Security Awareness Blog

Not your father's CIP

Michael Assante

Many things are still fuzzy when thinking ahead to CIPv5, but one thing is clear: you can't simply take your past V3 experience and apply it forward. NERC and industry have taken a big step forward in designing a set of cybersecurity standards that focus on protecting against cyber compromises that could lead to "misoperation or instability" of the North American Bulk Electric System.

NERC, anticipating the material nature of the enhancement, initiated a program to help industry transition directly from CIP Version 3 to CIP Version 5. There is a combination of challenges that makes it a necessary and significant investment:

...

To NERC CIP Version 6 and Beyond!

Buckle up folks because the NERC CIP roller-coaster is about to take off again! The July 16, 2015 FERC Notice of Proposed Rulemaking (NOPR) proposes to approve the CIP V5 modifications (CIP-003-6, CIP-004-6, CIP-006-6, CIP-007-6, CIP-009-6, CIP-010-2, and CIP-011-2), which will collectively be known as CIP Version 6. FERC also proposes to accept the new (Transient Cyber Asset and Removable Media) and revised (BES Cyber Asset and Protected Cyber Asset) definitions for inclusion in the NERC Glossary of Terms. No surprises here - most of us who have been following the standard development process expected this action.

However, there were a few significant developments in the NOPR that provide some insight

...

All things NERC CIP @SANSICS

Ted Gutierrez

If you know anything about SANS you probably know that it's the world's largest provider of cyber security training and certification to professionals at governments and commercial institutions. We understand that the only defense against advanced cyber attackers is the skills that SANS teaches, and we take that responsibility very seriously. We also know that a significant concern today is the need to protect the critical infrastructure essential to providing basic services to a society, and that the foundation of those critical infrastructures is a reliable bulk electric system (BES).

What you may not know is that SANS is developing training tailored specifically to help electric system asset owners and

...

Lessons Learned from the EU #SecAwareSummit

Last week we hosted the first ever SANS Security Awareness Summit in Europe. The goal of the summit was to bring together thought leaders and practitioners from around the world who are working to secure the human element. The event was a huge success, as over 80 professionals had the opportunity to meet and learn from each other. I wanted to share with you some of the key takeaways from the event. You can also download the presentations from the summit here.

  • Behavior Costs: Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security

...

Guest Post #2 - Leveraging Social Media at Diageo

Editor's Note: John Haren is the Head of Information Security Governance, Risk & Compliance at Diageo and has responsibility for the company's Security Awareness program. Below is part two of a series where John describes how Diageo is leveraging social media to engage staff and help drive their awareness program.

In my previous blog post I discussed how we have used Yammer at Diageo to help me both deliver content and get some engagement with the end-user population, to facilitate their asking questions and drive a two-way dialog between them and our security team. I introduced

...