Compliance standards and programs such as NERC CIP V5 are created to improve the overall security of critical infrastructure. However, much of the time, companies do as little as possible and seem to scramble to create the compliance program at the last possible moment. To get the most out of compliance efforts and to improve on the spirit of the program – improve overall security, it’s important that the compliance and security programs be linked as tightly as possible. Data and status exchange between the compliance programs and security operations ensures that companies are prepared for audits and are more secure.
The power utility industry is busy with NERC CIP compliance activities to meet the upcoming April 2016 deadline. Created by NERC and backed by federal legislation and oversight support, the CIP V5 security & compliance requirements are very real and are becoming part of industry’s day-to-day activities.
We see a number of compliance related activities being implemented in an ad-hoc manner and are not linked to the security management processes. With this approach, companies are not taking advantage of integrating compliance and security which would mutually add value to both programs.
Consider, for example, the case of a company using an Enterprise Asset Management tool for IT management. Enterprise Asset Management tools are powerful in the basic IT environment but lack critical components for a NERC CIP program such as keeping an approved baseline and tracking/monitoring changes against that baseline. Just think how powerful it would be to link Enterprise Asset Management with the compliance program so that changes can follow an existing Enterprise workflow process but also follow the NERC CIP process? Changes could enter the Enterprise Asset Management process, be intercepted by the NERC CIP process for impact analysis, then re-enter the Enterprise process for implementation. With this integrated approach, both programs benefit.
Useful integration required for a solid security and compliance program:
- Integrating the compliance workflow with security operation workflow
- Integrating security events with the compliance monitoring process
- Integrating patch management with the CIP configuration and change management requirements
- Integrating vulnerability assessments processes into the CIP program
Companies that keep security and compliance programs separate, without integrating data and processes are missing an opportunity to build sustainable programs that result in a higher level of security.