Instrumentation & Controls Cyber Security Programs: Design, Implementation & Controls, and Metrics & Measurements

Posted by Tamie Nivison, 6.1.2018

By Jerome Farquharson, CISSP, CRISC, Burns & McDonnell

Designing a cyber security compliance program for electric transmission substations and power generating plants brings unique technical, geographical and personnel challenges that are not typically seen in Information Technology departments and corporate environments. Depth of cyber security knowledge among operations staff, together with the availability of compliance tools, is critical for designing a robust and self-sustaining cyber security compliance program and for understanding the operational environment and its key technology configuration. As such, an engineering- and operations-centric design that focuses on the key “pillars” of compliance (Processes, People, Documents and Systems) leads to a successful implementation of a cyber security program.

The engineering- and operations-centric cyber security compliance program should:

Enable creation or modification of business practices (Processes) that integrate cyber security requirements into everyday business tasks;
Include cross-functional training of compliance and operations staff (People);
Allow for identification, creation or modification of compliance methods (Documents) that clearly specify critical infrastructure protection (CIP) responsibilities and are limited to the relevant job functions; and
Allow for identification, creation or modification of tools (Systems) that make compliance processing and evidence collection practical.

A well-designed cyber security compliance program has a higher probability of being successful if the implementation is cohesive, collaborative and transparent. The implementation should contain identifiable controls that not only prevent non-compliant situations but also promote good infrastructure protection and secure operational practices. All affected areas should implement the designed program in the same manner (“one company, one program”). Bottom-up collaboration should be used for program adjustments and implementation decisions (“team work towards a common goal”). Ideally, implementation decisions should be driven by subject matter experts (SMEs) with the appropriate level of operational and compliance knowledge, with representation from the impacted areas. The implemented program must be open to the compliance department and the executive team for annual assessments, spot checks and audits (promoting the concept of “nothing to hide”).

A careful selection of controls is essential for ensuring quality of implementation. Effective controls include those that are geared towards promoting a culture of compliance and individual accountability. Controls that create process or asset “ownership” foster positive changes towards accepting and advocating compliance. Effective compliance training not only helps in avoiding negative audit results; it should also intentionally provide valuable knowledge to the operations staff (People). Compliance instructions (Documents) that relate to day-to-day business processes and educate on compliance increase the chances of favorable assessments and better infrastructure protection. Systems, tools and software that ensure consistent evidence collection aid in mitigating operational gaps and potentially costly violations.

One of the most frightening questions to answer is “How mature is an entity’s cyber security compliance program?” Many utilities use metrics and measurements to provide an “auditable” answer to this inquiry.

Metrics are used to monitor progress toward goals and expose inefficiencies in processes. Metrics also become the catalyst for improvement to and enhancement of the cyber security compliance program. Appropriately implemented, well-defined and tracked metrics provide valuable insight, which can impart an overall comfort level with regard to compliance. Hopefully, every critical infrastructure entity’s cyber security and compliance team is using metrics to measure the effectiveness of its compliance program. It is important to acknowledge that “Not everything that counts can be counted, and not everything that can be counted counts.” Do the entity’s metrics support the measures of the compliance program? Are the metrics established for the compliance program providing the entity with the information and insight needed to assess risks and make appropriate decisions? Tracking and analyzing the information captured to arrive at a meaningful conclusion and an action plan is a complicated and tedious task. Entities should not subscribe to a “one-size-fits-all” or “canned” measurement approach, but should develop their own key performance indicators and metrics.