Regulatory Compliance: Utilities

Power Grids and Computing Systems: Irreversibly Interconnected

Power generation and distribution facilities pre-date the information technology revolution. Therefore, it is not surprising that power companies have historically kept their control system networks completely separate from their general computing networks. But convenience and favorable economics are driving integration and homogenization of the power industry's control system networks and computer networks. Round-the-clock monitoring and corrective actions by remote operators and process engineers, real-time reporting, and sophisticated decision-making systems all require rapid access to control system data.

Metaflows helps IT professionals in the power and energy industry to:

  • Protect interconnected control systems and computing networks. Interconnectivity provides many benefits, but also brings significant risks into play. Most Supervisory Control and Data Acquisition (SCADA) and process control systems were developed at a time when good security amounted to controlling physical access to them and their associated consoles.

    Few, if any, security measures have been incorporated into these systems. Interconnectivity means increased accessibility - including over the Internet. The result is a new weakest link - one that not only puts power facilities in jeopardy, but also entire corporate computing environments.

  • Comply with regulatory requirements designed to maintain continuity of operations. Power generation and distribution facilities are considered critical infrastructure. Among other events, the Northeast electrical blackout of August 14, 2003, reminded the United States public of just how critical these facilities are. The blackout also increased scrutiny of public utilities by the government.

    One significant outcome of the blackout was the Energy Policy Act of 2005, which called for the Federal Energy Regulatory Committee (FERC) to create an electric reliability organization that will be responsible for developing standards - including security guidelines for power plants. That organization is called the North American Electric Reliability Corporation (NERC). NERC's board of directors has already adopted nine Cyber Security Standards, which address asset identification, security management controls, personnel and training, perimeter security, systems security, incident reporting, response planning, and recovery plans.

    In addition, the Energy Security and Independence Act of 2007 updated the Energy Policy Act of 2005, adding new standards and regulatory requirements.