Power and utility companies face a plethora of directives affecting their business operations, and their IT GRC environment in particular. Publicly traded organizations must also comply with a number of additional regulations such as Sarbanes-Oxley and various state regulations. In addition, the US Federal Energy Regulatory Commission (FERC) approved, in January 2008, the following eight mandatory Critical Infrastructure Protection (CIP) reliability standards:
- Critical Cyber Asset Identification
- Security Management Controls
- Personnel and Training
- Electronic Security Perimeters
- Physical Security of Critical Cyber Assets
- Systems Security Management
- Incident Reporting and Response Planning
- Recovery Plans for Critical Cyber Assets
These reliability standards require certain users, owners and operators of the bulk power system to “establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident”. The standards specify the responsible party, the requirements, and the different levels of non-compliance.
The investment necessary to meet these requirements can be significant. Organizations that can reduce these costs and turn their risk and compliance efforts into a structured, controlled process will be more successful. The systems used to manage the generation and transmission of power, known as Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS), were not designed with security in mind. These systems, which were intended to run 24 hours a day, 365 days a year, satisfy their originally intended purpose but do not address IT security requirements.
These regulations require controls at various points within the organization, from IT systems development and management through to process controls for both physical and environmental security. They center on the identification and definition of controls and on the establishment of a robust security process within the organization. Meeting them also requires a framework that lets the organization manage both its defined controls and the applicable regulatory requirements, so that compliance is ensured efficiently and effectively.
Challenges faced by the power and energy sector include:
- Multiple regulatory bodies and requirements
- New forms of regulatory compliance, even if the organization is already subject to other regulations
- Additional factors such as manpower issues can make implementations challenging
- Ambiguity of published standards
- High costs of defining controls for IT
- High costs of demonstrating compliance
How Modulo Risk Manager helps Power and Energy organizations deal with these challenges:
- Simultaneously assesses compliance with different frameworks and regulations, including COBIT, ISO 17799/27002, ISO 27001 and SOX
- Delivers a framework for addressing Cyber, Physical and Operational security requirements for SCADA system operators in the Oil & Gas, Water and Electric Utility Markets
- Supports SB 1388 compliance
- Provides conformity with the NERC CIP standards
- Establishes a robust IT-GRC business process providing a comprehensive, real-time view into risk and compliance across the enterprise, including partners and vendors
- Assists in developing effective and cost-efficient audits
- Reduces audit silos
- Creates a centralized and easily accessible evidence repository
- Eliminates redundant and unnecessary controls
- Manages security requirements for multiple audits, eliminating redundant costs and unnecessary controls
- Implements a robust operational IT risk program including automating survey workflow throughout the organization, developing key risk indicators for IT, and assessing threats using COSO and AS/NZ 3460 standard methodologies
- Demonstrates continuous multi-regulatory compliance with a “test once, comply with many” capability, dramatically reducing the cost and cycle time of testing and reporting while improving their quality
- Integrates and automates technical controls by leveraging existing IT investments in security and change management systems: it ingests data from vulnerability scanners, CMDBs, IdM systems, segregation-of-duties systems and other sources to automatically generate reports, drill down to critical controls, and set priorities based on the areas of highest risk
- Migrates over time to standard control frameworks such as ISO 27001/27002, COBIT, and NIST
- Creates enforceable policies and monitors controls across functional and geographical boundaries
- Ensures compliance with PCI DSS (Payment Card Industry Data Security Standard)