The North American Electric Reliability Corporation Critical Infrastructure Protection standards are the guiding set of principles by which U.S. power companies must abide. In its mission statement, NERC describes its function as assuring “the reliability of the bulk power system in North America.” Its industry standards, therefore, are an effort to maintain this reliability – and hold those who threaten it accountable.
Between sanctions, remedial actions and penalties, there are consequences that await entities found in violation of NERC standards. Through a system of compliance enforcement, NERC finds violators and takes them to task in accordance with sanction guidelines. Over the years, NERC’s Compliance Monitoring and Enforcement Program (CMEP) has racked up a lot of violators. In its first-ever compliance violation statistics release – covering the fourth quarter of 2008 – the CMEP reported that there were 1,812 enforceable violations.
For power plants, being NERC compliant is not just about avoiding penalties – it is also about maintaining public safety. The vulnerabilities that accompany a lack of NERC compliance could lead to attacks that might endanger public safety and jeopardize human lives. With global terrorists now setting their sights on critical infrastructure, the need has never been greater to defend organizations within this sector.
Compliance with NERC happens at the intersection of emerging technology and comprehensive management. When these two elements are paired, power organizations are left with an infrastructure that will hopefully not be singled out by those hunting for NERC violators – and, more importantly, a platform that will be very difficult to attack. Here are five key tips that power plants can follow to ensure NERC compliance:
- Have an intrusion detection system in place: There are few things worse than identifying a problem too late. For power plants without an intrusion detection system, this becomes a distinct possibility. But it does not have to happen. As PowerMag pointed out, rolling out an intrusion detection system can play a pivotal role in defending against attacks and questionable traffic.
- If you do not have an incident response plan, get one: For all businesses, having a disaster incident response plan is an absolute necessity. Organizations without such a strategy are left powerless when an incident occurs, and consequently suffer far more damage than those that are ready with a plan. One of NERC’s standards specifically addresses incident reporting and response planning, and stipulates that organizations must have comprehensive plans in place.
- Get strong physical and login access controls: Without robust physical and login access tools, an attack can not only happen quickly, but can also metastasize. Thus, what began as a localized attack can turn into something that threatens the entire business network. Physical and login access control features can mitigate the risk of this happening by ensuring – through tools like two-factor authentication – that only authorized individuals are accessing the business network.
- Empower worker safety with advanced physical access solutions: One key component of NERC’s standards involves physical security, and it is especially imperative for power plants to guard access to their facilities. Physical security becomes trustworthy and efficient with emerging tools like PKI, card authentication keys and biometrics.
- Account for all points of access: Many organizations go wrong in the security realm by overlooking a single, vulnerable access point, which a hacker then exploits. Power plants looking to ensure every vulnerable point is strongly covered need to pursue a security solution that evaluates the network in depth, leaving no room for weak points. Otherwise, an attack becomes easy.
Entrust delivers industry-leading solutions that help users simplify NERC compliance. With a multitude of threats looming for critical infrastructure organizations, there’s no question about the immediate need for robust security tools.
Entrust’s security solutions for critical infrastructure offer power plants the tool they need to remain safe in a threat-heavy world. That tool is Entrust IdentityGuard, a security solution, either in-house or managed, that covers all the bases as far as the management and authentication of digital identities are concerned. Entrust IdentityGuard’s strength and versatility as a security option make it the go-to choice for organizations seeking the highest level of identity protection. For power plants, this is the only level that should be pursued.