"We are not compliance experts, we are technology experts.' They [Encari] are compliance experts," said Eric Knapp, Nitro VP of technology marketing. "Compliance without the technology to remediate compliance gaps can be difficult; information technology equipment without overarching compliance guidelines to be implemented properly is lacking."
Electric utilities are supposed to be in "audit compliance" with NERC CIP's eight requirements by June:
- Identification and documentation of the critical cyber assets.
- Minimum security management controls to protect critical cyber assets.
- An appropriate level of personnel risk assessment, training, and security awareness.
- Identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter.
- A physical security program for the protection of critical cyber assets.
- Defined methods, processes, and procedures for securing those systems determined to be critical cyber assets.
- Identification, classification, response, and reporting of cyber security incidents.
- Recovery plans for critical cyber assets
The industry has been under close scrutiny for years, with intense congressional criticism resulting in mandatory, audited security controls, overriding industry claims that it could police itself. Although there has been no evidence of a deliberate attempt to disrupt the North American power grid, there have been incidents that raised alarms:
- A remote, simulated attack that brought down a diesel electrical generator.
- A highly critical GAO report on the state of security at the Tennessee Valley Authority.
- A Wall Street Journal report that Russian and Chinese attackers had planted malware within the U.S. power grid.
- NERC CSO Michael Assante told Congress that the industry is concerned about "the potential for an intelligent attacker to exploit a common vulnerability that impacts many assets at once, and from a distance."
NitroSecurity says NitroView CIP goes beyond compliance reporting packs--for HIPAA, SOX, PCI DSS, GLBA etc--typically included with SIEM, log management and other security/compliance products. The vendor claims that monitoring devices are customized to understand SCADA protocols, applications and processes, both within and outside what the NERC requirements refer to as the electronic security perimeter (ESP). "Utilities are concerned whether products have a valid interpretation of compliance requirements," said Steve Hamburg, Encari co-founder, "or has this been somewhat of an academic exercise so that the nuances associated with compliance requirements are not ingrained within the product functionality."
The NitroSecurity product includes a five-day services consulting engagement with Encari, in which the consulting firm develops an initial "SIEM compliance roadmap." After that, the utility can decide whether or not to engage Encari for additional services. "It gives the customer an understanding of 'here's where you stand today in terms of implementation, deployment and configuration," Hamburg said, "and here's where you need to be in terms of being in full compliance in terms of SIEM requirements.'" There's evidence that utility security managers, with backgrounds steeped in dealing with direct threats to proprietary control systems and often lag behind in dealing with threats to contemporary IT networks.