NERC reports CIP-007 is most violated enforceable standard
SUBNET Solutions Inc | Wednesday, May 30, 2012
With the implementation of the smart grid comes the ability to remotely access intelligent electronic devices (IEDs) stationed across a wide enterprise, enabling utilities to operate more efficiently and gather more data about their operations.
However, as remote access has become more prevalent, it has also given rise to a higher number of exploitable vulnerabilities, which could put America's critical infrastructure in jeopardy. Cyber security improvements have become crucial for all utilities with operations in the smart grid, and to ensure companies do their part to maintain a secure network, the North American Electric Reliability Corporation (NERC) developed several standards that come with stiff fines if violated.
NERC recently released its Key Compliance Trends report, which details the total number of violations, and which standards were adhered to the least. The report found that of the top 12 enforceable standards, the most actively violated standard between April 1, 2011, and March 30, 2012, was CIP-007, and by a huge margin.
CIP-007, which requires companies to define methods, processes and procedures for securing critical cyber assets, was developed in conjunction with a group of standards that require reliability coordinators and other utility officials to appropriately secure their network. In the studied period, there were 419 violations of CIP-007 - far surpassing the second most violated standard, CIP-005, which was violated 229 times.
NERC outlines several levels of non-compliance, all of which may come with some degree of punishment.
SUBNET has developed products and solutions that specifically address CIP-007, which can help utilities ensure they are compliant with the standard. SUBNET PowerSYSTEM Center's My Passwords feature offers companies centralized password management for all of their IEDs, helping companies meet NERC CIP requirements with regular password changes.
Managing passwords manually is a highly inefficient task, considering the many levels of authentication necessary for every IED located in thousands of different substations. Utilities can use SUBNET to automate the password management process for IEDs, and in turn, adhere to CIP-007.
The system simplifies and facilitates NERC CIP audits, makes changing passwords simple and more secure, and lowers risk while keeping reliability strong. Utilities can save money by integrating the system with existing IT infrastructure and processes, and because of SUBNET's strictly vendor-agnostic approach, they can use best-of-breed IED hardware solutions rather than being tied to an individual vendor.
With My Passwords, utilities have the option to change passwords at pre-established times, or manually change them as required, creating the simplest way to secure IED password management and comply with NERC CIP-007.