The NERC Critical Infrastructure Protection (CIP) standards will soon become required for electric grids. GCUD engineers turned to a consultant and automation vendors such as Emerson Process Management, Austin, Texas, for direction. “We have a consultant to help with CIP, and the consultant wrote a lot of our procedures and guidelines to meet the requirements,” says Jeff Reams, systems engineer for hydro power plants at GCUD. “We also created an internal group of about 20 of us.”

Unlike a lot of plants implementing security, Reams’ team didn’t run into conflicts with its information technology (IT) department. “IT manages our firewalls, but they stayed out of the control side,” says Reams. “We don’t have the typical turf battle. IT does batch processes, and we’re a hydro facility, so we never shut down.”

In past years, plants haven’t worried about cyber security because they didn’t connect to the outside world. New data systems have changed that for most plants. “Our systems are fairly isolated from the outside world, even from corporate systems. We limit access,” says Reams. Even so, software and devices share data, and where data is shared, there is always the possibility of a breech. The cyber security implementation was prompted by NERC’s assessment program. “Our company is going to have a spot audit next month,” says Reams.

Cyber security has become a major issue with electric plants. NERC has launched a number of programs designed to protect the electric grid from Internet-based attacks. Any connection that goes outside the plant—whether it’s Internet connectivity or dedicated connections to corporate offices—leaves the plant vulnerable to cyber attack.

Prompted by new NERC standards, plants are adding or beefing up cyber security. Sometimes, IT is involved in the process, sometimes not. Often, vendors that are familiar with NERC programs implement and run the security programs.

Outside connections

Electric plants have traditionally been isolated from the outside world. But electric plants are now using automation systems that provide data for corporate offices and allow remote monitoring. That means virtually all electric plants are now connected to the outside world. Some plant operators believe they’re still isolated, but that’s not the case, even if they’re only sending production data to their own corporate offices. “People looking at control systems say ‘I don’t have to worry about cyber security because I’m not connected to the Internet,’” says Paul Forney, system architect at Wonderware, an automation software supplier in Lake Forest, Calif. “But they’re connected to the corporate network and it’s connected to the Internet.”

A good portion of new plant connectivity comes from the development of smart grids. “Renewable power needs to be monitored more frequently than traditional power,” says Eric Casteel, manager of security, SCADA and renewable energy development at Emerson Process Management. “You have wind that’s variable, solar that’s variable, and those variables need to be managed frequently. Oversight is deeper and it’s shared with executives, so it’s exposed to the outside world.”

Any time you share data, there is an opening for an attack. Plants are now run by information systems that transfer data from device to software, software to device. So the reality is that virtually all plants are vulnerable to cyber attack. “Anything, any device, any software that communicates over the Internet is a potential target for attack,” says Tyler Williams, chief executive officer, Wurldtech Security Inc., a cyber security firm based in Vancouver, British Columbia, Canada. “Instead of qualifying the potential risk, we look at the components that exist—which are built for reliability, not for security—and we make them more robust so the hacker can’t get in.”

One of the challenges for cyber security is that it’s abstract. The plant is trying to protect itself from something that hasn’t happened. Safety programs are often developed and augmented based on actual accidents. With cyber security, plants are working to protect themselves from events that have not occurred—potential events.

Yet the prevention of cyber attack can be every bit as important as safety precaution. “People need to look at cyber security like safety,” says Ernest Rakaczky, principal security architect at Invensys Process Systems, in Plano, Texas. “You have a safety organization to make sure training goes on and it’s everybody’s responsibility—everyone is looking out for each other. Everyone needs to feel the same ownership of cyber security.”

Many, if not most, electric plants have turned to consultants and vendors to keep up on NERC developments, standards and compliance requirements. Many vendors and consultants have been involved in the development of NERC programs ...