The Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by North American Electric Reliability Corporation (NERC) back in 2006, making the Critical Infrastructure Protection (CIP) Cyber Security Standards mandatory and enforceable across all users, owners and operators of the bulk-power system. The NERC CIP standards were designed to ensure the protection of the Critical Cyber Assets (CCAs) that control or directly affect the reliability of North America’s bulk electric systems.
“There is nearly universal agreement that information security controls must be integrated into daily IT operations, and be ‘baked in’ from conception, not addressed later as an afterthought,” according to Gene Kim (@RealGeneKim), founder and former CTO of Tripwire. But controls evolve and change over time, and must be implemented over time. That’s where the real challenge lays.
“If new security controls must be implemented, where do we start, and in what order? And how do we do this in a way that creates value rather than the perception of information security creating bureaucratic barriers to getting real work done?” Gene wondered.
These are the types of questions that Gene has been trying to answer since 1999 when he began studying how high-performing IT operations and information security organizations run. In his research, he found generally that the high performing organizations he studied consistently had the best security, the best compliance posture, the greatest ability to make changes quickly and successfully, and for the most part all demonstrated an optimal level of efficiency.
“What I learned was that high performing IT organizations have figured out how to build sustainable security controls that integrate into daily IT operational processes and deliver value to other business stakeholders,” Gene wrote. “In these high performers, information security simultaneously enables the business to respond more quickly to urgent business needs and helps provide stable, secure, and predictable IT services.”
In this complimentary white paper, Gene describes seven practical steps owners and operators of the bulk power system can take to meet the mandatory NERC-CIP standards, and how they can avoid incurring huge fines for non-compliance and better protect North America’s bulk power system.
“This paper describes typical information security risks that practitioners will face with NERC compliance, presents seven practical steps to secure the production environment, and the business value of implementing them,” Gene said.