It’s often said that cybersecurity is hard. Anyone who has ever worked their way through the SANS Critical Controls, PCI-DSS or even something as deceptively minimalist as the OWASP Top 10 knows that achieving these security initiatives is a time-consuming, diligent and often multi-team effort.

Now imagine amplifying that responsibility across a power company whose generation and grid assets extend over a broad geographic region, and you start to get an idea of the challenge that awaits you. In recent years, plenty of power plants have struggled to strengthen their digital security and have suffered digital attacks in the process. Back in 2016, for instance, Reuters reported that investigators had found the W32.Ramnit and Conficker computer viruses hiding in a computer system at the B unit of the Gundremmingen nuclear power plant in Germany. A year later, BBC News reported that the Chernobyl nuclear power plant had resorted to manually monitoring radiation levels after its Windows systems were hit by the NotPetya attack. A couple of years after that, the Nuclear Power Corporation of India Limited confirmed a breach of the administrative network at the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India, as reported by The Washington Post.

Cybersecurity and the NERC CIP Reliability Standards

If you work in cybersecurity for a power company, you are most likely familiar with the North American Electric Reliability Corporation (NERC) and its Critical Infrastructure Protection (CIP) Reliability Standards. If you do not work in the power industry, there are many lessons to be learned from this sector that are applicable to all cybersecurity practices.

That being said, there are two striking differences between power companies and other industries. The first is that the power sector is one of the few industries that relies on collaboration between different companies on a regular basis. Rarely do we (Read more...)