I recently wrote about a new trend I encountered at the PAS Technology Conference in Houston that involved training operators at BASF’s Freeport, Texas, plant to create the HMI screens they use. In that article, I referred to another item of potential interest to industry: an interesting approach to cybersecurity compliance.
At the PAS conference, Southern Company—a southeastern U.S. regional energy company with 4.4 million customers and nearly 46,000 megawatts of generating capacity—delivered two presentations involving their compliance with the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) program.
For Southern Company, cybersecurity is not optional. They are required to address NERC cybersecurity standards, which, according to Southern Company’s systems analyst Larry Spoonemore, include: maintaining an inventory of all assets and cyber devices/systems at the company’s 290 plants; having a well-defined and followed management of change process; and providing reporting/notification of NERC cyber security compliance.
Spoonemore said that Southern Company uses PAS’s Integrity for automation system mapping and data collection, which is used as the “basic building block to track our inventory required for cyber security assurance because it (Integrity) sits on top of our disparate systems to track change and provide reporting.”
Southern Company has dubbed its cybersecurity data collection system CSI, which stands for Control System Integrity. Though “CSI” is essentially a simple moniker for the system incorporating use of the PAS product name, the fact that it matches the name of a popular police investigation TV drama is intentional. Through its design, CSI watches everything connected to the Southern Company’s system to ensure compliance.
Having such a system in place is becoming critical for manufacturers of all sizes in light of some of the data Southern Company shared at the conference. They note that one-third of all malware in existence today has appeared since the beginning of 2013. And in terms of direct impacts on operations, Southern Company experiences some one million attempts to breach its firewall each day.
The CSI data engine collects 2 terabytes of data each week from all of Southern Company’s plants, which is then fed into Integrity for data mining, Spoonemore said.
“FERC (Federal Energy Regulatory Commission) wants to know where you're at in terms of security across all your disparate systems,” said Harvey Ivey, manager of instrumentation and control systems and field support for Southern Company. “So we collect everything because we never know what the rules will eventually require.”
Having all this data collected and monitored is enabling Southern Company to provide a cybersecurity dashboard to its plant managers “so they can know at all times where they stand with regard to NERC compliance,” said Ivey.
Ivey adds that the NERC CIP cybersecurity requirements “drove us to closely monitor management of change. In the process of doing this, we've learned that management of change is simply a good business practice.”
Speaking to the importance of management of change, Spoonemore said, “Cyber security is not a computer problem, it’s a people problem, particularly as it applies to management of change.”
Of course, not every manufacturing or processing company faces the cyber threats that Southern Company does as part of the country’s critical infrastructure. However, cybersecurity is clearly an imperative for all companies and the insight learned from the Southern Company’s NERC CIP compliance strategies offers valuable lessons for us all. The idea of a cybersecurity dashboard—which could only be created with a tool like the Southern Company’s CSI system—is a compelling idea to consider.
Other recent coverage of cybersecurity in Automation World: