Muscle to Protect Your Grid July Sustainable and Cost-effective Muscle to Protect Your Grid

Transcription

1 July 2009 Sustainable and Cost-effective Muscle to Protect Your Grid

2 Page 2 Ensuring the reliability of the North American power grid is no small task and one that continues to grow in complexity on a daily basis. The mix of aging infrastructure, migration from analog to digital technology, low levels of automation at critical substations, along with disjointed processes, systems and controls all serve to make the threat of major power outages very real. There is also the ongoing challenge of either operator error or deliberate sabotage. In fact, in 2006, the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by the North American Electric Reliability Corporation (NERC) to ensure that the bulk electric system in North America is reliable, adequate and secure. Among these standards are the nine Critical Infrastructure Protection (CIP) security standards for the protection of cyber and physical assets. For example, CIP Standard 001 requires suspected or confirmed incidents of sabotage to be reported to the necessary entities. The nine standards comprise a framework for protection of critical cyber assets and the reliability of the bulk electric system. These standards require organizations to have clearly defined and regularly tested controls in place with enough muscle to be able to demonstrate the consistent and timely practice of preventative measures as well as prompt detection, termination and reporting of violations. Phased Implementation Timeline The timeline for the implementation of the NERC sponsored CIP Standards follows a phased approach that is being rolled out based on the critical nature of each entity to the national grid. Entities defined as Responsible Entities by NERC (Functional Model entities) were required to have completed Phase I by mid 2008 while the remaining Multiple Functional Model entities have until June 2009 or 2010 before they must comply. Phase I : Begin Work Approved plans, identified and secured resources and initiated implementation. Phase II: Substantially Compliant Substantial progress in implementation met.

3 Page 3 Phase III: Compliant Controls are in place and meeting the full intent of the requirements as well as beginning to maintain required audit documentation, logs and records. Phase IV: Auditably Compliant Must be able to demonstrate to an external auditor that the full intent of the requirements are being met, including being able to provide a minimum of 12 months of audit artifacts. It is important to keep in mind that regardless of whether or not an organization has reached the date for a regular NERC audit, all entities are still expected to notify NERC if there is a compliance breach and are still subject to daily fines from the date of the incident if a breach is discovered. The first audits were conducted in 2008 and covered 350 power organizations. Of that, slightly over 10 percent were actually cited for compliance issues and only two were ultimately fined for a total of $255,000, well below the maximum of $1 million per incident, per day. It is believed by many experts who keep a close watch on the industry that NERC is taking the tact of warning utilities in this first round of audits in order to give them a chance to take corrective actions before levying the higher fines for non-compliance. Meeting NERC Compliance Requirements Securing and controlling access to the nationwide bulk electric system is nothing new to utilities. Processes established for security measures (e.g., preventing vandalizing of substations, unauthorized building access or network access through unsecured laptops) is something that has been in place for many years. Often these processes have been managed through paper-based manual processes with inherent vulnerabilities in keeping them up-to-date with organizational changes, managing remote facilities and ensuring timely and consistent action. In addition, with the change from analog to digital networks, there will be new opportunities to hack the system digitally.

4 Page 4 Once organizations started becoming compliant with CIP Standards, many were surprised by the thoroughness of the new regulations. For example: All physical and electronic access points must be accounted for, locked down, verified and monitored on an ongoing basis Personnel screening exceptions need to be fully documented and signed off by several senior executives Exception handling must be dealt with by applying a consistent process All activity needs to be documented, consistently handled, timely and proved during an audit Yet, even though there is a great deal of risk mitigation required to be in place, the how or the who is not specified and is left up to each entity to develop based on their individual utility environments. What ensued could be likened to a race to develop armies of binders with documented processes to prove compliance with current standards along with the strategy to automate the compliance processes in later budget cycles. This gave many organizations a false sense of security that they were farther along in the compliance phases than they actually were; it didn t take long before forms and processes documenting specific tasks by specific personnel became obsolete. It became clear that to keep the required information current, processes needed to be put in place that didn t require humans to remember to make appropriate updates as personnel changed and the configuration of the assets changed. Today, similar to initial attempts at Sarbanes-Oxley compliance, many organizations are involved in resource-intensive documentation drills, often captured and reported through legions of spreadsheets. While this approach is not surprising, and actually serves to help start identifying and formalizing processes and reporting, it must be followed by the implementation of a sustainable and cost-effective compliance program so that the rest of the utility operations do not suffer and ultimately expose the very grid the work is trying to protect.

5 Page 5 Moving Toward Sustainable and Cost-effective Compliance While cobbling together processes and running manual reporting fire drills have served to jump start individual utility NERC compliance based on CIP Standards, it is probably unrealistic to expect that this activity will provide the type of safeguarding muscle that FERC has mandated. For many, a next step of patching together existing legacy systems and creating new applications for compliance reporting will prove too costly, take too long and create its own set of vulnerabilities. Cost-effective implementation of CIP Standards must be sustainable and scalable to accommodate organizational changes, while being reusable for other needs of the utility. New compliance investments should reduce labor costs, improve the consistency and predictability of the process, and eliminate expensive, last-minute surprises. Key elements of a strong, sustainable and cost-effective NERC CIP Standards compliance program include: Centrally managed audit data and documentation o Reuse of data and a reduction in duplicative testing o Version control o Consistent application of NERC mandated records o Reduce the time and effort to prepare for audit actions o Reduce the potential for audit fines Workflow capability o Specific actions will trigger consistent process handling o Process bottlenecks will become visible and allow corrective action o Reduce the potential for audit fines Scheduling capability o Recurring events are automatically initiated o Reduce the potential for audit fines Auditing capability with reporting filters o Centralized capture and reporting of actions taken, personnel involved and timeliness of activity o Filters turn overwhelming data into focused information o Reduce the time and effort to prepare for audit actions o Reduce the potential for audit fines

6 Page 6 Senior management visibility o Meet NERC mandate for senior management to actively foster a strong compliance ethic o Mitigate impact of negative public perception from non-compliant operations o Reduce the potential for audit fines Controls mapped against governance directives that include regulatory documents, industry best practices and corporate policies o Rationalize the control program across different regulatory standards o Reuse of work across all compliance programs CGI CIP Framework for NERC Compliance The CGI Critical Infrastructure Protection Framework for NERC Compliance, built on the IBM Enterprise Content Management suite of products, helps energy utilities comply with standards and protocols established by NERC. This solution provides an enterprise framework to meet requirements for managing, tracking and monitoring NERC-related compliance. CGI s CIP Framework for NERC Compliance architecture consists of: An expandable suite of NERC compliant products all accessible from within a single, browser-based solution Preconfigured interfaces for all users Flexible workflows, queues, decisioning screens, and system interfaces that are simple to modify and maintain Tight security model controls access to screens, work items, and documents to protect confidential data CGI s CIP Framework for NERC Compliance captures data relative to each NERC process and stores it in a central, consolidated location. Each business process is designed to meet NERC compliance requirements and lessen the work burden on employees. In addition, the system helps adhere to the defined processes each and every time the process is executed. As a result, at any point in time, energy utilities can access data related to NERC compliance and produce an audit trail of any captured NERC-related event.

7 Page 7 The following chart demonstrates how the CGI CIP Framework for NERC Compliance can help utilities address challenging NERC CIP compliance pain points in a sustainable and cost-effective manner. CIP Standard Topic Typical NERC CIP Standards Compliance Pain Points CGI CIP Framework for NERC Compliance Addresses by CIP Sabotage Reporting Recording sabotage events Procedure for communicating sabotage events Sabotage event recording process automation Automatically communicates sabotage events to necessary parties Providing up-to-date event reporting CIP Critical Cyber Asset Identification Identification of critical cyber assets Annual reviews using risk-based methodology CIP Security Management Controls Documentation of access control levels for critical assets Documentation of incident handling process Documentation of consistent incident handling Documentation of consistent monitoring and logging Audit trail of policy change management flowing throughout compliance process Incident handling process automation Consistent, repeatable, and auditable documentation processes CIP Personnel and Training Documentation of personnel screening Documentation of approved background check exceptions Scheduling planned training Documentation of course completion Exception handling process automation CIP Electronic Security Protection Documentation demonstrating that all critical cyber assets are contained within Electronic Security Perimeter (ESP) and access control process Documentation of perimeter access monitoring and logging 24x7 Schedule and document annual vulnerability assessment Schedule and document assessment and shut-down of non-active ports and services Audit trail of network changes flowing throughout compliance process retention policies Incident handling process automation (continued)

8 Page 8 CIP Standard Topic Typical NERC CIP Standards Compliance Pain Points CGI CIP Framework for NERC Compliance Addresses by CIP Physical Security Program Identification and documentation of critical assets used for physical security Documentation of perimeter access monitoring and logging 24x7 Documentation of incident handling process Documentation of timely, consistent incident handling Audit trail of any perimeter access changes flowing throughout compliance process Incident handling process automation CIP Systems Security Management Documentation and demonstration of control processes for securing Critical Cyber Assets and non-critical Cyber Assets within the Electronic Security Perimeter (ESP) including: - Testing of security impact of changes to Cyber Assets - Required ports and services are operational - Security patch management program operational - Authentication of User activity - Security Status Monitoring Documentation of perimeter access monitoring and logging 24x7 Alerts automatically sent to key personnel Schedule and document annual vulnerability assessment CIP Incident Response and Reporting Documentation of incident handling process All cyber security incidents addressed by an internal computer incident response team (CIRT) All cyber security incidents are reported to the Electricity Sector Information Sharing and Analysis Center (ES ISAC) retention policies Role-based process management Incident handling process automation CIP Disaster Recovery Documentation of plan Scheduling of annual drill Audit trail of updates being made to keep plan current

9 Page 9 To highlight what CGI s CIP Framework for NERC Compliance, based on the IBM ECM suite of products, offers beyond NERC Compliance point solutions and your in-house legacy systems, please see the chart below. NERC CIP Compliance Feature CGI CIP Framework for NERC Compliance with IBM ECM Typical NERC Compliance Point Solution Typical Legacy Systems/Manual Processes Enables compliance with all CIP Standards Centralized document management with version control Consistent, repeatable, and auditable documentation processes Audit trail capture and reporting with user-based filters Incident handling process automation Exception handling process automation Automatic scheduling of assessments Sabotage event recording process automation Automatically communicates sabotage events to necessary parties Providing up-to-date event reporting Role-based process management Automated records management and retention program To learn more on how you can empower your organization with a sustainable and cost-effective muscle to protect your grid, please contact: Don Chamberlin CGI, Inc. Ph: (703) don.chamberlin@cgi.com

10 About CGI Founded in 1976, CGI Group Inc. is one of the largest independent information technology and business process services firms in the world. CGI and its affiliated companies employ approximately 25,500 professionals in over 100 offices across 16 countries. CGI provides end-to-end IT and business process services to clients worldwide from offices in Canada, the United States, Europe, Asia Pacific as well as from centers of excellence in North America, Europe and India. CGI s annual revenue run rate stands at $3.8 billion and at March 31, 2009, CGI s order backlog was $12.0 billion. CGI shares are listed on the TSX (GIB.A) and the NYSE (GIB) and are included in the S&P/TSX Composite Index as well as the S&P/TSX Capped Information Technology and MidCap Indices. Website: Copyright IBM Corporation 2009 IBM Corporation 3565 Harbor Boulevard Costa Mesa, CA USA Printed in the USA All Rights Reserved. A current list of IBM trademarks is available on the Web at Copyright and trademark information at ibm.com/ legal/copytrade.shtml About IBM ECM IBM s Enterprise Content Management software enables the world s top companies to make better decisions, faster. As a market leader in content, process and compliance software, IBM ECM delivers a broad set of mission-critical solutions that help solve today s most difficult business challenges: managing unstructured content, optimizing business processes and helping satisfy complex compliance requirements through an integrated information infrastructure. More than 13,000 global companies, organizations and governments rely on IBM ECM to improve performance and remain competitive through innovation. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided as is without warranty of any kind, express or implied. In addition, this information is based on IBM s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software. Each IBM customer is responsible for ensuring its own compliance with legal requirements. It is the customer s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.