In Brief

Cybersecurity Standards for Electric Industry

The North American Electric Reliability Council's new cybersecurity standards for critical infrastructure protection

By Michael Fitzgerald

January 11, 2007, CSO

Critical cyberassets

Defines critical cyberassets involved in power generation, such as control center assets, transmission substations, backup generators, protection systems and equipment involved in restoring power supplies. Such assets could include monitoring and control systems, automatic generation controls, real-time power system modeling tools, real-time interutility data exchanges and network communication protocols.

Security Management Controls

Establishes requirements for formal cybersecurity policies, such as identifying a lead security manager and reporting on changes and exceptions in security controls.

Personnel and training

Requires at least one cybersecurity training exercise per quarter, plus annual training. Also requires preemployment background checks.

Electronic security

Requires establishing a security perimeter (including access controls), performing cybervulnerability assessments and securing cyberassets. Includes monitoring network traffic, intrusion detection and data retention.

Physical security

Establishes plan for protecting physical equipment needed for cybersecurity. Includes guidelines for housing such equipment behind walls and monitoring physical access to systems, with provisions for escorts, alarms and video surveillance.

Systems Security Management

Establishes rules for how to securely manage and monitor information systems and test procedures for vulnerability assessments. Sets up provisions for what constitutes a significant systems change, such as implementing patches, new versions of software, service packs, and new custom or third-party applications.

Incident Reporting and Response Planning

Sets up a computer incident response team as a requirement. Mandates that all incidents be reported to the Electricity Sector ISAC (information sharing and analysis center).

Recovery plan

Establishes disaster recovery plan, annually reviewed. Details the severity and types of attacks that would trigger a recovery effort and what that effort should consist of, and requires defining the roles and responsibilities of those who will respond.

–M.F.

The North American Electric Reliability Council
