Tuesday, April 24, 2012

The Importance of Developing NERC Compliance Procedures

“Regulatory compliance is considered one of the primary business risks for industries such as the energy utilities. The National Energy Regulatory Commission (NERC) can fine a company up to $1 million a day for non-compliance,” said Rick Doten, vice president of cyber security for DMI.

http://smart-grid.tmcnet.com/channels/nerc-compliance/articles/287417-importance-developing-nerc-compliance-procedures.htm

Friday, April 20, 2012

Corporate Risk Solutions’ NERC CIP Compliance Guide Addresses Version 4


The recent announcement of the Federal Energy Regulatory Commission (FERC) approving the final rule that updates certain reliability standards (www.ferc.gov/.../Files/20120419105338-summaries.pdf) may have some utilities shaken up. This final rule approves the Version 4 CIP Reliability Standards submitted by the North American Electric Reliability Corp (NERC), and involves a change in the way Critical Assets are identified. These NERC CIP Reliability Standards provide a framework to identify and protect Critical Cyber Assets in association with Critical Assets that support the Bulk-Power System.

While those involved with NERC Compliance may be worried about what this means for previous versions of the Standards, Corporate Risk Solutions, Inc. (CRSI) has a solution to help lessen the blow. CRSI has produced an extensive, holistic NERC CIP Compliance Guide that includes guidance for Version 4 as approved by the NERC Board of Trustees.

CRSI’s NERC CIP Compliance Guide includes narration of each of the NERC CIP Requirements and supporting information to assist with comprehension and compliance. Not only does the Guide provide detailed information as to what documentation is needed per Requirement and Sub-Requirement and detail the additional evidence that must be provided during an audit to achieve compliance, but it also provides best practice recommendations and problem areas to avoid.

So far, CRSI has sold 160 Guides to utilities across all eight NERC Regions. Clients have been providing CRSI with great feedback about the functionality and features of the Compliance Guide. The Compliance Guide is designed for all members of the company. Those who will benefit most from the Guide are Subject Matter Experts, members of the internal Compliance Team, Senior Executives, Management, and employees dealing directly with NERC CIP on a daily basis. The Guide is designed as a reference source for all NERC CIP compliance questions.

For future versions of the Guide, a significant discount will be offered only to those who have previously purchased the first edition. It is intended that in future versions (Version 5), the Guide will be offered in a web format so it can operate within an Intranet platform, for which a subscription service from CRSI will maintain the currency of, and provide enhancements to, the Guide and supporting templates. Significant discounts will also be offered for the web format only to those who have previously purchased the first edition. It is anticipated that the information contained in this Guide will be valid and applicable for a minimum of 18-24 months.

For information on how to order, request a sample, or get in contact with a fellow user of the NERC CIP Compliance Guide, contact Travis Emerson at temerson@corprisk.net or call 913-322-5404. Visit www.corprisk.net/services/nerc-cip-compliance-guide to find out how CRSI’s clients have found value in the Compliance Guide.

CRSI is a wholly-owned subsidiary security consulting firm of Corporate Enterprise Security, Inc. CRSI specializes in NERC operational and CIP Compliance (693 and 706), as well as cyber and physical security solutions to the energy and government sectors. CRSI has provided consulting services to more than 100 electric utilities across all eight (8) NERC regions and is also under contract by NERC Regional Entities for Audit Support. For more information, contact: Trisha Breckenridge, Marketing Associate, 913-422-0410. Email: info@corpenterprisesec.com.

Thursday, April 19, 2012

FERC Approves Version 4

FERC approves final rule that updates certain reliability standards

E-6, Version 4 Critical Infrastructure Protection Reliability Standards, Docket No. RM11-11-000. This final rule approves the Version 4 CIP Reliability Standards submitted by the North American Electric Reliability Corp (NERC) and retires the currently-effective Version 3 CIP Reliability Standards. The CIP Reliability Standards provide a cyber-security framework for the identification and protection of “Critical Cyber Assets” associated with “Critical Assets” that support the reliable operation of the Bulk-Power System. The main difference between Version 3 and Version 4 is found in CIP-002-4 and involves a change in the way “Critical Assets” are identified. Specifically, Version 4 includes uniform “bright line” criteria for the identification of “Critical Assets,” which replace the “risk-based assessment methodology” developed and applied by individual responsible entities under Version 3. The final rule does not include any new substantive directives, but it does provide NERC with guidance regarding achieving full compliance with the directives contained in Order No. 706. The final rule also imposes a deadline of March 31, 2013 by which time NERC must submit the next version of the CIP Reliability Standards and further requires NERC to provide quarterly status reports on its CIP development efforts.

For your information, here is the item from FERC’s meeting summary: http://www.ferc.gov/EventCalendar/Files/20120419105338-summaries.pdf

Monday, March 5, 2012

Corporate Risk Solutions Expands Security and NERC CIP Consulting Team: Introducing Michael Taylor, Security/Compliance Analyst

Corporate Risk Solutions, Inc. (CRSI), a wholly-owned subsidiary and premier security consulting firm of Corporate Enterprise Security, Inc., is pleased to announce the addition of Mr. Michael S. Taylor as a Security/Compliance Analyst to its team of dedicated NERC (693 and 706) Compliance and security consulting experts. Mr. Taylor will assist in the growth and continued success of CRSI’s Managed Services Support (MSS) offerings.

“Michael’s experience in infrastructure security design reviews and various aspects of a security program will prove invaluable to our MSS and compliance programs,” says Susan Tibbs, Security Consultant, Managed Services Support Section, of the addition to CRSI’s team.

As a Security/Compliance Analyst, Mr. Taylor will work with senior consultants to develop policies and procedures for physical, information, and operations security, and will assist in the review of threat and vulnerability assessments and risk management tools, as well as mock audits, inspections, and compliance evaluations. Mr. Taylor comments, “I am excited and honored to be a part of the CRSI team. I look forward to the challenges and opportunities ahead of me, and feel my military experience and background in security have prepared me to provide exceptional services to our clients.”

Mr. Taylor has over 23 years’ experience working in multiple security disciplines while serving in the United States Army Military Police Corps. He started as a Physical Security Compliance Inspector and continued his professional training and development, eventually working as a Security Program Manager for Army installations and facilities in North Carolina, Texas, Kansas, South Korea, Germany, and Iraq. Mr. Taylor also served as the Antiterrorism and Force Protection Officer and Emergency Response Coordinator at military bases in Landstuhl and Bamberg, Germany, and in support of military contingency operations in Iraq. His specialties included Threat and Vulnerability Assessments, Risk Analysis and Mitigation, Compliance Inspections, Physical and Electronic Security Systems design, Police Intelligence Operations, and developing plans, policies, procedures, and training packages for security programs aimed at protecting information, personnel, facilities, and critical assets.


Thursday, March 1, 2012

The "Smarter" the Smart Grid, the Greater Potential for Security Issues

Cyber Security Solutions Must Be at the Development Stage Rather Than a Retrofit

(Chart: Smart Grid Cyber Security Drivers)

Sometimes called the world’s largest interconnected machine, the electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change that will unfold over a number of years. As the grid is modernized, it will become highly automated, leverage information technology more fully, and become more capable in managing energy from a variety of distributed sources. However, in this process of becoming increasingly “smarter,” the grid will expand to contain more interconnections that may become portals for intrusions, error-caused disruptions, malicious attacks, and other threats.

The convergence of the information and communication infrastructure with the electric power grid introduces new security and privacy-related challenges. The introduction of these technologies to the electric sector also presents opportunities to increase the reliability of the power system, to make it more capable and more resilient to withstand attacks, equipment failures, human errors, natural disasters, and other threats. These greatly improved monitoring and control capabilities must include cyber security solutions in the development process rather than as a retrofit.

Potential cyber security issues to the smart grid are numerous. The "Smart Grid Cyber Security Drivers" chart outlines certain drivers of increased attack surface and increased risk to operations.

Included in the potential cyber security issues to the smart grid are:

  • Increasing complexity that could introduce vulnerabilities and increase exposure to potential attackers;
  • Without proper planning, a natural or man-made event could disable the communications infrastructure, rendering the smart grid ineffective at coping with an emergency situation;
  • A cyber intruder could compromise electricity use data and send false information to the utility and either lower or increase the billing, depending upon the motivation;
  • Linked networks can introduce common vulnerabilities;
  • Increasing vulnerability to communication disruptions and the introduction of malicious software that could result in denial of service or compromise the integrity of software and systems;
  • Increased number of entry points and paths for potential adversaries to exploit;
  • Potential for compromise of data confidentiality, including the breach of customer privacy; and
  • Compromise of the automated device/service control functionality of the Smart Grid devices, in such a way that significantly disrupts, impairs, or destroys the self-sensing and monitoring, self-adaptive, self-healing electricity generation, transmission, and distribution infrastructure.

The first and possibly most important recommendation for “securing the smart grid” is in the mindset: cyber security must be viewed as a critical element of the Smart Grid deployment. It is then important to apply a “defense in depth” concept, isolating and segregating systems and applications, and then allowing only selected connectivity. These concepts are best accomplished at the foundational/design level. Once the mindset and strategy are set, it is crucial to keep in mind the “you can’t manage what you can’t measure” philosophy, and establish a security management system.

You are not alone. Remember to involve your vendors and interconnected partners throughout the process, and embed security into your corporate governance systems. And finally, you never want to commit to a project without developing and tracking a business case. It is important to do this on a project-by-project basis and as an integrated system. This will be life-saving when it comes to evaluating and repeating the process.

For the full “Securing the Smart Grid” presentation, and more information on cyber security practices and solutions, contact Trisha Breckenridge at tbreckenridge@corprisk.net.

Wednesday, February 29, 2012

See Scott Roe, President of CRSI & CESI, in Protecting Utilities through Business Continuity

Scott Roe from Corporate Risk Solutions, a solution provider at the marcus evans Generation Summit 2012, on protecting utilities from internal and external attacks.
Interview with: Scott Roe, President, Corporate Risk Solutions
FOR IMMEDIATE RELEASE

“It is crucial for power utilities to be prepared for malicious attacks and internal actions that could potentially bring down their organization,” says Scott Roe, President, Corporate Risk Solutions. Organizations must consider how the utility is being accessed and maximize security, he adds.

From a solution provider company attending the marcus evans Generation Summit 2012, in San Antonio, Texas, February 7-8, Roe discusses the three primary phases organizations must go through when responding to an attack on a utility.

Why must there be more focus on the protection of utilities?

The reliability of the electricity sector is paramount. Most of the nation’s critical infrastructures, such as telecommunications, banking and finance, and transportation, are dependent upon reliable power to operate. Every process and operation in the energy industry requires dynamic information flow, which can put systems at risk. This could be a customer’s personal information or information that the system relies on to manage electricity. Simply stated, utilities must protect their customers’ information and the systems in place.

Managers should identify how the utility is being accessed both physically and logically. Does the public have any access? How is the information being stored? While typically a private network, does it use or allow public interface? What is the remote-access capability of the system? There must be a focus on the access points where information has the potential to be leaked and how that is being protected from within.

What benefits does Business Continuity bring?

Security solutions and Business Continuity are risk management tools that can assist the organization in defending against and responding to malicious attacks. While utilities are used to handling impacts and risks related to severe weather, outages, etc., they are not as adept at handling the recovery processes surrounding malicious events, such as cyber attacks or internal actions that could potentially bring down the organization.

What are the three primary phases for responding to an attack on a utility?

The first is incident response. This typically includes containing or isolating the event to reduce total impact and to limit continual collateral impact.

The second phase is disaster recovery. This involves returning to a state of operations, through the use of redundant systems, spare parts and temporary processes.

The third is business resumption, when operations return to a normal state. Another key goal of this phase is to complete an After Action Review to identify what occurred and what can be done in the future to prevent it from happening again.

Any final comments?

Utilities have a reputation for engineering just about everything, yet with Security, they often treat this as an “add-on”. To ensure effective regulatory compliance and, more importantly, to enhance their risk management program, Security and Business Continuity should be “engineered” into their processes. They must consider how security can be maximized more efficiently, including whether it can be built into the operations and structures themselves.

About the Generation Summit 2012

This unique forum will take place at The Westin La Cantera Resort, San Antonio, Texas, February 7-8, 2012. Offering much more than any conference, exhibition or trade show, this exclusive meeting will bring together esteemed industry thought leaders and solution providers to a highly focused and interactive networking event. The Summit includes presentations on meeting future energy demands whilst advancing clean air objectives, revolutionizing the energy mix and preparing for regulations which lie ahead.

Tuesday, February 28, 2012

Corporate Risk Solutions Produces Fully Abridged NERC CIP Compliance Guide Book


Corporate Risk Solutions, Inc. (CRSI), a wholly-owned subsidiary and premier security consulting firm of Corporate Enterprise Security, Inc., has produced a definitive NERC CIP Corporate Compliance Guide Book for their utility partners. This “Guide Book” was developed as the first ever, holistic, abridged “Go-To” source for all NERC CIP Compliance questions. It provides insight from FERC Order 706, which was used as the basis for the development of each of the CIP Standards, and references applicable NERC documents published for guidance, interpretation, compliance application, and/or Frequently Asked Questions attributable to each CIP Standard, requirement, and/or sub-requirement.

The “Guide Book” also provides enhanced information such as potential auditors’ questions, evidence of compliance, and even best practices or common problem areas. The “Guide Book” was developed using Version 3 of the CIP Standards, as well as guidance for CIP-002 Version 4 as currently approved by the NERC Board of Trustees, and is presented in an easy-to-use “lay flat,” full color, tabbed handbook format.

Michael W. Tibbs, Senior Vice-President and Chief Operating Officer of CRSI, explains, “The NERC CIP Compliance Guide Book benefits all members of the utility company. Those that will benefit most from the Guide are Subject Matter Experts, members of the Internal Compliance Team, Management and Senior Executives, and literally any employees dealing directly with NERC CIP on a daily or periodic basis.”

The first edition of the “Guide Book” will only be available for purchase by CRSI’s utility partners and will be available in early/mid-March 2012. CRSI has plans to distribute future versions of the “Guide Book” as a web-based resource with a subscription service keeping the information current on changes in the NERC CIP regulatory environment.