When you get hit with a $10M fine, a 250-page "report", and 127 NERC CIP violations because you were not careful enough about OT Cyber Security...
You can no longer say "I didn't know" or "nobody warned me": by now Cyber Security in industrial environments is discussed at every trade fair and conference.
Best practices and directives (and regulations) are available to everyone, and everyone has to comply: if you are looking for an expert to work with on the security of your plants or processes, ask ServiTecno!
But back to the subject of this article: below are the reasons for the penalty, the full 250-page text, and some further reading at the end of the article.
Folks, if you work for an entity subject to NERC CIP or provide consulting/support services for an entity that is subject to NERC CIP, you must read up on the latest NERC/FERC enforcement action that resulted in a $10M settlement agreement.
The settlement with the “unidentified entity” also includes “other remedies and actions to mitigate and facilitate future compliance” so the cost of violations is even higher than the actual penalty.
The findings included 127 violations of the NERC CIP standards, covering 10 of the 11 standards in effect at the time – only CIP-008 was not included.
The determination was that the collective risk of the 127 violations posed "a serious risk to the security and reliability of the Bulk Power System (BPS)", made worse by the long duration of some violations. In some cases the identified standards were version 3, which means the violations dated back to before July 2015.
The key contributing causes were identified as:
- Lack of management engagement, support, and accountability relating to the CIP compliance program;
- Disassociation of compliance and security that resulted in a deficient program and program documents, lack of implementation, and ineffective oversight and training;
- Organizational silos in the form of a lack of communication between management levels within the Companies, which contributed to a lack of awareness of the state of security and compliance;
- Organizational silos across business units that resulted in confusion regarding expectations and ownership of tasks, and poor asset and configuration management practices.
Sound familiar? I wouldn’t be surprised… none of these are unique to this unnamed organization.
NERC CIP is hard… it’s really hard! But without adequate managerial support, it’s impossible.
Management took it on the chin in this report – it should be mandatory reading for every CIP Senior Manager and executive leader at Registered Entities. We can and must do better than this to protect our most critical of critical infrastructures. The full report is attached and can also be obtained here.
LINK TO THE FULL DOCUMENT (250 PAGES)
https://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_FinalFiled_NOP_NOC-2605_Part%201.pdf
https://ics-community.sans.org/t/m2w5x3/10000000-settlement-agreement-for-nerc-cip-violations
https://ics-community.sans.org/media/x16dk0/download/public_finalfiled_nop_noc_2605_part_1.pdf