SOURCE: LockPath, Inc.


April 02, 2015 12:04 ET

Avoiding Another Stone Age: Business Continuity for Utilities

OVERLAND PARK, KS--(Marketwired - April 02, 2015) - Our culture is obsessed with doomsday scenarios. We can easily picture, say, an army of zombies lurching toward an isolated, rural power plant. They breach the outer fences and gain access to the heart of the facility, chewing through turbines, generators, and transformers, the very flesh and bone of our critical infrastructure. The lights go out all across the U.S. due to multiple attacks. Chaos ensues. Zombies take over the world. Roll credits.

While zombies may not cripple the nation's power grid, many believe other forces could. The potential for attacks on industrial control systems has been documented. A scenario whereby a team of foreign hackers sitting in dimly-lit basements surrounded by computer screens and empty energy drink cans shuts down the grid is, at the very least, imaginable.

The utilities industry is one of the most important industries in the United States, which is why it is deemed part of the critical infrastructure. This industry has the ability to immediately affect a huge percentage of people and shut them off from basic necessities. If major portions of the grid went down, the U.S. could be sent back to the Stone Age in a short amount of time. Because of this, business continuity plans need to be put in place to ensure this over-the-cliff moment is never realized.

NERC's latest version (5) of the Critical Infrastructure Protection (CIP) standards lays out what bases these plans need to cover in the event of a cyberattack. A few of the business continuity plan standards laid out in CIP 009-5 are:

  • One or more processes for the backup and storage of information required to recover BES Cyber System functionality.
  • One or more processes to preserve data, per cyberasset capability, for determining cause of a cybersecurity incident that triggers activation of recovery plan.
  • Test each recovery plan every 15 months (by recovering from actual incident, tabletop exercise, or operational exercise).
  • Document lessons learned no more than 90 days following test of a recovery plan or actual recovery; update plan based on lessons learned, notify each person with assigned role during plan of updates.
  • Notify affected personnel within 60 days of changing any roles, responsibilities, or technology involved in plan.

It is important to note that CIP 009-5 is not a comprehensive plan. Its requirements only encompass cyberassets responsible for the flow of electricity. Business continuity for utilities should focus on two areas: the first is functions involving production and distribution, and the second is corporate functions. Regardless of the physical or technological segregation between these two areas, a business continuity management software solution, such as LockPath's Keylight platform and Business Continuity Manager application, can bridge the gap and effectively manage both simultaneously.

With this solution, the management of these plans can be made more efficient, ensuring proper, timely execution should the need arise. With a business continuity management software solution you can manage your business continuity plans, policies, and processes from creation to execution, and anywhere in between.

All utility organizations need to plan for disaster, whether that be hurricanes in the Gulf Coast, earthquakes on the West Coast, zombies, or hackers. It's better to be safe and have these plans in place than to have something happen and be sorry. That way, if an event were to occur, your company is back up and running quickly, and the lights (or water) are back on. Oh, and no zombie takeover.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.
