Critical Infrastructure Security

Ensuring Grid Continuity with Cyber Best Practices

Critical infrastructure facilities face threats that are constantly and rapidly changing. Companies must meet the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards to reduce compliance risk.

Delta Risk understands the unique challenges facing organizations that support and operate Industrial Control Systems (ICS) and IT networks associated with critical infrastructure. We have specialized staff to provide tailored cyber security services to evaluate, advise, and assist critical infrastructure industries on these distinct issues.

Our team has the technical and operational experience to effectively assist these organizations with their cyber security needs, including technical experts who have extensive experience with the NERC CIP standards. We offer a variety of cyber security services, including developing your information security program, managing your technical security needs, and responding to a breach, if necessary.

Gain a Detailed Analysis of Your Cyber Security Program

ActiveInsight: NERC CIP Security Program Assessments

A company subject to NERC CIP jurisdiction must have a comprehensive cyber security strategy. Developing a program, reviewing its effectiveness, and testing this plan will not only ensure compliance but will also help mitigate the risks of a devastating cyber-attack.

Our assessment service reviews your current program’s strengths, identifies weaknesses, and provides a detailed analysis of your cyber security program.

Once your program is developed, you will want to test its effectiveness in simulated real-world scenarios. Delta Risk offers a host of red-team and tabletop exercises. We tailor these exercises to your company’s specific security needs and develop them with our expertise in critical infrastructure protection.

To meet the requirements of NERC CIP 004-6 (Personnel & Training), we also offer several cyber security training and education courses for all employees. This training is specialized for critical infrastructure employees because of the unique nature of ICS.

Efficiently and Effectively Manage Your Security Needs

ActiveEye: Critical Infrastructure Managed and Professional Security Services

Delta Risk offers managed security and professional services that draw on our expertise in defending against critical infrastructure incidents, so you can focus on your immediate business needs. These services will also help you stay in compliance with NERC CIP.

Our managed security services are custom-tailored to meet your specific needs — all while being scalable to the size and complexity of your organization.

Protect Your Network From Attackers

ActiveResponse: Breach Response Services for Critical Infrastructure

Delta Risk maintains a variety of services to help you respond to a breach event. We will hunt for current or undiscovered threats affecting your network. If an intrusion is found, we can coach your company through the breach event. Finally, we can provide a response team with a host of capabilities to deal with the threat directly.


Cyber Threats to the Grid

The days are gone when companies serving our critical infrastructure could rely on a strategy of security through obscurity. Now, cyber criminals bent on achieving their malicious goals will target the lowest-hanging fruit: those entities with the weakest defenses. To combat this weakness, standards like NERC CIP and industry cyber best practices have been put in place.

Even with these baseline guarantees, it is a matter of when, not if, a serious cyber-attack will affect a major part of our critical infrastructure. In December 2015, a cyber-attack caused 225,000 citizens in Ukraine to lose power, making it the first-ever reported cyber action that had physical consequences for the grid. In 2013, Iranian hackers infiltrated the networks of a small dam outside of New York City, demonstrating the vulnerability of the U.S. grid. Many are now aware of the successful operation known as Stuxnet, which consisted of a computer virus that destroyed or disabled large numbers of uranium-enriching centrifuges integral to Iran’s nuclear program.

This category of critical infrastructure includes those companies that have large customer bases and whose systems are generally controlled by Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), or ICS. They include industries like the communications sector, the energy sector, and the manufacturing sector, to name a few.

Cyber Compliance Requirements for Critical Infrastructure

Because maintaining the operation of many of these industries is crucial to the security of our nation, the U.S. Government enacted several laws to mandate the strengthening of their defenses. The authority for such regulations comes from the Energy Policy Act of 2005. Under that act, NERC develops cyber security standards, and the Federal Energy Regulatory Commission (FERC) reviews and approves them.

The FERC is the federal entity responsible for standardizing grid connectivity over the three distinct grids (the Eastern, Western, and Texas sections) that service all of the U.S. and parts of Mexico and Canada. The NERC is a collection of industry experts, regional entities, and federal and state government representatives.

NERC/FERC implement the cyber security requirements in several continually updated critical infrastructure protection (CIP) standards. These standards cover multiple issues, including identifying critical assets, training personnel, reporting and responding to incidents, and developing programs and recovery plans. The most recent version of the CIP standards is version 5, approved in 2013. Under this regulation, NERC has the authority to audit companies subject to its jurisdiction. It can also issue fines up to $1 million per violation per day.

Other federal agencies that have jurisdiction over the cyber security of critical infrastructure include:

  • The Department of Energy (DOE)
  • The Department of Homeland Security (DHS)
  • The National Institute of Standards and Technology (NIST)
