Brian Cleary
Brian Cleary
Regulatory compliance has become a major focus for energy and utilities corporations. Demonstrating compliance through an annual review and certification process can be complex and time consuming, which results in less time available for organizations to focus on core business activities. The net result is higher operational and regulatory risk exposure.

Regulatory oversight and audit standards for the energy and utility industry focus largely on reliability. Reliable service for consumers is tantamount. Many of the guidelines were written in response to high profile incidents, such as the 2003 Northeast power blackout and the event at Ohio's Davis-Besse nuclear power plant (also 2003), in which safety systems were brought offline for nearly five and a half hours due to an IT access issue. Fortunately, the plant was offline for other reasons at the time, so disaster was averted.

These types of events provide a sobering reminder for the need for proper access risk management. The Davis-Besse incident was particularly interesting: Though the culprit was the Slammer worm, it was largely an access governance issue responsible for the vulnerability. A contractor partner with inappropriate access to the corporate network opened an entry point for the worm; the corporate network was not appropriately segregated from the safety systems.

Access governance is a core component of much of the regulations within the energy and utility industry. Segregation of duties (SoD) is a primary component -- to ensure that access is appropriate for a particular job function or role so that transmission information can't be used to manipulate market pricing. Access can represent a significant regulatory risk exposure for organizations with ad hoc access control and governance processes. To mitigate such exposure, organizations can implement automated access governance procedures and SoD controls.

Continually evolving requirements, looming deadlines
FERC has directed NERC to monitor the work that the National Institute of Standards and Technology (NIST) conducts on potentially complementary technical standards. As a result, the NERC critical infrastructure protection (CIP) standard, though created initially by NERC, may be a work in progress, and requirements may evolve to incorporate NIST requirements in the future.

NERC's CIP has become a de facto cybersecurity standard for virtually all energy and utility organizations in the North America. The CIP was made mandatory in 2006, with external auditing beginning in June of 2007. The CIP spells out a fairly prescriptive set of access controls to which energy and utilities firms must adhere to comply. These include creating and maintaining a security policy, identifying and implementing electronic access controls for access to critical assets, maintaining documentation of the access controls, and continuously monitoring and protecting electronic access to critical assets. In addition, NERC requires a multifaceted and comprehensive compliance program, which involves initiatives including periodic reporting, self-certification, random spot checking and compliance audits.

The NERC CIP standard now requires compliance with the full scope and intent of all requirements. Organizations must maintain documentation, logs and audit records that can demonstrate compliance. In addition, in 2010 organizations must be auditably compliant, meaning organizations must be able to produce all documentation for the previous twelve months to auditors and external stakeholders on demand.

Best practices for getting compliant
An initial NERC CIP compliance program should start with a readiness assessment and gap analysis, followed by a mapping exercise to the existing control framework. Organizations with a comprehensive control framework in place will have a leg up on the process, but for other entities this can represent an opportunity to build such a framework. Such a control framework for access governance will pay dividends both in terms of operational and compliance risk reduction as well as in a reduction of the operational overhead required with ongoing compliance processes. Regulatory compliance management is an ongoing process, and should not be treated as a one-time project.

To become compliant with specific CIP requirements, organizations must have enterprise-wide visibility to user access. Under CIP requirements, a holistic view of all user access entitlements is required. To get a unified view of user access is almost impossible from most organizations without a centralized access governance framework in place, as they tend to manage access at the information resource level. Having such a framework in place provides a comprehensive view of enterprise access reality, i.e., understanding who has access to what information resources at a fine grained entitlement level.

Organizations also must perform regular access reviews under CIP. For many entities, access reviews are performed in an ad hoc and manual fashion, and can be a painful and labor-intensive process. Typically, this involves exporting user access data into spreadsheets. Controls are then applied in a manual fashion. The resultant data is error prone. Poor access change management can make problems fester and multiply.

Formalizing an access risk management program is also a core requirement of the CIP. Additionally, the FERC Standard of Conduct requires automated controls to ensure segregation of duties are enforced, for instance, to ensure that the marketing department does not have access to risk analysis and price forecast data.

Most organizations rely on manual, detective controls in this area, catching potential violations through periodic audit and review processes. Automated preventative controls are far superior, and a strong access governance program should contain the ability to stop segregation of duties violations from being granted in the first place.

This process is known as continuous role lifecycle management, and it reduces the administrative burden involved with access delivery and change management. As a result, fewer control violations go unnoticed, and access reviews and risk management efforts become much less labor intensive.

However, being compliant is of little value to organizations if demonstrating evidence of compliance to auditors and regulators is difficult or impossible to produce. For entities with ad hoc and manual compliance processes in place, the costs are high.

Compliance “rubber stamping” is a common occurrence in organizations with poor access governance. It happens because of a language gap between the business stakeholders who are required to certify compliance and IT security teams that provide user-entitlement data, typically in cryptic technical terms that the business people can't understand.

In addition to rubber stamping, compliance fatigue is a common problem. A typical organization is subjected to numerous regulatory mandates, and utilities are no exception. System administrators and business managers alike frequently complain about being required to respond to redundant and independent requests for access certification from numerous sources.

Automating the solution
A roles-based approach to governing user can help reduce the review task considerably -- it means certifying by role rather than individual. A department of 300 people might be represented by four or five roles. By certifying the role structure – entitlements that make up the role – a great deal of efficiency is gained. If no member of the role has entitlements outside of the role, and the entitlements within the role structure are in compliance, then everyone that is a member of the role automatically inherits the compliance. Additionally, role-based access governance can automate a set of processes for event-driven reviews that require a review of access only when it changes.

Role based access governance also introduces a preventative approach to managing operational and compliance risk. Managing user access through continuous, dynamic access lifecycle management simplifies compliance by introducing a set of preventative controls that run at the point of requesting access, which avoids the introduction of compliance violations while ensuring the timely delivery of access to business users.

To meet the objective of being auditably compliant cost-effectively fashion, organizations can invest in an automated access governance program. This approach will ease both the initial setup of a NERC CIP compliance program, as well as streamline the ongoing maintenance while reducing organizational costs and mitigating access risk exposure.