WORLD-GEN_Vol_27_No_2 - page 7

WORLD-GENERATION MAY/JUNE 2015 V.27 #2
PERSPECTIVE
Call it the “new normal.” Cyber threats targeted to the power generation industry are growing in both frequency and complexity. Meanwhile, cybersecurity compliance obligations continue to evolve.
In this environment, there is increased urgency for utilities to secure their systems, establish security programs and comply with regulations. This can be daunting, as power plant staffing is often lean, with personnel facing many demands on their time. More and more, utilities are turning to control system suppliers for help.
With a staff that offers a rare combination of necessary skills, a blend of cybersecurity, control system and power industry experience, control system suppliers are uniquely qualified to help utilities identify areas of risk related to automation and control within their plants. While Emerson has always worked closely with customers on security matters, the company’s Security Solutions group recently expanded its cybersecurity services portfolio, offering a best practices approach for helping power generators achieve a strong security posture. The portfolio includes: cybersecurity assessments, scheduled cybersecurity services, and security program & compliance services.
CYBERSECURITY ASSESSMENTS
Cybersecurity assessments are designed to assist power generators in identifying their cyber assets, assessing vulnerabilities, and providing recommendations to mitigate cybersecurity risks through the deployment of appropriate security controls and safeguards. The cybersecurity assessment service includes:
• Initial site walk down to identify targeted systems and key deliverables
• Detailed assessment plan
• Plant-wide cyber asset inventory and audit
• Network mapping of targeted systems
• Host-based vulnerability assessment with port, protocol, service and system scanning
• Network security analysis
• Risk mitigation analysis, review and reporting
• Mitigation and remediation recommendations
Assessments are recommended annually to evaluate and track continuous improvement of an organization’s security posture.
SCHEDULED CYBERSECURITY SERVICES
Patch management, antivirus protection, and backup and recovery initiatives are often at the core of an organization’s security program. Industry best practices suggest deploying patches monthly, updating antivirus definitions weekly, and performing frequent backups. Unfortunately, the work required to complete these updates adds to the workload of plant staff.
Scheduled cybersecurity services include regularly scheduled visits to customer sites to deploy patches; update and install antivirus definitions; and generate, verify, and archive backups – all without diverting essential manpower from other important assignments. This service can also be customized to include other cybersecurity or preventive maintenance tasks that require regular attention, such as review of overall health and diagnostics for key control system components including servers, workstations, controllers and network equipment.
SECURITY PROGRAM & COMPLIANCE SERVICES
They say the devil is in the details, and that is certainly true for security programs and compliance – particularly in light of the ongoing evolution of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards. This service area is focused on helping utilities evaluate, develop and implement security and compliance programs that meet compliance obligations while also following power industry best practices. This is an important distinction, as an established best practice followed in the financial or IT industry is not necessarily a best practice for the power-generation industry, and may in fact be detrimental. For example, in many office environments it is considered an IT best practice to lock users out of their workstations after a defined period of inactivity. However, this could have serious consequences in a control room, particularly if the operator forgets the password and cannot log back in. This is a good illustration of why common sense and power industry best practices should prevail.
Tasks related to security programs may include:
* Identifying compliance gaps
* Gathering evidence and supporting documentation required for compliance audits
* Developing and revising security processes & procedures as needed
* Conducting cybersecurity awareness training
NO SINGLE SOLUTION
Just as no two power plants are (continued page 8)
OPERATING PLANTS SECURELY IN A “NEW NORMAL” ENVIRONMENT
BY JAIME FOOSE
Manager, Security Systems
Emerson Process Management