InTech

NOV-DEC 2017

Issue link: http://intechdigitalxp.isa.org/i/910561


12 INTECH NOVEMBER/DECEMBER 2017 WWW.ISA.ORG

COVER STORY

U.S. electric grid. From the April 2017 Department of Energy's Multiyear Program Plan for Energy Sector Cyber Security: "A secure and resilient electric grid that protects system assets and critical functions and can withstand and recover rapidly from disruptions is a priority of the United States. Protecting against and mitigating cyber- and physical risks to the electric grid in a prioritized manner requires that public and private sector partners continue to work together."

Within the context of the electric grid, controlling the generation and maintaining voltage to meet demand is performed with communication networks and software applications that are vulnerable to cyberattack. Attackers have demonstrated they can disable critical controllers from afar and create a highly disruptive electrical blackout from which it would be difficult to recover (like the cyberattack in Ukraine). Prolonged failure of critical electric systems in water/wastewater, public health, transportation, banking, and industry—essentially throughout the automation world—would halt economic activity, create mayhem, and proliferate life-threatening safety hazards.

Isolated or complex events with cascading effects can have major consequences for automation systems and the electric grid and adversely affect national security, economic stability, and public health and safety. Securing and encouraging investments in risk reduction in the existing electric grid and against such consequences is central to the security goals of the world's public and private infrastructures. The same situation exists within the industrial sector.

Is it time for a change? What to do?

In response, a research and development activity—named DarkNet—initially aimed at the electric utility sector has been underway within the U.S. national laboratory system to perform a "fresh eyes" analysis of the methods, goals, and practicality of existing cybersecurity designs and implementations. Briefly stated, the goal of DarkNet is to deliver a modern, cyber- and cyber-physical secure, resilient, self-healing, and cost-effective communications infrastructure for automation systems (from small to large). We feel that it is imperative to analyze and develop fundamentally different strategies from today's "bolt-on" cybersecurity solutions. Today, automation industries, including utilities and power-generation facilities, are moving toward having many more devices connected to the network for real-time assessments of their operations and fast responses to problems. The related IoT applications

Figure 1. External dependencies and challenges. Roles shown in the figure: utility owner/operator, provider, integrator, standards body, accreditation body, and component suppliers. Annotations on the figure: "Will seek business partners who meet open trusted technology provider requirements"; "Will seek business partners who meet open trusted technology provider requirements; includes all types of service providers"; "By contractual terms and conditions should demand accreditation certificate as evidence"; "May be hardware, software, global, open source – or not multiple supplier layers"; "Will seek ways of achieving market up-take/integrity of standards. Typically allied with accreditation bodies"; "Must be independent and vendor/technology neutral."

Figure 2. Matrix of currently available cybersecurity-relevant assessment or compliance resources. Electricity subsector supply chain test, training, standards, and certification organizations (preliminary): features, capabilities, competencies, responsibilities, and authority related to cybersecurity of the electricity subsector supply chain. Each column gives the existing capability of one organization, program, or activity (✔ = existing capability, ✘ = not an existing capability).

| Feature, capability, competency, responsibility, or authority | FERC | NERC | IEC | ISASecure | Underwriters Laboratories | NIST | DOE/OE ES-C2M2 Cybersecurity Capability Maturity Model |
|---|---|---|---|---|---|---|---|
| Recognized national or international standards or regulations creation body | ✔ | ✘ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Regulates, monitors, and enforces | ✔ | ✔ | ✘ | ✘ | ✘ | ✔ | ✘ |
| Imposes penalties for noncompliance | ✔ | ✔ | ✘ | ✘ | ✘ | ✔ | ✘ |
| Monitors, inspects, licenses, and regulates energy sector projects | ✔ | ✔ | ✘ | ✘ | ✘ | ✔ | ✘ |
| Standards-based device test and accreditation | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ |
| Cybersecurity research, test, development, and validation laboratory | ✘ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Awareness programs | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cybersecurity incident response | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ | ✔ |
| Mitigation and recovery planning | ✘ | ✔ | ✘ | ✘ | ✘ | ✔ | ✔ |
| Vulnerability assessments | ✘ | ✔ | ✔ | ✔ | ✔ | ✘ | ✘ |
| Personnel risk assessment and accreditation | ✘ | ✔ | ✘ | ✔ | ✘ | ✘ | ✘ |
| Personnel CIP cybersecurity training | ✘ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Personnel CIP physical security training | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ | ✘ |
| Personnel CIP operational security (general) training | ✘ | ✔ | ✔ | ✔ | ✔ | ✘ | ✔ |
| Research for future CIP solutions | ✘ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Energy supply chain focused | ✔ | ✔ | ✔ | ✔ | ✘ | ✘ | ✔ |
| Funds independent research | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ |
| Publications posted on public or members-only website | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Periodic newsletter to members or industry | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ |
| Energy CIP workforce development programs | ✘ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
