Cybersecurity

Coordinator presented Cybersecurity Standard for the National Electricity Sector... (Thursday, July 30, 2020)

CYBERSECURITY?

In simple terms it is: "the practice of protecting equipment, networks, software applications, critical systems, and data from potential digital threats. Organizations have a responsibility to protect data to maintain customer trust and comply with regulations."

In Quantica projects related to regulatory compliance with the requirements placed on the entities coordinated by the National Electrical Coordinator (CEN), since the entry into force of the Cybersecurity Standard we have had to support our Customers in this area, in the aspects summarized below.

Compliance scheme for the Cybersecurity Measures requested by the Coordinator:

The implementation of these preventive measures falls within the security levels established in ISO 27001, ISO 27002, IEC 62443 and IEC 62351, among others, which are used as a guide and regulatory framework for the solutions that Quantica makes available to you.

Since security is a permanent task that requires constant evolution, Quantica offers its experience to approach this solution as a Continuous Improvement Management Process, in which the following stages are identified:

1. Review and study your current infrastructure.

2. Analyze existing requirements and regulations.

3. Establish the degree of compliance and the improvement plan.

4. Implement the improvement plan.

13 measures required by the Coordinator:

1. Establishment of processes in line with the continuous-improvement forms requested by CEN, evidenced by the supporting documents (policy, procedure, operating records, reports).

2. Based on those processes, identification of the current level or "current compliance percentage", which must then be raised or "estimated".

3. Estimation and projection of a "total implementation time" needed to reach 100% implementation.

Additionally, it should be noted that the set of "means of verification" that supports each of these aspects is provided.

Cybersecurity and the 13 Measures of the National Electricity Coordinator for electric companies

The coordinated entities of the National Electric System (SEN) must comply with the 13 minimum Cybersecurity measures requested by the National Electrical Coordinator (CEN), which apply to ALL coordinated entities, without exception, since a targeted attack on any one of them could affect the entire SEN.

These measures derive from the identification of areas of risk in the coordinated entities, and compliance with them may be subject to auditing by the Coordinator or oversight by the SEC.

The "13 Measures" (M-01 to M-13) correspond to management, cybersecurity and physical security controls that have been deemed minimum, urgent and priority for the coordinated entities. They are:

• M-01: Head of Security/Cybersecurity

• M-02: Updated network diagrams

• M-03: Asset Inventory

• M-04: Security rules for perimeter equipment

• M-05: Antivirus/Antimalware Solution

• M-06: Updated Vulnerabilities and Security Patches

• M-07: Secure configuration/hardening on technological platforms

• M-08: Logical Access Control to Systems

• M-09: Secure Passwords

• M-10: Physical Access Control

• M-11: Backup Systems

• M-12: Security/Cybersecurity Education and Awareness

• M-13: Cybersecurity Incidents

These are basic measures, very much in line with international standards, which constitute a minimum floor and a basis on which electricity companies must build their own security plans.

NERC-CIP Requirements:

Below are some of the measures that must be fully met as part of the Cybersecurity requirements established by the Coordinator.

CIP-002: Cyber Security - SEN Cyber Systems Categorization

Identify and categorize SEN Cyber Systems and their corresponding Cyber Assets for the application of cybersecurity requirements, according to the adverse impact that the loss, compromise, or misuse of those SEN Cyber Systems could have on the safe and reliable operation of the SEN. The identification and categorization of SEN Cyber Systems supports adequate protection against events that affect or compromise facilities and could lead to misoperation or instability of the SEN.

CIP-003: Cyber Security — Security Management Controls

Specify consistent and sustainable security management controls that establish responsibility for protecting SEN Cyber Systems against events that affect or compromise facilities and could lead to misoperation or instability of the SEN.

CIP-004: Cyber Security — Staff and Training

Minimize the risk posed by the actions of individuals who access SEN Cyber Systems, which could lead to misoperation or instability of the SEN, by requiring an adequate level of risk assessment, security awareness and staff training as supporting measures for the protection of SEN Cyber Systems.

CIP-005: Cyber Security — Electronic Security Perimeter (PSE)

Manage electronic access to SEN Cyber Systems by specifying a controlled Electronic Security Perimeter (PSE) that supports the protection of SEN Cyber Systems against events or acts that could lead to misoperation or instability of the SEN.

In total there are 14 requirements, each subdivided into sub-requirements, so the above is only a sample of the type of requirement that must be satisfied for the Coordinator. Quantica offers its Consulting services to address each and every one of these requirements.

What can we help with?
