For instance, he would like the CIP standards to move more rapidly and possibly be augmented with more agile ways for covered organizations to manage their risk. "It takes years for these standards to be agreed upon. That's way too long for cyber security," he says.

Additionally, Weatherford says that a more dynamic risk management framework that can be used in conjunction with the CIP standards would help facilities manage risk more intelligently. "Just as all systems are not equally critical, the risk postures of different plants are not the same and can't be managed the same way," he says. "We've just begun work on developing a more agile way for organizations to leverage the CIP standards."

Assante also agrees that critical infrastructure regulations should be risk-based and more agile, to better prepare critical infrastructures and the security teams that protect them. "Legislation should include the need for more sharply defined federal authority to address specific and imminent cyber security threats to critical infrastructures in the form of emergency measures," Assante said in a hearing before the Senate committee on homeland security and government affairs in November.

Utility company implements network encryptors to protect SCADA data and meet NERC requirements

With a huge power plant built back in the 1940s that covers a lot of square footage, the North American Energy Alliance (NAEA) faced a compliance challenge. North American Electric Reliability (NERC) standards require that wiring between physical security perimeters be enclosed in conduit or that the data be encrypted. For the NAEA, that would have meant a lot of conduit, so it opted to encrypt, says Dominick Birolin, network engineer at NAEA.

The company, which is based in Iselin, N.J., and owns a portfolio of 1,755 megawatts of electricity-producing power stations in the Northeast, looked at a variety of encryption options, including point-to-point IPSec tunnels. But it determined that IPSec tunnels would result in latency problems, Birolin says. NAEA ultimately chose network encryptors from CipherOptics for securing its SCADA information. CipherEngine Enforcement Points from CipherOptics are FIPS 140-2 Level 2 validated encryption appliances.

