and industry security standards. “End-users are looking for guidance from us,” says Wonderware’s Forney. “The security of a system relies heavily on the system’s deployment. We can make secure software, but we have no control on how it’s deployed in the field. If we’re involved, we can educate people about cyber security.”

Vendors often take a role in cyber security implementation because it’s not enough to build security into the system’s components. If security is not implemented at the plant itself, the vendor cannot ensure that the system is secure. “As a control supplier, we look at what is required for compliance,” says Invensys’ Rakaczky. “We look at any of the requirements that affect the control product and we put together a major program. We try to position our product so it supports all the compliance requirements.”

When it comes to security, the IT department has deep experience. But IT is accustomed to applying security patches at night when the office workers are gone. It doesn’t matter if a desktop is shut down and restarted at night. Uptime is the high value for the plant control system. You can’t arbitrarily shut it down to implement a patch. Yet the IT department typically doesn’t want to leave security entirely to control engineers who may not be familiar with security systems. “I’ve heard horror stories where IT says they’re going to do everything with security,” says Emerson’s Casteel. “The problem is, they have conflicting objectives. In IT, confidentiality is big. With control, it’s availability.”

At many plants, a compromise is worked out by which control and IT join as a team for implementing security. Often, plants bring in a consultant who is familiar with NERC and safety standards. “Some plants are bringing in a consultant to work with control, and bridge the gap with IT,” says Casteel. “Where it’s been most successful is where control still has the responsibility for security, but they work closely with IT.”

Stay on top

Cyber security is not a program that can be turned on and left alone. Much like the security on your personal computer, the plant security systems become obsolete as soon as a new worm hits the street. So cyber security becomes an ongoing program rather than a simple installation. “You have to keep up with the underbelly of the Internet—that includes technical tools and attack methodologies,” says Doug Wylie, Mayfield, Ohio-based business manager, networks, for automation vendor Rockwell Automation Inc. “You’re only one 14-year-old kid away from the system crumbling, if you’re not paying attention.”

Cyber security has become a permanent part of running an electric plant. Connectivity to the outside world is inevitable. The Smart Grid requires shared information across multiple plants and multiple offices. NERC programs and audits are compelling electric plants to demonstrate their ability to withstand cyber attacks. To cope with all of this, plants are bringing together the expertise of consultants, vendors and their IT departments to ensure that they’re well protected.

Related Sidebar - Preparing for a NERC Audit
To read the article accompanying this story, go to www.automationworld.com/feature-5825.

Related Sidebar - NERC Programs Reach Significant Milestones
To read the about NERC's recent cyber security and assessment programs, go to www.automationworld.com/feature-5826.

Subscribe to Automation World's RSS Feeds for Feature Articles