April 2016 Powerlines

Issue link: http://powerlines.uberflip.com/i/668134


Powerlines April 2016 | Volume 29 • Number 4 | www.powersouth.com/powerlines | info@powersouth.com

PowerSouth focuses on cyber security

A December cyber-attack — leaving more than 200,000 people without electricity halfway around the world in Ukraine — could influence the kind of security procedures being required by utilities in the U.S., including PowerSouth.

Electric utilities in North America are required to follow reliability standards to protect cyber assets used in the control of the bulk electric system from vulnerabilities. Utilities are audited on how well they are meeting the standards at least once every three years.

Less than two months after the attack on three Ukrainian electric power distribution companies, PowerSouth hosted a routine audit by the Southeastern Electric Reliability Council (SERC) to make sure it is following the standards of the North American Electric Reliability Corporation.

The audit consisted of two tracks, a critical infrastructure protection (CIP) track and an operations and planning (O&P) track. The CIP standards are commonly associated with "cyber" protection, while O&P refers to planning, operating, and maintaining the generation and transmission system.

PowerSouth welcomed a team from SERC Feb. 9–11 to conduct the on-site portion of PowerSouth's audit. However, the audit actually began Nov. 10 with SERC submitting data requests to PowerSouth and extended through Feb. 24. PowerSouth submitted information and documentation for the SERC audit team's evaluation. The SERC audit team then reviewed and evaluated, both remotely and onsite, the information submitted by PowerSouth to assess compliance with applicable standards.

The audit consisted of 57 O&P requirements and 28 CIP requirements from the NERC standards. The audit reported no findings of non-compliance with O&P requirements by PowerSouth. The audit did note three CIP issues to be mitigated.

One issue involved documentation of visitors entering and exiting PowerSouth's Zone A areas.

"Federal Energy Regulatory Commission requires all visitors to log in and out of areas containing critical cyber assets (Zone A areas)," said PowerSouth Planning, Compliance and Regulatory Manager Jay Farrington. "Ideally, employees should avoid bringing visitors to those areas whenever possible, but when exceptions are made, visitors require a continuous escort."

Employees with Zone A access can help by assuring that all visitors are logged in and out of Zone A areas with the log book being filled out completely.

The other two issues are more technical in nature, involving electronic access to PowerSouth's critical cyber assets. Neither of the technical issues was noted as creating a significant threat.

"We're particularly pleased that there were no findings with the O&P standards and that the issues with the CIP standards were not considered a significant threat and could be easily mitigated with the issues already addressed," Farrington said. "PowerSouth's network security team does an excellent job of securing our cyber networks from external attacks. However, some protection must come from the user, such as employing caution when using instruments like flash drives. A user could unknowingly introduce a vulnerability into the system."

Farrington said the Ukraine attack — executed in part through attachments in phishing emails — highlights the importance of regular security audits, like the one recently completed by SERC, as well as awareness on the part of PowerSouth employees.

In its exit presentation, the SERC audit team observed a noteworthy practice and demonstration of good compliance evidence at PowerSouth.

"One of PowerSouth's goals is to establish and maintain a strong culture of regulatory compliance," said Director of Legal Affairs and Compliance Art Brunson. "All PowerSouth employees can help to create and maintain a culture of compliance by reviewing and adhering to the compliance messages located on PowerSouth's digital signage network."

Prefer to read an electronic version of Powerlines? Visit www.powersouth.com/powerlines to access our e-newsletter.
