CIP Standard Gap Assessment

CIP Standard Gap Assessment

Location: Various locations throughout Ontario

Client: Ontario Power Generation

Completion Date: 2008

Burns & McDonnell was contracted to perform a gap assessment of the current state of fossil and hydro facilities with respect to the North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP) standards (CIP-002 through CIP-009).

The facilities involved in this review were identified by client Ontario Power Generation as critical cyber assets (CCAs). All findings were clearly distinguished between those items that are required in order to achieve compliance with the NERC CIP standards and opportunities for improvement to go above and beyond the requirements of the standards. Where possible, Burns & McDonnell provided recommendations for strategies to reduce the number of CCAs within the electronic security perimeter at each facility in order to reduce the overall compliance effort.

Burns & McDonnell uses a multi-layered approach to cyber and physical security. When surveying a facility, risks, protection measures and mitigating factors are considered and assessed for their ability to facilitate core the security principles of prevention, detection and response. This survey was performed on 15 separate CCAs, including fossil fuel and hydro generation and regional control centers throughout Ontario.

Burns & McDonnell’s electronic system security methodology included surveys of physical security systems, fire alarm systems, SCADA systems, HVAC systems and utility monitoring and control systems.

Using integrated access control and alarm management as per the NERC CIP standard, along with credential readers, locking devices and alarm contacts, protects the CCA area with a rigorous and auditable process for granting, revoking and monitoring access, as well as retaining a computerized log for an extended period. Each location will have an interior video surveillance system to log people entering a physical security perimeter that contains protected CCAs.

The alarm contact inherent on an access-controlled door allows a captured video log on authorized and unauthorized entry. Limiting access points to the physical security perimeter combined with fixed cameras on those access points results in a highly effective video surveillance coverage area. Integrated security systems combine the functions of many security platforms (access control, closed-circuit television, fire and intrusion alarms). When combined, they offer centralized monitoring for rapid assessment and response.