Liza" Malashenko of the California Public Utilities Commission. Both Andy and I have blogged about her (and her staff’s) excellent paper making the case for state regulation of Smart Grid cyber security, and for using a risk-based approach in doing so (in contrast with the NERC CIPs' more prescriptive approach, which also don’t apply to distribution). Elizaveta is a very poised and articulate spokeswoman for this position; judging from the crowd that came up to greet her afterwards, she seems on her way to rock-star status.
Following Elizaveta was Valentine Emesih of CenterPoint Energy, who discussed and showed screens from a product they have developed with Siemens called Utility Operations Center Cybersecurity Manager. It seems to be a very well-designed “dashboard” to let EMS operators – without specialized cyber security training – be notified of security events and be clearly told what needs to be done for each one (I’m simplifying a lot). The third speaker was Ed Hedges of Kansas City Power and Light, on “Innovative Methods and Solutions Drive KCP&L’s End-to-End Smart Grid Program”. This was an excellent overview of KCP&L’s Smart Grid rollout, including some very honest discussion of lessons learned.
You vs. Security: Can you Keep Up? - We got off to a very rousing start with Joseph Fisher of Affinity IT Security addressing what utilities should be doing to achieve real cyber security, not just CIP compliance. He provided a good schematic of all the important domains of cyber security, and discussed what each one means. I don’t think there was any particular idea I hadn’t heard before, but it was very valuable to have all the pieces tied together.
He was followed by PwC consultant Jon Stanford (formerly with BPA and a longtime member of the CSO 706 Standards Drafting Team). Jon’s topic was “Today’s Advanced Malware Threat” and he provided a great in-depth discussion of the many types of malware attacks in recent years and the different tools available to address them – as well as the processes and procedures that need to drive any effective anti-malware program. The last speaker was Adam Bosnian of Cyber-Ark Software, discussing the need to secure administrator and shared accounts.

So there you go, and thanks to Tom for providing the next-best-thing to being there. BTW, Tom's a bit of a NERC CIP expert, and you can find his latest observations on his new blog right HERE. When you get there be sure to bookmark it for future reading.

The Quest to Better Understand the NERC CIP Bright Lines

Tom Alrich and Rick Kaun have written some of the best material we've seen on the topic of the evolution of the CIPs, and Tom has a new piece clarifying the lack of clarity of the Bright Lines language.

This is something of interest to all utilities currently busy achieving and demonstrating compliance with version 3, and grappling with what they should do to best prepare for versions 4 and/or 5 coming at them sooner than they would probably like.

Here's Rick's intro followed by a link to Tom's article. Note: you may not like what Tom has to say, but it's better to get this news now than to go ostrich ....

Tom Alrich has identified what he sees as a significant problem looming for the NERC CIP cyber security regulations for electric utilities and power producers: There is a fundamental ambiguity at the heart of NERC CIP Version 4, the version of the standards now set to take effect on April 1, 2014. The big change in Version 4 was the introduction of so-called “bright line” criteria for determining which utility assets (power plants, control centers, transmission substations and others) will need to comply – due to a lot of disagreement on applicability of the standards in previous versions.
Given that the cost of CIP compliance for even a single power plant can well be in the millions of dollars, this is no small problem. Utilities are currently faced with the unpalatable choice of spending that money on an asset which may later turn out not to be in scope under Version 4, or not spending the money and risking being fined hundreds of thousands or even millions of dollars when a future audit determines the asset was in scope after all. Tom says he can see no real solution to this problem, but he suggests that NERC (the North American Electric Reliability Corporation, which promulgates and enforces electric grid reliability standards, including CIP) develop a comprehensive set of guidelines for applying the bright line criteria, and for producing evidence of compliance.
My guess is this isn't the last we'll be hearing on this topic. Here's the LINK to the full article.

Security Checklists, Compliance Cultures, and Finding a Better Way

Fixating on responding to a compliance regime is, in a sense, like agreeing not to learn. You know how, when you're in the passenger seat, even if you go to the same destination a hundred times, if you weren't driving you don't remember how to get there because you never learned in the first place? Fortunately, the GPS came along just in time to save your butt.

Before I go any further, please note this is not intended as invective against the NERC CIPs. I know why they were made and why we still have to have them. Most of us wish it were otherwise, but unless and until the majority of utilities are observed performing the activities the CIPs require (and more) on their own initiative, this is the way it's going to be.

Have to tip the figurative hat again to Ernie H, who once again can be counted on for spotting and forwarding the good stuff. THIS recent Dark Reading article lays bare the downside of a checkbox compliance mindset. In it, I like this analogy from security researcher Lamar Bailey:
[Security] standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game. If you can't pass them with two hands tied behind your back, you need to quit and find another game.
I could see how that might make some folks say Ouch! Anyway, it prompted me to do a search to see if utilities were embracing or resisting some of the downsides of this mindset. Well, it didn't take long before I happened upon this. Imagine you pay the salaries of dozens of folks, as many utilities do, engaged in activities described by one CIP compliance manual this way.

It begins, "Evidence is more than just documentation" and continues:
Demonstrating compliance usually means “corroborating” evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.
There have got to be better ways to run and secure a utility, no? And of course, reading to this point is worth it if it means you get to a gem of an article I posted a link to almost exactly one year ago. Once again, HERE's Stephen Flanagan of FERC, giving a keynote on what he terms compliance cultures vs. cultures of commitment, and who, even as an auditor, keeps this in mind: "Security, not violations, is the primary focus." Like that.