Cybersecurity is now a must for the grid, II

Many, if not most, electric plants have turned to consultants and vendors to keep up on North American Electric Reliability Corp. (NERC) developments, standards, and compliance requirements. Many vendors and consultants have been involved in the development of NERC programs and industry security standards. “End-users are looking for guidance from us,” says Paul Forney, system architect at Wonderware, an automation software supplier in Lake Forest, California. “The security of a system relies heavily on the system’s deployment. We can make secure software, but we have no control on how it’s deployed in the field. If we’re involved, we can educate people about cyber security.”

AutomationWorld’s Rob Spiegel writes that vendors often take a role in cyber security implementation because it is not enough to build security into the system’s components. If security is not implemented at the plant itself, the vendor cannot ensure that the system is secure. “As a control supplier, we look at what is required for compliance,” says Ernest Rakaczky, principal security architect at Invensys Process Systems, in Plano, Texas. “We look at any of the requirements that affect the control product and we put together a major program. We try to position our product so it supports all the compliance requirements.”

When it comes to security, the IT department has deep experience. IT, however, is accustomed to applying security patches at night when the office workers are gone. It does not matter if a desktop is shut down and restarted at night. Uptime is the high value for the plant control system. You can not arbitrarily shut it down to implement a patch. Yet the IT department typically does not want to leave security entirely to control engineers who may not be familiar with security systems. “I’ve heard horror stories where IT says they’re going to do everything with security,” says Eric Casteel, manager of security, SCADA and renewable energy development at Emerson Process Management. “The problem is, they have conflicting objectives. In IT, confidentiality is big. With control, it’s availability.”

At many plants, a compromise is worked out by which control and IT join as a team for implementing security. Often, plants bring in a consultant who is familiar with NERC and safety standards. “Some plants are bringing in a consultant to work with control, and bridge the gap with IT,” says Casteel. “Where it’s been most successful is where control still has the responsibility for security, but they work closely with IT.”

Stay on top
Cyber security is not a program that can be turned on and left alone. Much like the security on your personal computer, the plant security systems become obsolete as soon as a new worm hits the street. So cyber security becomes an ongoing program rather than a simple installation. “You have to keep up with the underbelly of the Internet-that includes technical tools and attack methodologies,” says Doug Wylie, Mayfield, Ohio-based business manager, networks, for automation vendor Rockwell Automation Inc. “You’re only one 14-year-old kid away from the system crumbling, if you’re not paying attention.”

Cyber security has become a permanent part of running an electric plant. Connectivity to the outside world is inevitable. The Smart Grid requires shared information across multiple plants and multiple offices. NERC programs and audits are compelling electric plants to demonstrate their ability to withstand cyber attacks. To cope with all of this, plants are bringing together the expertise of consultants, vendors, and their IT departments to ensure that they are well protected.