Coalfire Systems - Public Utilities

IT audit and compliance solutions

designed for public utilities.

The electric utility industry joined financial services, healthcare and government in establishing comprehensive information technology or cyber asset protection requirements. In June 2006, the North American Electric Reliability Corporation (NERC) formally adopted a set of Critical Infrastructure Protection (CIP) standards that became effective in 2007. However, the majority of standards were not required to be validated until 2009.

The new standards have been given the force of law by the Federal Energy Regulatory Commission (FERC). All owners and operators in the bulk electric generation and distribution industry must comply with the rigorous new standards. Failure to comply with these standards could result in fines and penalties of $1 million per day. In addition, many electric utilities are also required to comply with COBIT, ISO and SOX.

NERC CIP Compliance Solutions

The criteria for measuring effective control operation significantly raise the bar for internal audits previously established with the Sarbanes Oxley (SOX) regulations. It is anticipated that many organizations will identify gaps in compliance at the start of this process and remediation may require months, if not years, to close gaps. With "audibility" of compliance required by December 31, 2010, some electric utility organizations are already finding that they are operating on compressed schedules to complete compliance gap closure.

By providing proven processes, existing document templates and an online portal for information distribution and compliance management, Coalfire is helping a wide range of energy providers accelerate compliance program implementation and greatly reducing risk of control failure or compliance deficiency fines.

The CIP standards include eight (8) critical controls:

Critical Cyber Assets: Requires a responsible entity to identify its critical assets and critical cyber assets using a risk-based assessment methodology.
Security Management Controls: Requires a responsible entity to develop and implement security management controls to protect critical cyber assets.
Personnel and Training: Requires personnel with access to critical cyber assets to have identity verification and a criminal background check. It also requires employee training.
Electronic Security: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology.
Physical Security: Requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter.
Systems Security Management: Requires a responsible entity to define methods, processes and procedures for securing the systems identified as critical cyber assets, as well as the non-critical cyber assets within an electronic security perimeter.
Incident Reporting and Response Planning: Requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets.
Recovery Plans: Requires the establishment of recovery plans for critical cyber assets using established business continuity and disaster recovery techniques and practices.

Resources

>Rapid CIP Brochure

>IT Security Planning

>NERC web site

>FERC web site

>AWWA Journal article

>View archived webinars

>Application Penetration Testing Brochure

>Network Penetration Testing Brochure

IT audit and compliance solutions

designed for public utilities.

NERC CIP Compliance Solutions

Cyber Security Solutions