250 CHAPTER 10 Standards and Regulations

COMMON STANDARDS AND REGULATIONS

As mentioned in Chapter 2, "About Industrial Networks," industrial networks are of interest to several national and international regulatory and standards organizations. In the United States and Canada, NERC is well known because of the NERC CIP reliability standards, which heavily regulate security within the North American bulk electric system. NERC operates independently under the umbrella of the Federal Energy Regulatory Commission (FERC), which regulates natural gas, oil, and electric transmission, as well as hydropower projects. The Department of Energy (DoE) and Department of Homeland Security (DHS) also produce several security recommendations and requirements, including the Chemical Facility Anti-Terrorism Standards (CFATS), the Federal Information Security Management Act (FISMA), and Homeland Security Presidential Directive Seven, all of which refer back to several special publications of the National Institute of Standards and Technology (NIST), particularly SP 800-53 "Recommended Security Controls for Federal Information Systems and Organizations" and SP 800-82 "Guide to Industrial Control Systems (ICS) Security." The International Standard Association's standard for the Security for Industrial Automation and Control Systems (ISA-99) and the International Standards Organization (ISO) standard ISO/IEC 27002:2005 provide security recommendations that are applicable to industrial control networks.

NERC CIP

It is hard to discuss Critical Infrastructure security without referring to the North American Electric Reliability Corporation's Critical Infrastructure Protection reliability standards (NERC CIP). Although NERC CIP standards are only enforceable upon North American bulk electric systems, the standards represented are technically sound and in alignment with other standards, and are presented in the spirit of improving the security and reliability of the electric industry.[1] Further, the critical infrastructures of the electric utilities--specifically the distributed control systems responsible for the generation of electricity and the stations, substations, and control facilities--utilize common industrial network assets and protocols, making the standards relevant to a wider base of industrial network operators. NERC consists of nine separate configuration management controls:

- CIP-001-4--Sabotage Reporting. Requires that all disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.[2]
- CIP-002-4--Critical Cyber Asset Identification. Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment.[3]
- CIP-003-4--Security Management Controls. Requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.[4]