By Gregory Hale
A major North American utility needed to comply with NERC CIP security requirements. The problem: the organization had about a month to meet the requirements or it could face a huge fine.
Officials sent out a call for help on August 31 and had to be compliant by Oct. 1. This is a story about how the utility was able to quickly implement cybersecurity to meet its last-minute compliance date.
“Companies implement cybersecurity because either you have made news or the government makes you do it,” said Jeff Foley, business development manager at Siemens during a Tuesday session at the Siemens Automation Summit 2019 in Aurora, CO. “Security has been an afterthought, but NERC CIP regulations were coming into effect. They needed to know what was happening on the network.”
To ensure compliance, the utility had to address CIP-007-6 Requirement 3.1, which requires operators of Bulk Electric Systems to have a system in place to process and address the wide variety of possible vulnerabilities for the equipment capable of malware and evolving threats.
“Called us up on Friday, August 31 and we need to get it done by Oct. 1,” Foley said. If they did not, he added, they could face a fine of $1 million per day per incident.
Before jumping into finding the solution for the utility’s problem, they had to understand what they were looking for and what they had to do.
“Cybersecurity is not a box, it is not a product,” said Jeremy Bryant, vice president of sales and product business development for the RuggedCom portfolio. “Cybersecurity measures are a compilation of people, training, process and solutions that together make up a cyber program to protect a computer or systems against a vulnerability or an attack.”
“We compare security to safety,” Bryant added. “It is an endless circle, you have to understand where you are, risk mitigation, you have to manage the system. It is a continuous process, the environment changes, the risk changes.”
Bryant added they had to look either at an intrusion detection system (IDS) or an intrusion prevention system (IPS).
An IDS is a device or application that analyzes whole packets, both header and payload, looking for events. When an event is detected, a log message is generated detailing the event.
An IPS is a device or application that analyzes whole packets, both header and payload, looking for events. When a known event is detected, the packet is rejected.
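The difference between the two definitions above comes down to what happens to the packet after the same inspection. The following is an added example, not code from the article or from Siemens, and it uses a simple fixed rule rather than the anomaly-based detection the utility deployed. The Modbus/TCP rule, the IP addresses, the allow-list and the sample frames are all constructed assumptions.

```python
import socket
import struct

MODBUS_PORT = 502
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}   # Modbus write function codes
ALLOWED_WRITERS = {"10.1.0.5"}           # assumed engineering workstation

def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP packet for the demo (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

def parse(pkt):
    """Return header fields and payload, or None if not a usable IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "payload": pkt[ihl + doff:]}

def detect(p):
    """Event: Modbus write (payload) to port 502 from an unlisted source (header)."""
    pl = p["payload"]
    if (p["dport"] == MODBUS_PORT and len(pl) >= 8 and pl[7] in WRITE_FUNCS
            and p["src"] not in ALLOWED_WRITERS):
        return f"modbus write fc=0x{pl[7]:02x} {p['src']} -> {p['dst']}"
    return None

def inspect(pkt, mode):
    """mode 'ids': log the event and forward. mode 'ips': reject the packet."""
    p = parse(pkt)
    event = detect(p) if p else None
    if event is None:
        return {"forward": True, "log": None}
    if mode == "ips":
        return {"forward": False, "log": "DROP " + event}  # logging the drop is this sketch's choice
    return {"forward": True, "log": "ALERT " + event}

# Constructed Modbus/TCP frames: MBAP header (7 bytes) + function code + data
WRITE = bytes.fromhex("000100000006" "01" "06" "00010003")
READ = bytes.fromhex("000200000006" "01" "03" "00000002")
```

In IDS mode the flagged write still reaches the controller and only a log entry is produced, while in IPS mode the same detection removes the packet from the wire.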
As soon as Siemens got the call on Friday, Oct. 31, they went into action. The following is a timeline to a completed solution:
Saturday and Sunday, Sept. 1-2 – Worked through the weekend to spec, design and document an anomaly-based IDS system designed for the OT market to meet customer requirements.
Monday, Sept. 3 – Presented proposed solution to the customer.
Tuesday-Friday, Sept. 4-7 – Had daily conference calls with the customer, along with all of the key stakeholders; finalized design and solution.
Sept. 10-14 – Customer had to get approvals and get Siemens a purchase order. Siemens placed advance orders for systems.
Sept. 17-21 – Set up logistics, assigned resources, and got necessary training for customers.
Sept. 24-28 – Installed and commissioned IDS live in four locations.
Oct. 2 – Got an email saying NERC CIP compliance was achieved; they were done.
“They were able to put in an IDS and they did not get fined,” Foley said.