Can CIP Compliance Stymie a Cyber Attack?
In the wake of the destruction caused by Hurricane Sandy, it's not difficult to imagine the damage that's possible when the power grid is disrupted. But natural disasters aren't the only threats looming over the electrical grid. According to the National Academy of Sciences (NAS), a cyber attack on the US power grid could be more destructive than superstorm Sandy, costing not only hundreds of billions of dollars, but also thousands of lives.
In response to this threat, the North American Electric Reliability Corporation (NERC) has increased regulatory requirements in Critical Infrastructure Protection (CIP). But with cyber security standards rapidly evolving, maintaining compliance and protecting systems from cyber attacks becomes increasingly problematic, especially as utilities face more sophisticated and more numerous offensives. In a recent interview with marcus evans, John D. Rhea, Compliance Officer and Attorney for OGE Energy, shared his personal perspective on meeting CIP standards.
While Rhea provided a strategy for meeting NERC CIP standards (namely standardizing documentation and assigning individuals to each facet of compliance), his most exhaustive point dealt with the relationship between CIP compliance and actual cyber security. “In order for a utility to meet its responsibilities in each realm, its compliance and security groups must work hand in hand,” said Rhea. “Most of the NERC CIP standards are rightfully focused on prevention, but as the Stuxnet virus showed, preventing the attack is not always possible. Since it is not always possible or affordable to eliminate every threat, the quick detection of a successful penetration and the immediate elimination of the threat is at least as important.”
As for the future of CIP (extending beyond version 5), Rhea believes the goal lies in customization rather than a one-size-fits-all set of rules. This should allow the focus to fall on resolving vulnerabilities unique to each utility.
Perhaps future versions will bridge the gap between compliance and genuine security, helping the US to stymie the sort of attack the NAS warned of.
Full story at marcus evans