'Now our enemies are seeking to sabotage our power grid.' - President Barack Obama, State of the Union Address, Feb. 2013
Austin, Texas (PRWEB) November 20, 2013
The Anfield Group’s long-held position that compliance with federal regulations is not, by itself, sufficient to protect the nation’s electric utility industry from cyber attacks received strong support in a new survey of 100 professionals involved in protecting the North American power grid. The survey was conducted between July and September by Tripwire, Inc., a global provider of risk-based security and compliance management solutions, and the results were announced on November 13.
Although 77 percent of respondents agreed that compliance with the North American Electric Reliability Corporation’s (NERC) regulations is essential for protecting the electric industry, 70 percent said compliance should be considered only one part of an effective cybersecurity strategy.
“We’re encouraged by the results of this important Tripwire survey,” said Patrick Miller, partner and managing principal at The Anfield Group, an Austin-based critical infrastructure security and compliance consultancy. “Obviously, most of the industry has now begun to realize that compliance is essential -- a few years ago, I think much of the industry would have labeled the compliance process as ‘burdensome’. Even more importantly, the survey confirmed the growing realization that security can’t be achieved simply by being in compliance.”
Miller explained that at the time governmental regulations are authored, they represent the best available defense against potential cyber attacks on the North American power grid. However, by the time they are reviewed, refined, approved and implemented, the new regulations are sometimes badly outdated. In some cases, by the date the new regulations become effective, attackers have already developed new tactics that circumvent them.
The Anfield Group maintains that security can only be achieved by combining current and upcoming regulations, the soon-to-be-released Cybersecurity Framework that the National Institute of Standards and Technology is preparing under the President's Executive Order 13636, and the 20 Critical Controls for Effective Cyber Defense published by the SANS Institute. Together, these tools can create a grid that is both secure and compliant.
One of the most disturbing findings of the Tripwire survey was that nearly one-third of the participating professionals felt they lacked a clear understanding of the existing regulations for critical infrastructure protection.
“This finding should not be surprising,” Miller said. “The existing regulations are detailed and comprehensive, plus there are overlapping regulations from one version to the next and a new set of regulations will be issued soon. In reality, I think the percentage of professionals who don’t have a good grasp of the existing regulations is higher than shown by the survey. After we dig into the details and actually start implementing and auditing NERC CIP version five, I suspect many will realize their initial degree of understanding was overly optimistic.”
With more than 30 years of combined experience in NERC CIP standards, The Anfield Group stands out as the most experienced consultancy in the industry. The firm's experts have participated in CIP drafting teams and implemented the standards at utilities. The staff includes NERC-certified lead auditors and the founding chairman of the CIP Compliance Working Group composed of the CIP Compliance Managers and CIP Subject Matter Experts for all eight regions.