Monday, March 5, 2012

Corporate Risk Solutions Expands Security and NERC CIP Consulting Team: Introducing Michael Taylor, Security/Compliance Analyst

Corporate Risk Solutions, Inc. (CRSI), a wholly-owned subsidiary and premier security consulting firm of Corporate Enterprise Security, Inc., is pleased to announce the addition of Mr. Michael S. Taylor as a Security/Compliance Analyst to its team of dedicated NERC (693 and 706) Compliance and security consulting experts. Mr. Taylor will assist in the growth and continued success of CRSI’s Managed Services Support (MSS) offerings.

“Michael’s experience in infrastructure security design reviews and various aspects of a security program will prove invaluable to our MSS and compliance programs,” says Susan Tibbs, Security Consultant, Managed Services Support Section, of the addition to CRSI’s team.

As a Security/Compliance Analyst, Mr. Taylor will work with senior consultants to develop policies and procedures for physical, information, and operations security, assist in the review of threat and vulnerability assessments and risk management tools, as well as mock audits, inspections, and compliance evaluations. Mr. Taylor comments, “I am excited and honored to be a part of the CRSI team. I look forward to the challenges and opportunities ahead of me, and feel my military experience and background in security has prepared me to provide exceptional services to our clients.”
 
Mr. Taylor has over 23 years’ experience working in multiple security disciplines while serving in the United States Army Military Police Corps. He started as a Physical Security Compliance Inspector and continued his professional training and development, eventually working as a Security Program Manager for Army installations and facilities in North Carolina, Texas, Kansas, South Korea, Germany, and Iraq. Mr. Taylor also served as the Antiterrorism and Force Protection Officer and Emergency Response Coordinator at military bases in Landstuhl and Bamberg, Germany, and in support of military contingency operations in Iraq. His specialties included Threat and Vulnerability Assessments, Risk Analysis and Mitigation, Compliance Inspections, Physical and Electronic Security Systems design, Police Intelligence Operations, and developing plans, policies, procedures, and training packages for security programs aimed at protecting information, personnel, facilities, and critical assets.

CRSI is a wholly-owned subsidiary security consulting firm of Corporate Enterprise Security, Inc.  CRSI specializes in NERC operational and CIP Compliance (693 and 706), as well as cyber and physical security solutions to the energy and government sectors. CRSI has provided consulting services to more than 100 electric utilities across all eight (8) NERC regions and is also under contract by NERC Regional Entities for Audit Support. For more information, contact: Trisha Breckenridge, Marketing Associate, 913-422-0410. Email: info@corpenterprisesec.com.

Thursday, March 1, 2012

The "Smarter" the Smart Grid, the Greater Potential for Security Issues

Cyber Security Solutions Must Be at the Development Stage Rather Than a Retrofit
[Chart: Smart Grid Cyber Security Drivers]
Sometimes called the world’s largest interconnected machine, the electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change that will unfold over a number of years. As the grid is modernized, it will become highly automated, leverage information technology more fully, and become more capable in managing energy from a variety of distributed sources. However, in this process of becoming increasingly “smarter,” the grid will expand to contain more interconnections that may become portals for intrusions, error-caused disruptions, malicious attacks, and other threats.

The convergence of the information and communication infrastructure with the electric power grid introduces new security and privacy-related challenges. The introduction of these technologies to the electric sector also presents opportunities to increase the reliability of the power system, to make it more capable and more resilient to withstand attacks, equipment failures, human errors, natural disasters, and other threats. These greatly improved monitoring and control capabilities must include cyber security solutions in the development process rather than as a retrofit.

Potential cyber security issues for the smart grid are numerous. The "Smart Grid Cyber Security Drivers" chart outlines certain drivers of increased attack surface and increased risk to operations.
Potential cyber security issues for the smart grid include:
  • Increasing complexity that could introduce vulnerabilities and increase exposure to potential attackers;
  • Without proper planning, a natural or man-made event could disable the communications infrastructure, rendering the smart grid ineffective at coping with an emergency situation;
  • A cyber intruder could compromise electricity use data and send false information to the utility and either lower or increase the billing, depending upon the motivation;
  • Linked networks can introduce common vulnerabilities;
  • Increasing vulnerabilities to communication disruptions and introduction of malicious software that could result in denial of service or compromise the integrity of software and systems;
  • Increased number of entry points and paths for potential adversaries to exploit;
  • Potential for compromise of data confidentiality, including the breach of customer privacy; and
  • Compromise of the automated device/service control functionality of the Smart Grid devices, in such a way that significantly disrupts, impairs, or destroys the self-sensing and monitoring, self-adaptive, self-healing electricity generation, transmission, and distribution infrastructure.
The first and possibly most important recommendation for “securing the smart grid” is in the mindset: cyber security must be viewed as a critical element of the Smart Grid deployment. It is then important to apply a “defense in depth” concept, isolating and segregating systems and applications and then allowing selected connectivity. These concepts are best accomplished at the foundational/design level. Once the mindset and strategy are set, it is crucial to keep in mind the “you can’t manage what you can’t measure” philosophy and establish a security management system.

You are not alone. Remember to involve your vendors and interconnected partners throughout the process, and embed it into your corporate governance systems. And finally, you never want to commit to a project without developing and tracking a business case. It is important to do this on a project-by-project basis and as an integrated system. This will be life-saving when it comes to evaluating and repeating the process.

For the full “Securing the Smart Grid” presentation, and more information on cyber security practices and solutions, contact Trisha Breckenridge at tbreckenridge@corprisk.net.