Posted by: David Schneier
CIP, FERC cyber security, NERC, PCI, Regulatory Compliance
Through an odd turn of events over the past few months I’ve found myself actively engaged with a group that’s focusing quite a bit of effort on NERC CIP. For those of you not in the know, NERC (North American Electric Reliability Corporation) is to the energy sector what PCI is to the credit card industry and CIP (Critical Infrastructure Protection), like the PCI-DSS, is a set of controls that need to be complied with. My involvement came by way of a relationship I established earlier this year with a security firm that takes a really innovative and interesting approach to helping clients identify risks and vulnerabilities. The firm reached out to me because I have this soapbox and was looking for exposure. In the time since I’ve not only continued the conversation but have become part of group of security and compliance thought leaders that the company’s compiled to help further refine and focus their vision. As luck would have it, I happen to be actively engaged with a client that’s in the energy sector (I was brought in because of my SOX and PCI genius) and so here I am with my worlds converging on me….. again. As such I’ve been thinking about NERC CIP quite a bit these days despite typically hanging around banks and credit unions.
So why am I bothering to bring this up? I mean, this site is focused on the financial world not energy. And it’s not like there’s ever any shortage of things to discuss with regards to security, compliance and the financial verticals.
Because NERC CIP may prove to be the standard that ultimately becomes the framework used by President Obama’s administration as a baseline for national cybersecurity measures. It’s already federally mandated, courtesy of the Federal Energy Regulatory Commission (FERC) which oversees NERC, it’s high-level enough to work across business verticals (though it would need a reasonably thorough rewrite for which I hereby volunteer to help with), and has already been validated as strong enough to be used to make sure the electric grid is not needlessly exposed. And at this point in the evolution of information security and regulatory compliance, I doubt there’s a need for yet another new framework. So I’m putting it out there right now that I’m betting money that the soon-to-be-announced cyber security czar will eventually find his/her way to NERC CIP and recognize it as a viable baseline.
Here’s the view from up-high:
- CIP-001-1 Sabotage Reporting
- CIP-002-1 Critical Cyber Asset Identification
- CIP-003-1 Security Management Controls
- CIP-004-1 Personnel and Training
- CIP-005-1 Electronic Security Protection
- CIP-006-1 Physical Security Program
- CIP-007-1 Systems Security Management
- CIP-008-1 Incident Response and Reporting
- CIP-009-1 Disaster Recovery
You have to admit, it’s straightforward and pretty much covers what’s needed. And yes, I know, there’s way more detail to be found underneath the section headings but let’s keep it simple for the purposes of this post. What else would you want to include for a federally mandated cybersecurity framework?
As for why this seemed like a good topic for this particular forum, it’s really quite simple: Something like NERC CIP is coming soon to every business vertical and not just those within shouting distance of the financial industry. And it will potentially be here before anyone can even say “Happy New Year’s” again. While most of those in the banking sector are already accustomed to such requirements almost everyone else isn’t. With PCI having been a shocker, I can only imagine how this is going to play out. I’m just using my digital pulpit to try and jolt people into thinking about what’s rolling down the regulatory highway towards them so that when the headlights are upon them they’ll maybe be just a little bit prepared.
As an aside regarding President Obama’s press conference last week discussing the cybersecurity 10-point plan, the only truly great thing to come out of it was the fact that it pushed information security to the front pages for the day. Professionally speaking, I thought it lacked any real bite and while I know these things take time I was expecting that there would at least be dates and names aligned against the bullet points to set expectation and assign responsibility. Considering that the plan was based on a report generated by some pretty sharp minds who were likely ready to begin rolling weeks (if not months) ago I was less than thrilled.