Last week at the ARC Forum, James Goosby of Southern Company presented a case study on how Southern is approaching NERC CIP compliance with their Control System Integrity, or “CSI,” initiative. Southern, like all power companies in the US and Canada, faces a looming deadline of April 2016 for NERC CIP Version 5 compliance. Their CSI initiative automates compliance for control systems by:
- Using configuration management processes to identify and maintain a comprehensive inventory of control assets,
- Managing change to configurations and policies,
- And finally, having a reliable, recent backup available in case something bad happens.
So, what were the primary takeaways for the power companies in the audience?
Be proactive. Southern is a progressive company that has focused more on adopting sound security practices and technologies than on anticipating and reacting to regulatory requirements. Because their focus has been on doing what makes sense for Southern, they have been able to simply focus on filling any gaps that might occur as new regulatory requirements manifest.
Before you can manage it, you have to know what is there. As the saying goes, “You can’t manage what you can’t measure.” One of Southern’s biggest hurdles was the diversity of systems they have across their fleet, or even in the same plant. Goosby joked that when a vendor is selling them something, the fact is that Southern likely already has one of it somewhere in their fleet. Understanding what you have, being able to detect unauthorized changes, and identifying potential vulnerabilities give Southern a valuable defense in today’s cyber war.
Transform data into useful information. It’s not enough to collect and archive plant automation data. You must then transform that data into compliance information to document, support, and manage security processes and compliance requirements. This is where technology comes into play. Southern has adopted the PAS Cyber Integrity technology not only to tackle specific regulatory compliance requirements but, more importantly, to provide plant operators with critical data for asset inventory, management of change, and backup and recovery. Are you prepared for the day your COO calls you after hearing about a specific vulnerability on a certain vendor’s device and asks what your exposure may be?
Pick a technology that addresses the heterogeneous control asset environment. Not surprisingly, many of the questions from the audience were focused on addressing configuration management for a heterogeneous control asset environment. It is an important consideration when evaluating technologies.
What challenges are you facing around NERC CIP compliance? With the April 2016 deadline approaching, is NERC CIP Version 5 compliance a key initiative for your organization?