Are The NERC Requirements Strong Enough To Protect The Power Grid?
The NERC requirements might help the people at NERC and the regions get a better night’s sleep, but a sound action plan, including situational awareness, is the only true way to get there — and ensure greater cybersecurity for all.
With so much at stake, NERC is faced with a daunting challenge of locking down the nation’s cyber infrastructure as it pertains to the power grid. NERC has forced registered entities to establish programs for securing their Critical Assets and Critical Cyber Assets that includes dedicated management, oversight, accountability of corporate officers, processes for securing IT systems, and mechanisms for measuring progress.
Of course, just meeting NERC requirements doesn’t mean a registered entity is secure. NERC should recognize its shortcomings and pass a measure that will, among other things, strengthen the role of an industry recognized leader like the National Institute of Standards and Technology in shaping cybersecurity requirements.
So, why is cybersecurity such a challenge? That’s a loaded question because today’s information infrastructure is a quandary. Some of the issues are:
Advanced Persistent Threat
Cyber criminals have become more sophisticated, outpacing defensive measures. Hackers constantly exploit weaknesses in popular products and create new techniques using viruses, rogue antivirus software, keystroke loggers, botnets, and other tools, for immediate targets or time-triggered actions.
Registered entities have completely changed the way they communicate, interact and accomplish their missions. They’re sharing information in new, amazing and sometimes scary ways—from portals (regional scale for the most part) to social networking websites like LinkedIn. They’re even bringing trusted third parties into the fold. And their flexible IT model is establishing technology options that could present more risks, such as mobility and cloud computing.
All of this is extending NERC’s reach into the critical infrastructure. Yet, 95% of that infrastructure is in the hands of the private sector. Risk to that infrastructure, information assets and private data is rampant with potentially deep and catastrophic consequences. The fact is, registered entities are giving more and more access to data and applications, a concept that runs counter to most security type of thinking. Traditional network security that relies on reactive measures simply isn’t enough.
Pay Closer Attention To Applications
Whether off-the-shelf or home-grown, most applications are not engineered with security in mind, so you need to ensure trusted development processes to maintain their integrity. Today, that means adhering to requirements set-forth by the NERC requirements. Trusted delivery is also critical — especially with innovations like cloud computing. Protecting the perimeter around applications is not a sufficient defense and you must extend security to the application layer. In every case, you need to be able to measure an application’s ability to process and handle sensitive information throughout its deployment lifecycle.
James Holler is founder of Abidance Consulting.