Trend Watch: Cyber Security Dashboards

At the conference, Southern Company – a Southeastern U.S. regional energy company with 4.4 million customers and nearly 46GW of generating capacity – delivered two presentations involving its compliance with the North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP) program. For Southern Company, cyber security is not optional. It is required to address NERC cyber security standards, which, accord-ing to Larry Spoonemore, Southern Company\’s systems analyst, includes maintaining an inventory of all assets and cyber devices/systems at the company\’s 290 plants; having a well-defined and followed management of change process; and providing reporting/notification of NERC cyber security compliance. Southern Company uses PAS\’s Integrity for automation system mapping and data collection. It\’s used as the \“basic building block to track our inventory required for cyber security assur-ance because it (Integrity) sits on top of our disparate systems to track change and provide reporting\“, Spoonemore said. Southern Company has dubbed its cyber security data collection system CSI, which stands for Control System Integrity. Though that\’s essentially a simple moniker for the system incorporating use of the PAS product name, the fact that it matches the name of a popular police investigation TV drama is intentional. Through its design, CSI watches everything connected to the Southern Company\’s system to ensure compliance. Having such a system in place is becoming critical for manufacturers of all sizes in light of some of the data Southern Company shared at the conference. The company notes that one-third of all malware in existence today appeared since the beginning of 2013. And in terms of direct impacts on operations, Southern Company experiences some 1 million attempts to breach its firewall each day. The CSI data engine collects 2TB of data each week from all of Southern Company\’s plants, which is then fed into Integrity for data mining, Spoonemore said. \“FERC (Federal Energy Regulatory Commission) wants to know where you\’re at in terms of security across all your disparate systems\“, said Harvey Ivey, manager of instrumentation and control systems and field support for Southern Company. \“So we collect everything because we never know what the rules will eventually require.\“ Having all this data collected and monitored is enabling Southern Company to provide a cyber security dashboard to its plant managers \“so they can know at all times where they stand with regard to NERC compliance\“, Ivey said. The NERC CIP cyber security requirements \“drove us to closely monitor management of change\“, Ivey added. \“In the process of doing this, we\’ve learned that management of change is simply a good business practice.\“ Speaking to the importance of management of change, Spoonemore said, \“Cyber security is not a computer problem; it\’s a people problem, particularly as it applies to management of change.\“ Of course, not every manufacturing or processing company faces the cyber threats that South-ern Company does as part of the country\’s critical infrastructure. However, cyber security is clearly an imperative for all companies, and the insight learned from Southern Company\’s NERC CIP compliance strategies offers valuable lessons for us all. The idea of a cyber security dashboard – which could only be created with a tool like Southern Company\’s CSI system – is a compelling idea to consider.