North American Cyber Security Standards Impact Globally

As one of the few sets of enforceable cyber security standards on the books worldwide, the Critical Infrastructure Protection (CIP) standards developed by the North American Electric Reliability Corp. (NERC) are having a global impact.

The NERC CIP standards, which apply to electric utility firms, have “become a constant discussion point for every single sale and for every single upgrade that we do,” says Paul Skare, director of security and deployment at Siemens Energy (www.usa.siemens.com/energy), in Minnetonka, Minn., which sells its Spectrum Power 3 energy management system (EMS) and other systems to the electric power industry.

While the CIP standards were made mandatory and enforceable in North American markets only this year (see “Making Cyber Security Mandatory,” p. 32), they have been in the works for several years. Long enough, says Skare, that the standards are being followed closely and are considered best practices in a number of overseas markets, including the United Kingdom, New Zealand and Australia.

At ABB Group (www.abb.com), another controls and automation systems supplier to the power industry, Markus Braendle notes that the NERC CIP standards are increasingly being called out in requests for proposals (RFPs), not only by North American utilities, but also by European utilities. This may be in part because some international companies own utilities in both geographic regions, says Braendle, who is head of the ABB Power System Security Council, in Baden, Switzerland. “But I think it’s more because NERC CIP is probably the most mature standard right now,” he observes. “There are a lot of security standardization activities going on in process control. But nothing else is really ready yet.”

The CIP standards have also impacted security measures built into controls systems sold to utilities worldwide. Siemens’ Skare cites several high-level changes made to his company’s systems over the past few years specifically to accommodate CIP requirements. These include use of specific complex password rules; addition of anti-virus and anti-malware protection; support of intrusion detection systems; and the definition of network configurations divided into various zones as a way to increase “defense-in-depth” capability.

ABB’s Braendle notes that many of the NERC CIP requirements “fit within activities we had going on anyway.” But he also cites specific changes made to ABB systems to help customers better comply with CIP requirements. These include the addition of features such as virtual private network (VPN) termination points and firewalls aimed at strengthening electronic security perimeters, as well as improved log management and log handling capabilities.

ABB is also developing a new protocol for user authentication to better support NERC CIP user management requirements, Braendle adds
More in Control