Several large utilities and independent generation companies have engaged Encari to assist in supporting their diverse NERC CIP compliance initiatives. Because of how most generation plants are organized and staffed, this task requires different skills and approaches than those typically applied toward control center compliance. Encari has worked for a large number of generation companies, and its prevalent NERC CIP compliance consulting activities include:
- Identifying critical cyber assets – Doing this in a generation plant often involves tracing cables and interviewing plant staff knowledgeable about each cyber asset.
- Identifying electronic security perimeter(s) (ESPs) and physical security perimeter(s) (PSPs) – Because of the compliance cost that will be incurred if ESPs and PSPs are drawn too broadly, Encari examines all options for keeping these perimeters as small as possible. Often, an investment in additional switches will yield a manifold return through lower ongoing NERC CIP compliance costs.
- Cyber security policies, processes, procedures, and programs – In many electric utilities, generation plants were not the focus of cyber security policies, processes, procedures and programs that were established for NERC CIP compliance or other purposes. Encari reviews existing cyber security policies, processes, procedures and programs in order to confirm their applicability to generation plants, and assists in developing and implementing new ones, if required.
- Network segmentation – Many generation plants have links between their control networks and the corporate IT networks, and it is imperative that these links be broken. On the other hand, these links are typically established because corporate staff need access to particular generation plant information. There are many ways to resolve these issues, and addressing them has been a large focus of the NERC CIP compliance consulting services Encari has provided for generation companies.
- Technical feasibility exceptions – There are always a number of cyber assets at generation plants that cannot run anti-virus software, can only accept upper-case letter passwords, etc. While these do not need to be replaced, technical feasibility exceptions need to be pursued and carefully documented, and measures need to be taken to mitigate the risks that result from those exceptions.
- Security training – Generating plant personnel are often very focused on the machinery of the plant and much less focused on the cyber assets controlling the machinery. There is often a greater requirement for cyber security training (CIP-004, R2) at generation plants than there is in control centers.