Implementing a top-down IT framework
by Mark Walton and Scott Vanek
Faced with the pressure of complying with the NERC Critical Infrastructure Protection (CIP) 002-009 standards, energy companies and utilities across the U.S. must act quickly. The CIP standards became effective at the end of 2006 and call for a holistic approach to protecting all of the critical assets that make up the bulk electric system in North America. The challenge is that most companies do not yet have the procedures in place to meet the compliance requirements effectively.
What many of these energy companies and utilities may not realize is that their IT departments already use a widely accepted approach that can be applied to CIP compliance. The Information Technology Infrastructure Library (ITIL) promotes the delivery of high-quality services with an emphasis on customer relationships, implying a strong working relationship between the IT organization and its customers and partners. The main challenge companies face is determining how to leverage ITIL in the context of CIP and where to begin the compliance process.
Table 1. A brief description of each standard, its purpose and specifications. Each standard has to be capable of being audited, if necessary.
The NERC CIP standards comprise eight individual standards, CIP-002 through CIP-009. Each is mandatory for the energy and utility companies it applies to and must be implemented within specific timeframes over a multi-year schedule. The overarching goal of the standards as a whole is to ensure that every entity responsible for the continued, reliable operation of the North American bulk electric system is properly protecting its critical cyber assets. The standards also provide a cyber security framework that establishes the minimum requirements for protecting critical cyber assets and ensuring the secure electronic exchange of information.
Rather than outlining the most effective way to achieve compliance, the standards define only the requirements, timeframes, steps and procedures. This leaves a great deal of ambiguity for utilities and can make the compliance process seem overwhelming and unachievable. To address this challenge and make compliance a more manageable undertaking, a comprehensive approach to managing critical assets should be adopted. This approach combines the efforts of the Operations and IT departments and is compatible with the programs already in place for maintaining IT assets.
Addressing the compliance challenges
Although many IT tools can help achieve and track compliance, there is no silver-bullet software or hardware solution. The solution has to be a well-planned, integrated combination of IT best practice methodologies, processes and IT management tools.
A top-down IT framework should be implemented in which the CIP requirements are addressed in the corporate and IT security policies. These policies are then embodied in a set of IT best practice methodologies, with IT tools (software and hardware) providing the workflow and automation. ITIL Service Management is by far the most widely recognized and accepted IT best practice framework. Most mature IT organizations have already implemented some portions of it, such as Configuration Management, Change Management and Asset Management. These organizations will also have IT tools in place to automate the tracking of IT assets and their configurations; the logging, tracking and resolution of IT security incidents; and the tracking of changes. The key to achieving compliance is to integrate these IT best practices and toolsets into a single framework that demonstrably covers all of the CIP requirements.
Table 2. Alignment between CIP requirements and ITIL IT Service Management best practice areas.
How does ITIL fit into the picture? ITIL describes how Service Management should be organized and can be adopted within organizations that already have Service Management infrastructures in place. ITIL Service Management provides a framework for managing the security and reliability risks that the CIP requirements address. By implementing the ITIL Service Management best practices, utilities can achieve CIP compliance in a timely, effective manner.
How the best practices work
As a whole, the ITIL best practices are organized into two primary areas: ITIL Service Support and Service Delivery. Service Support works to minimize disruptions of IT services to business operations, while Service Delivery manages and maintains the quality of IT services, ensuring that service levels, performance and capacity requirements are met at effective, cost-efficient levels. Service Delivery also covers IT service continuity, that is, planning for disaster prevention and recovery.
Through the use of the ITIL framework, utilities can fulfill the majority of the CIP 002-009 cyber security requirements. To achieve full compliance, three key steps must be taken: implementing a structured approach, cultivating a security assurance framework, and developing a compliance "roadmap."
Implementing a structured approach will help organize compliance initiatives by aligning assessment and planning methodologies with the CIP compliance timeframes.
The security assurance framework serves as a hierarchical structure for organizing the utility's standards, policies, processes/procedures and tools. It is used to demonstrate that each NERC CIP requirement is accounted for by identifying the gaps in the current security posture and aligning each CIP requirement with the appropriate ITIL best practice area.
Finally, the compliance "roadmap" tracks the project initiatives, estimated timelines, resources and costs needed to reach the end state of full compliance. It lays out sequenced, logical steps for accomplishing the most critical required tasks and aligns them with the CIP implementation schedule.
Achieving CIP compliance will be a challenge but it’s one that can be overcome by leveraging frameworks and processes that are already in place at most organizations. By thoroughly planning ahead, establishing a collaborative effort, and implementing a structured approach, energy companies and utilities will be able to successfully fulfill all aspects of CIP compliance in a timely, effective manner.
Mark Walton, CIO and director of commercial technologies, Gestalt, LLC, has more than 20 years of experience with IT and corporate planning organizations, establishing strategy and directing the organizations' work. He has managed numerous strategic initiatives, including the strategy formulation and implementation of various ERP systems. Scott Vanek, a senior business analyst with Gestalt, LLC, has more than 16 years' experience within IT and corporate planning organizations. He performs analyses and develops recommendations regarding IT infrastructure, business processes and IT support functions.