There’s a saying in the cybersecurity community which states that just because you are compliant doesn’t mean that you are secure. Over the years, many images have been used to illustrate the point. One memorable image is that of a nude bicyclist wearing a helmet. By all standards, that is the epitome of “compliant, but not secure”. 

Many organizations have shifted their focus away from merely achieving compliance to being both compliant and secure. Security is often more difficult to achieve than compliance, so meeting the higher standard of security usually satisfies the compliance details as well. This mindset is most visible in organizations that are part of critical infrastructure, where adherence to very strict rules goes far beyond compliance.

Electrical companies are tasked with the burden of providing uninterrupted power across the nation. To assist in this goal, the North American Electric Reliability Corporation (NERC) was founded as an advisory body, making recommendations to increase the reliability of the North American power grid. Over time, NERC took on a more regulatory role, creating the Critical Infrastructure Protection (CIP) standards, which govern the operation of electrical companies. One important aspect of the CIP standards is security.

When it comes to security, one of the most deceptively simple protective measures is to apply security patches to all the systems in the environment. Even in a small organization this can be a challenge, as the number of devices, coupled with the number of patches, can quickly overwhelm even the most diligent security practitioner. In an electrical company, not only do the systems run to hundreds or thousands of patchable components, but the patches themselves can be just as numerous. This creates millions of patch/server combinations that must be measured every month, each requiring specific audit justification.
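As an added illustration (not from the original post) of the combinations the paragraph describes, the following Python enumerates every applicable asset/patch pair from a constructed inventory and flags pairs that have no documented disposition or whose disposition lacks a justification. The 35-day evaluation window is an assumed parameter, as are all asset, patch and status values.

```python
# Added example (not from the original post): an audit-evidence check that
# enumerates every applicable (asset, patch) pair and flags those lacking a
# documented disposition. All inventory and patch data below is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import product

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str

@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    affected_versions: frozenset  # product versions this patch applies to
    released: date

ASSETS = [Asset("rtu-01", "scada-hmi", "4.1"),
          Asset("rtu-02", "scada-hmi", "4.2"),
          Asset("hist-01", "historian", "2.0")]
PATCHES = [Patch("P-2024-001", "scada-hmi", frozenset({"4.1", "4.2"}), date(2024, 1, 10)),
           Patch("P-2024-002", "historian", frozenset({"2.0"}), date(2024, 1, 20)),
           Patch("P-2024-003", "scada-hmi", frozenset({"3.9"}), date(2024, 1, 25))]
TODAY = date(2024, 3, 1)  # constructed audit date
# (asset, patch) -> (status, justification); one record lacks a justification,
# and hist-01/P-2024-002 has no record at all.
DISPOSITIONS = {("rtu-01", "P-2024-001"): ("applied", "Installed in Jan maintenance window"),
                ("rtu-02", "P-2024-001"): ("mitigated", "")}

def applicable_pairs(assets, patches):
    """Cross product of assets and patches, kept only where the patch applies."""
    return [(a, p) for a, p in product(assets, patches)
            if a.product == p.product and a.version in p.affected_versions]

def audit_gaps(assets, patches, dispositions, today, window_days=35):
    """Return (asset, patch_id, reason) for each pair without usable evidence.
    window_days is an assumed evaluation deadline, a parameter of this example."""
    gaps = []
    for a, p in applicable_pairs(assets, patches):
        rec = dispositions.get((a.name, p.patch_id))
        overdue = today > p.released + timedelta(days=window_days)
        if rec is None:
            gaps.append((a.name, p.patch_id, "no disposition" + (" (overdue)" if overdue else "")))
        elif not rec[1].strip():
            gaps.append((a.name, p.patch_id, f"status '{rec[0]}' without justification"))
    return gaps
```

Running `audit_gaps(ASSETS, PATCHES, DISPOSITIONS, TODAY)` on the constructed data reports two gaps out of three applicable pairs; the patch for an unrelated version produces no pair at all.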