The importance of critical infrastructure (gas, energy, water, transport, etc.) is easy to see from a personal perspective: if any service we consider essential and use every day suddenly disappears, it directly affects our lives [PERMAN 16]. The services, systems and infrastructure that provide such essential benefits are certainly part of critical infrastructure. From this simple perspective it is evident that critical infrastructure must be protected, but what exactly should we protect?
In recent years, cyber-attacks and cyber-threats against critical infrastructure have been reported in countries such as the United States, China, Iran and South Korea, among others; however, no verified attack against critical infrastructure had been reported until December of last year, when an attack on Ukraine's electrical system was reported after a blackout that affected around 225000 consumers. In general, cyber-attacks on critical infrastructure can no longer be considered only theory; action plans and protective systems must be defined.
In Colombia, the importance of protecting the electrical system has been recognized, and through the “Consejo Nacional de Operación” (CNO) a cybersecurity guide was defined based on the NERC-CIP (North American Electric Reliability Corporation-Critical Infrastructure Protection) standards, which includes an annex defining the critical assets to protect in the electrical sector.
Colombian Cybersecurity Legislation
In Colombia, cyber-security and cyber-defense principles were established in 2011 through document CONPES 3701 on cyber-security and cyber-defense, which inspired the CNO (“Consejo Nacional de Operación”) to issue Agreement 788 in 2015, which sets a roadmap for creating a cybersecurity guide. This cybersecurity guide is a framework based on the NERC-CIP (“North American Electric Reliability Corporation – Critical Infrastructure Protection”) series of standards.
Agreement 788 of 2015 indicates that the CNO Technology Committee “studied the rules applicable to the electrical industry to mitigate cyber-security risks in the sector and the national interconnected system, where it concluded that the best reference for application is the NERC CIP standard for critical assets and technologies based on this standard, and a cyber-security guide was developed aimed at protecting assets on the SIN (National Interconnected System)”.
The agreement also sets a six-month limit, counted from its issue date, for the generator, transmitter and distributor agents of the national interconnected system to designate a person responsible for directing and managing implementation of the Cybersecurity guide. This deadline already passed, on January 8, 2016.
Additionally, it sets a period of one year from the agreement issue date for those generator, transmitter and distributor agents to identify critical assets and critical cyber assets, risks and vulnerabilities, and to establish the level of cybersecurity management in the operation of their companies. This period ended in July 2016.
It is important to note that the cybersecurity guide gives a set of guidelines for protecting critical infrastructure (assets, cyber assets and critical cyber assets) in the electricity sector. It gives guidelines to follow as far as information security is concerned and goes beyond that, including physical access control and staff training, as NERC-CIP does. In general, it indicates what should be protected; however, it does not indicate how, nor the importance of knowing in depth what should be protected. Thus, a solid foundation in cyber-security, cryptography and PenTesting is essential to know what must be protected in critical infrastructure, how to do it, and how to permanently evaluate the security of assets, cyber assets and critical cyber assets.
On the other hand, the CNO cybersecurity guide is basically a summary of the items of NERC-CIP 002-009 that are applicable to Colombia. However, it is important to consider other standards and recommendations from the sector that can be complementary in some aspects, such as NIST and ISA99, which is focused on electrical substations; it is usual for companies in the sector (SIEMENS, ABB, ALSTOM) to follow this standard in building their equipment and automation solutions for electrical substations.
In conclusion, here are some critical success factors for implementing the Cybersecurity guide:
Critical Success Factors for Applying the CNO Cybersecurity Guide
Among the critical factors that guarantee a proper implementation of the CNO cybersecurity guide, the following should be included:
- Solid knowledge of information security and cyber-security, in order to know “what” should be protected in the electricity industry's critical infrastructure and “how”.
- Stay updated on the development and evolution of NERC-CIP, since it is the basis of the CNO Cybersecurity Guide, and very important aspects of one version are constantly becoming obsolete in more recent ones.
- Security testing (PenTesting) of the different critical cyber assets to ensure that the established security schemes are safe.
- Be familiar with the services, systems, equipment and infrastructure available, constantly research publications on security bugs found, and apply the appropriate patches preventively.
- Complement the cyber-security guide with other industry standards, for example ISA99.
Article written by: Carlos Lucero, Axon Group