Critical infrastructure operations (whether an electrical substation, wastewater treatment plant, or traffic control center) are relying more and more on networked assets like sensors and control switches. But the introduction of connected devices also raises security risks. Since these systems control services that both businesses and consumers heavily depend upon, regulations are in place to ensure our infrastructure remains in working order and secure from threats.
Much like the laws you abide by while driving, such as wearing your seatbelt and staying within the speed limit, utility providers connecting assets with cellular LTE must follow certain standards and protocols to ensure security and reliability. In North America, these rules and standards are referred to as North American Electric Reliability Corporation Critical Infrastructure Protection, or more conveniently as NERC-CIP. For our friends in Europe, the standard is called “European Programme for Critical Infrastructure Protection”, or EPCIP for short.
What makes a network solution NERC-CIP compliant? In this video, Brad Cole, Device Cloud Product Manager, walks through the steps many of our utility customers take in order to deploy secure and connected critical infrastructure.
In short, critical infrastructure operators must comply with these reliability standards or face large penalties. The mandatory Reliability Standards include CIP standards 001 through 009 (see below), which address the security of cyber assets essential to the reliable operation of the electric grid.
- CIP-001: Covers sabotage reporting;
- CIP-002: Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System;
- CIP-003: Requires that responsible entities have minimum security management controls in place to protect Critical Cyber Assets;
- CIP-004: Requires that personnel with authorized cyber or unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness;
- CIP-005: Requires the identification and protection of the Electronic Security Perimeters inside which all Critical Cyber Assets reside, as well as all access points on the perimeter;
- CIP-006: Addresses implementation of a physical security program for the protection of Critical Cyber Assets;
- CIP-007: Requires responsible entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeters;
- CIP-008: Ensures the identification, classification, response, and reporting of cybersecurity incidents related to Critical Cyber Assets; and
- CIP-009: Ensures that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.
The Digi TransPort WR31 comes with features and configuration options to simplify securing critical infrastructure assets like electric and gas meters or traffic control cameras. The Digital I/O can address physical security concerns, and Remote Manager will log user information and even device changes. Click here to learn more about the Digi TransPort WR31 and how utility providers are using it to connect critical infrastructure.