Power generation and distribution facilities clearly pre-date the information technology revolution. Therefore, it is not surprising that power companies have historically kept their control system networks completely separate from their general computing networks. Convenience and favorable economics are driving integration and homogenization of the power industry’s control system networks and computer networks. Round-the-clock monitoring and corrective actions by remote operators and process engineers, real-time reporting, and sophisticated decision-making systems all require rapid access to control system data.
Sourcefire's solutions allows IT professionals in the power and energy industry to:
- Protect interconnected control systems and computing networks.Along with the benefits that it provides, interconnectivity also has significant risk. Most Supervisory Control and Data Acquisition (SCADA) and process control systems were developed at a time when good security amounted to controlling physical access to them and their associated consoles. Few, if any, security measures have been incorporated into these systems. Interconnectivity means increased accessibility—including from over the Internet. The result is a new weakest link—one that ultimately puts not only power facilities in jeopardy, but also entire corporate computing environments.
- Comply with regulatory requirements designed to maintain continuity of operations. Power generation and distribution facilities are considered critical infrastructure. Among other events, the electrical blackout of August 14, 2003, reminded the United States public of that fact. It also prompted increased scrutiny by the government. A significant outcome is the Energy Policy Act of 2005, which called for the Federal Energy Regulatory Committee (FERC) to create an electric reliability organization that will be responsible for developing standards—including security guidelines for power plants. That organization is called the North American Electric Reliability Corporation (NERC). NERC’s board of directors has already adopted nine Cyber Security Standards, which address asset identification, security management controls, personnel and training, perimeter security, systems security, incident reporting, response planning, and recovery plans.