By Gregory Hale
Todd Mortensen II used to be an IT professional, but not any more.
At least that is what his bosses told him while he was learning the job as a senior network specialist at PNM’s coal-fired San Juan Generating Station in New Mexico.
That learning process was the subject of his talk, “Lessons Learned when Compliance, Cyber Security and a Control System Mix,” at the Foxboro & Triconex Global Client Conference ’13 in San Antonio, TX last week.
“You can hire IT people. It is all right, we don’t bite,” Mortensen said. “We understand controls much better. You just need to make sure they get the right training. I was an IT guy, but I am told I am not IT any more.”
PNM, New Mexico’s largest electricity provider, serves 498,700 electricity customers statewide and also sells electricity on the wholesale market.
As part of meeting compliance rules and maintaining a secure platform, Mortensen described some of what the company is working with:
• A multiple Mesh unit, with Mesh Secure upgraded from 8.4.3 to 8.7
• NERC CIP v3 compliance, with preparation for v5 under way
• Individual operating accounts
• Event monitoring
• Whitelisting and malware prevention software
• Off-the-shelf thin clients
• McAfee ePO
• Patching programs
• Information Protection Procedures (IPP) for USB drives
When dealing with compliance issues, Mortensen said he worked with his supplier, which offered some helpful resources, among them its documentation site and a security enhancement guide. Secure products were necessary, but they also needed a plan.
“Secure products will not make you compliant,” said Doug Clifton, director of Critical Infrastructure and Security Practice (CISP) at Invensys. “There are other things that you have to do.”
“Cyber security regulations will not go away,” Mortensen said. “Whenever you do cyber security you will need a lot of time, money and resources.” In addition, he said, “you will need backing from the executive level all the way to the back line.”
Executive backing helps, but plants often have little in-house experience in working with the standards, so Mortensen said there is no need to work in a vacuum.
“You can always use outside firms that have the experience working with these standards,” he said. “You need to be ahead of the game.”
One of the keys, though, is to train these outside contractors in how your company works and handles its various issues, because in the end, “you are responsible for your compliance and your cyber security.”
Here are some tips Mortensen suggested when working with contractors:
• Ensure you lead
• Have people who can review their own work and confirm it is done correctly
• Check that they have experience with the standards and rules you have to comply with
• Ensure they have experience securing systems like yours
Mortensen said NERC CIP compliance forced his company to establish a secure environment.
“Compliance can be a stepping stone to security, but it is not security,” he said.