Cyber Security Regulations are Changing – Is Your Testing Program Ready?
To meet the rapidly evolving technology demands of the power industry, while still ensuring grid reliability, NERC has developed new CIP requirements to protect your mobile and storage devices from cyber security threats. These guidelines, scheduled to go into effect April 2017, will change the way you work – from the field to the office. How can you get ahead of the curve? Consider making a few changes to your test practices when developing your NERC compliance program to ensure your devices are secure and malware-free.
Laptops and tablets used for testing power equipment are now labeled by FERC as “Transient Cyber Assets,” while CDs, USB thumb drives and all other forms of portable storage are classified as “Removable Media.” Devices covered by these definitions are routinely targeted by cyber threats as a way of getting into critical environments such as control centers and substations. Such devices need to be safeguarded to ensure grid reliability.
To safeguard your transient cyber assets, use special-purpose laptops or tablets that are used only for testing. With this solution, your devices can be secured and locked down without interfering with the test interface. You can further protect your assets from exposure to malicious software by avoiding the use of removable media altogether. Replace your USB thumb drives with a safe alternative, such as secure network data transfer technology from your test laptop or tablet, to retain all the convenient data transfer capability of removable media.
NERC also requires that your software be secured along with your transient cyber assets. All software on your devices should be reviewed and approved, and your security patches must be kept up to date. Applying updates in a timely manner will enable you to safely use your test equipment without compromising your data.
The central component for meeting new CIP requirements is to develop a cyber security action plan, complete with policies, plans and evidence. A plan that defines roles and authorizes users appropriately, while managing and tracking transient devices, will help protect your assets. A third-party supplier specializing in maintaining data for CIP regulatory purposes can best assist you in implementing your new plan and alleviate the burden on your IT department. With the help of your supplier, you can integrate your solution into your systems and practices, moving forward with the tools and resources needed to keep your data safe.
What’s your next step? Learn more by downloading our white paper on what NERC CIP means for your testing program.