Deepak Patel, Director of Security Strategy at Imperva, Gives Tips on Improving Security Posture and Satisfying Auditor Expectations
Understandably, there is no shortage of cyber security regulations that owners, operators and users of bulk electric power systems in North America must comply with to keep the public, employees and other stakeholders safe. In addition to the requirements of NERC – the North American Electric Reliability Corporation – there is often the need to comply with multiple, sometimes overlapping, cyber-related regulations. Organisations that fail to meet requirements such as the PCI Data Security Standard (PCI DSS) for the processing of credit card information, or the Sarbanes-Oxley Act for publicly traded corporations, risk fines and other penalties. These sit on top of the numerous non-cyber regulations that power generation and distribution companies must already comply with. As such, identifying the applicable requirements and routinely meeting them can be a hugely daunting undertaking for many organisations.
One such demanding NERC requirement is the NERC CIP (Critical Infrastructure Protection) Version 5 Framework, which has recently come into force. The NERC CIP Framework sets only a minimal baseline for security, and, as with any compliance requirement, simply meeting it does not guarantee that an organisation's web applications and data are secure. Companies need to think beyond meeting the requirements: they can improve their entire security posture and make the auditing and compliance process easier at the same time. To do this, organisations should use the NERC CIP Framework as a starting point and complement its requirements with broader solutions, including cyber security solutions that help with incident prevention, detection and response.
Problems to Overcome When Securing Critical Infrastructure
All too often within this industry, there is a seemingly never-ending cycle in which internal auditors, business application owners and IT managers come together to define and implement security controls while sifting through volumes of information to find the pieces relevant to each regulatory auditor. The process is slow and costly, and the manual effort involved cannot scale across multiple regulations without additional headcount, which is generally not an option on already stretched IT budgets.
When it comes to the CIP standards, several critical areas represent an overlap of security and compliance: cyber asset discovery and classification, cyber asset protection and monitoring, incident response, and auditing and reporting. Applications and databases, such as SAP, Oracle E-Business Suite and PeopleSoft, make up a substantial share of what bulk power organisations consider critical cyber assets. Some of these systems reside in the corporate IT network, others within the operations or control system network, and some are designed specifically to communicate across connection points that were once air-gapped.
For example, many companies need to allow customers, partners and employees to interact with their portals for customer self-service and Business Process Outsourcing. With potentially thousands of people interacting with these systems daily, it’s crucial that companies take steps to prevent data theft incidents by protecting business applications and the sensitive data contained within them.
Securing these application and database cyber assets is important for addressing NERC and other regulations, as well as for improving overall security. Not only do these assets process and store sensitive data, they can also be used to administer other assets, including control system components, and so have a direct impact on the availability of control system assets such as Supervisory Control and Data Acquisition (SCADA) systems.
Many organisations spend vast amounts of time and resources on these discovery, control-mapping and reporting exercises, which are highly prone to error when done manually. But there is a better way.
Connecting Security and Compliance
Businesses need to think of compliance and security together to kill two birds with one stone. By choosing solutions that combine data asset discovery, protection and monitoring with the ability to deliver regulation-specific reports, bulk power organisations can focus on the business at hand and stop oversubscribing people to tasks that a technology solution could automate.
When seeking such a solution, make sure it can capture the data necessary to answer specific auditor requests such as:
- What are the vulnerabilities within databases that process financial information and store credit card information?
- How are critical databases protected?
- How was the latest security incident addressed?
- How are privileged users tracked?
- Can it pinpoint which user accessed what data in what database?
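The last two questions are only answerable if database activity is recorded with enough detail to reconstruct who touched what, and if privileged accounts are singled out for review. The script below is an added example, not Imperva's code or the output of any product: it parses a constructed, simplified key=value audit log (real formats such as pgaudit, Oracle unified audit or MySQL enterprise audit differ, but carry the same fields), answers "which user accessed what data in which database", and produces a privileged-user activity report that flags reads of sensitive objects, bulk reads, schema or privilege changes, and connections from outside the assumed internal address range. The account and object classifications are assumed inputs that, in practice, come from the discovery and classification step described above.

```python
"""Turn raw database audit records into the answers an auditor asks for.

Added example, not Imperva's code. The audit format, sample records,
privileged-account list and sensitive-object list are all constructed
for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, database, account, source host,
# operation, object touched, rows returned/affected.
SAMPLE_AUDIT_LOG = """\
2016-03-01T08:02:11Z db=billing user=app_portal host=10.1.4.20 op=SELECT obj=public.customers rows=1
2016-03-01T08:02:12Z db=billing user=app_portal host=10.1.4.20 op=SELECT obj=public.invoices rows=12
2016-03-01T09:15:40Z db=billing user=dba_jsmith host=10.9.0.7 op=SELECT obj=public.card_tokens rows=48231
2016-03-01T09:16:02Z db=billing user=dba_jsmith host=10.9.0.7 op=ALTER obj=public.card_tokens rows=0
2016-03-01T11:40:05Z db=hr user=svc_payroll host=10.1.4.31 op=UPDATE obj=public.salaries rows=310
2016-03-01T23:58:44Z db=scada_hist user=dba_jsmith host=203.0.113.9 op=SELECT obj=public.tag_values rows=900000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"op=(?P<op>\S+) obj=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)

# Assumed classification inputs (hypothetical): which accounts are privileged,
# which objects hold regulated data, and which address prefixes are internal.
PRIVILEGED_ACCOUNTS = {"dba_jsmith"}
SENSITIVE_OBJECTS = {("billing", "public.card_tokens"), ("hr", "public.salaries")}
INTERNAL_NETS = ("10.",)
BULK_READ_ROWS = 10_000


def parse_audit_log(text):
    """Parse audit text into dicts. Malformed lines are counted rather than
    silently dropped, because a gap in the audit trail is itself a finding."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        rec = m.groupdict()
        rec["rows"] = int(rec["rows"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records, bad


def who_accessed_what(records):
    """Auditor question: which user accessed what data in which database?
    Returns {(user, database): [objects]}."""
    report = defaultdict(set)
    for r in records:
        report[(r["user"], r["db"])].add(r["obj"])
    return {k: sorted(v) for k, v in report.items()}


def privileged_user_activity(records):
    """Auditor question: how are privileged users tracked? Every action by a
    privileged account is listed, with flags for patterns worth a second look."""
    findings = []
    for r in records:
        if r["user"] not in PRIVILEGED_ACCOUNTS:
            continue
        flags = []
        if (r["db"], r["obj"]) in SENSITIVE_OBJECTS:
            flags.append("sensitive-object")
        if not r["host"].startswith(INTERNAL_NETS):
            flags.append("external-source")
        if r["op"] == "SELECT" and r["rows"] >= BULK_READ_ROWS:
            flags.append("bulk-read")
        if r["op"] in {"ALTER", "DROP", "GRANT"}:
            flags.append("schema-or-privilege-change")
        findings.append({"ts": r["ts"].isoformat(), "user": r["user"], "db": r["db"],
                         "op": r["op"], "obj": r["obj"], "flags": flags})
    return findings


if __name__ == "__main__":
    recs, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"parsed {len(recs)} records, {bad} malformed")
    for (user, db), objs in sorted(who_accessed_what(recs).items()):
        print(f"{user}@{db}: {', '.join(objs)}")
    for f in privileged_user_activity(recs):
        print(f"{f['ts']} {f['user']} {f['op']} {f['db']}.{f['obj']} {f['flags']}")
```

On the constructed sample, the report shows the DBA account reading the whole card-token table, altering it minutes later, and then pulling historian data from an external address at midnight; each of those is the kind of line an auditor will ask about, and none of them is visible if only application-level logs are kept.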
When a cyber security solution can automate many of the discovery and audit reporting requirements while also reducing the risk of failing an audit, it becomes an invaluable asset to the business.
With substantial non-compliance penalties under NERC – some as high as $1 million per day – organisations should act now to put in place preventive, detective and corrective cyber security controls that enhance the overall security posture of the organisation. When these controls are implemented correctly, operational efficiency improves and compliance outputs are no longer an afterthought but a natural by-product of security best practice.