When it comes to the national infrastructure, most leaders agree on one thing: There is nothing more important than reliable electric energy.
The electric energy sector has seen a significant increase in security regulation since the Sept. 11 attacks — an increase that only escalated after the Northeast blackout of 2003. Recent federal legislation has changed the regulatory environment from voluntary compliance to mandatory compliance.
The North American Electric Reliability Corporation (NERC), the lead organization for the electric industry, has set voluntary industry standards for years. Now it has “real teeth,” in the form of federal compliance legislation and newly developed reliability standards. All of the NERC's standards can be found under the Standards link at www.nerc.com, including those that deal with security and critical infrastructure protection — both physical and logical — which are commonly referred to as the CIP standards.
The CIP standards apply to all key players in the electric industry: reliability coordinators, balancing authorities, transmission operators, generator operators and load-serving entities. It takes all five of these parties working in unison to provide highly reliable electric service across North America .
The CIP has nine security standards that businesses or organizations who participate in any of the five key areas must address: sabotage reporting; security management controls; personnel and training; electronic security perimeters; physical security of critical cyber assets; systems security management; incident reporting; response planning; and recovery plans for critical cyber assets.
The overriding emphasis is on the effective protection of information and control systems that perform critical, split-second functions. For businesses and organizations across the electric industry, reliability and security issues are critically important. Security leaders must effectively orchestrate security practices that meet the requirements of the CIP and that are also economically sound so businesses can effectively maintain the regulations' intent of enhancing overall system reliability. If you are in the electric industry, you are already seriously engaged in addressing these issues.
So, what about those of you who are not in the electric industry? What does it mean to you?
I believe there are some key takeaways for any large business or organization. While your operations may not currently be impacted by CIP-like regulations, there things you can do now to better prepare your business if similar regulations come your way. Federal and state government is becoming increasingly involved in setting security guidelines and protocols for key businesses, especially those in sectors of the national infrastructure.
Consider these six actions:
• Review the CIP regulations at www.nerc.com and note the approach and design they take in addressing and implementing their requirements.
• Find out from your general counsel or legal department who in your organization monitors legislation — and, more importantly, proposed legislation — that may impact security issues involving employees, facilities or information in your industry. Check at both the federal and state levels. If these areas are not being monitored, determine how your organization can set up a process of monitoring and ensure your security leaders are involved and are receiving routine updates.
• Directly participate in industry-specific security or other organizations at the local, state and national levels. All have different perspectives and resources.