|
 |
|
CIP CHALLENGES AND SOLUTIONS |
"The greatest challenge is to identify and fully understand the linkages among the infrastructures (i.e., the interdependencies) and what they mean," according to the North American Electric Reliability Council's 2001 report, "An Approach to Action for the Electricity Sector," concerning critical infrastructure protection. "The electricity sector needs to develop a greater awareness of critical infrastructure protection [CIP] issues, not only within the sector, but also more broadly, from an interdependencies perspective. If power system planners and operators fail to understand how disruptions to one infrastructure could propagate throughout the infrastructures, they will not be prepared to deal effectively with multiple infrastructure contingencies."
 The National Petroleum Council came to a similar conclusion in its CIP report for the oil and natural gas sector. The council identified information technology (IT) and telecommunications, specifically, as leading areas where a catastrophic event or failure could occur that could cripple any of the critical infrastructures. In less than one generation, it pointed out, the information revolution and the introduction of the computer has changed how businesses and economies operate. While the new business environment offers new opportunities to the oil and natural gas infrastructures, it also presents serious challenges with regard to CIP. Increased adoption of cyber systems, supervisory control and data acquisition (SCADA), enterprise resource process systems, automated meter reading, internet-based transactions, just-in-time logistics, and e-commerce help these infrastructures operate more efficiently. But oil and natural gas infrastructures have come to depend on technology before adequate processes have been developed to protect the systems.
Both industry reports had overlapping recommendations for the energy industry in regards to mitigating the vulnerabilities from interdependencies.
Each company should regularly conduct vulnerability assessments of its own systems and operations and take action as appropriate. Risk management processes should include both electronic and physical security.
Industry and government should advocate the development, adoption, and implementation of IT management processes to reduce vulnerabilities of cyber and other electronic systems on which these industries are dependent.
Response and recovery plans should encompass physical and cyber security as well as interdependencies. These plans should be coordinated with other infrastructures and regional, state, and local emergency response programs.
Industry and government should promote CIP and interdependencies research and development.
Better monitoring and detection techniques should be developed among energy industry participants, other critical infrastructure providers, and government.
Also, regional interdependencies workshops and exercises should be conducted to facilitate awareness and the development of an integrated interdependencies strategy, raise awareness of CIP and infrastructure interdependency issues, and identify and highlight roles, responsibilities, and authorities (local, county, state, and federal) for responding to and recovering from infrastructure disruptions.
Two major energy infrastructure initiatives are already underway that can help mitigate vulnerabilities from interdependencies. The first is the development of an energy information sharing and analysis center (energy ISAC) to provide a secure information-sharing mechanism to collect, assess, and share with its members information on physical and electronic threats, interdependencies, certain vulnerabilities, incidents, and solutions/best practices. The energy ISAC is open to all members of the energy infrastructure and provides timely alerts and warnings along with solutions and fixes. More information on the energy ISAC is available at its website, www.energyisac.com.
The second initiative is the NERC Indications, Analysis, and Warning (IAW) program, which involves representatives from the electricity supply industry and the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC). The IAW is a voluntary information-sharing program between electricity suppliers and NIPC. The purpose of the program, which is modeled on the industry's disturbance reporting procedures, is to protect the electricity infrastructure by providing the industry with early and actionable warnings of imminent or potential cyber or physical attacks. |
|
