The Steadfast Group Glossary/FAQs

1. What is the difference between FERC and NERC?
2. As a utility company, are we required to meet any legal minimum security standards?
3. What is CIPAG?
4. How vulnerable are facilities to Internet worms or viruses and what can be done to prevent it?
5. Are there any benchmarks for what other companies are spending on cybersecurity?
6. What would it cost to get a quick security vulnerability assessment?
7. What is the most cost-effective method for complying with cybersecurity standards?
8. Cybersecurity standards are so complicated that my facility will never be able to comply. Why bother?
9. Our facility does not have a budget for meeting physical security standards, let alone cybersecurity standards. Where can we go for funds?

1. What is the difference between FERC and NERC?
The Federal Energy Regulatory Commission (FERC) is an independent agency that regulates interstate transmission of natural gas, oil, and electricity. FERC is composed of up to five commissioners who are appointed by the President of the United States with the advice and consent of the Senate.

The North American Electric Reliability Corporation (NERC), formerly known as the North American Electric Reliability Council, is an organization whose members are drawn from all segments of the electric industry: investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal and provincial utilities; independent power producers; power marketers; and end-use customers in the United States, Canada, and a portion of Baja California Norte, Mexico. NERC sets standards for the reliable operation and planning of the bulk electric system and monitors, assesses, and enforces compliance with those standards.

The Energy Policy Act of 2005 authorized the creation of a self-regulatory electric reliability organization (ERO) that spans North America, with FERC oversight in the United States. The legislation makes compliance with NERC and regional reliability standards mandatory and enforceable; previously compliance was voluntary in the United States. The legislation respects the international character of the bulk electric system by ensuring that the ERO applies for and receives comparable recognition and approvals from government authorities in Canada. On July 20, 2006 FERC issued an order certifying NERC as the ERO for the United States.

2. As a utility company, are we required to meet any legal minimum security standards?
Yes. NERC's Permanent Mandatory Cyber Security Standards went into effect on June 1, 2006. CIP-002 through CIP-009 require due diligence in certifying that the security of your cyber assets, including their physical security, is assured. The Steadfast Group specializes in NERC CIP compliance engagements in which we train and guide your internal team to comply with NERC's standards and walk them through all of the reporting requirements.

3. What is CIPAG?
The Critical Infrastructure Protection Advisory Group (CIPAG) is a thirty-six member, expert advisory panel to the NERC Board of Trustees and Standing Committees in the areas of physical and cyber security. CIPAG's members are selected based upon expertise in physical security, cyber security, and operations security. Its mission is to advance the physical and cyber security of the critical North American electricity infrastructure.

4. How vulnerable are facilities to Internet worms or viruses and what can be done to prevent it?
Control systems have been invaded by Internet worms and viruses on multiple occasions. These incidents are well documented and verified by NERC, and over the past few years a significant number of electric utility real-time networks have been compromised. In two well-known electric utility cases, the SQL Slammer worm penetrated real-time networks and blocked SCADA traffic. In another instance, a virus disabled two monitoring systems at a U.S. nuclear power plant.

5. Are there any benchmarks for what other companies are spending on cybersecurity?
Yes. In a recent survey, The Meta Group (www.metagroup.com) found that despite tight budgets, average cybersecurity spending, per-company, has more than doubled in the past two years. In their most recent survey, cybersecurity accounted for 8.2% of an average company's C3 (computer, communications and control) systems budget vs. only 3.2% two years prior.

6. What would it cost to get a quick security vulnerability assessment?
Fees are based on the extent of the facilities and systems covered, the depth of the assessment, and the level of detail required. For smaller facilities with limited critical assets, connectivity, and asset dispersal, fees run to a few thousand dollars. As part of our customer service, The Steadfast Group offers a no-cost, fact-finding preliminary assessment, which provides the facility with a proposal outlining a variety of possible assessment and remediation programs.

7. What is the most cost-effective method for complying with cybersecurity standards?
The Steadfast Group offers no-cost fact-finding preliminary assessments that outline a variety of possible assessment and remediation programs. Once a facility has our recommendations, it can seek alternative re-assessment and remediation solutions from a variety of potential suppliers. We offer our no-obligation benchmarking service because we believe facilities will find The Steadfast Group delivers the most cost-efficient, thorough means to initiate increased cybersecurity.

8. Cybersecurity standards are so complicated that my facility will never be able to comply. Why bother?
The mandatory standards exist to protect a facility, its employees, and the general public. However, the standards are mandatory, and a facility that chooses to ignore them is comparable to an individual who fails to file an income tax return "because the tax code is too complicated." If a facility makes no attempt to comply, it puts its entire operation at risk. If a facility does its best with a reasonable deployment of resources and still falls short of full compliance, it sends a message to the rule makers. The Steadfast Group can help facilities unravel the complex issues of cybersecurity and design a plan of action that keeps them on track with their budget as well as compliant.

9. Our facility does not have a budget for meeting physical security standards, let alone cybersecurity standards. Where can we go for funds?
In these vulnerable times, companies need to re-think priorities. Without additional funding, a budget pool is fixed and the only option is to look at re-allocations. For example, is there a budget for landscaping? Could that be pruned a bit in order to provide at least a meager budget for security? In one municipal utility The Steadfast Group has worked with, security funding came from the road pothole repair budget. In the words of the Mayor, "Our citizens can live on if we don't fix the potholes this year. They may not if we don't fix the utility security vulnerabilities this year."