Tdworld 3634 Cyberprotection
Tdworld 3634 Cyberprotection
Tdworld 3634 Cyberprotection
Tdworld 3634 Cyberprotection
Tdworld 3634 Cyberprotection

NERC | CIP COMPLIANCE: Security Monitoring

Jan. 15, 2016
The first of a series of NERC/CIP Compliance briefs from SOS Intl, a provider of training and compliance program services to electric utilities.

To discourage theft and vandalism, many businesses incorporate video recording systems. However, if no one is watching the screen, individuals can still get away with criminal activities, costing business millions of dollars.

In a similar manner, computers record user activities. While they don’t record video, they do track login attempts or changes in access privileges by writing information to log files. By reviewing this information on a regular basis, entities can identify signs of an attempted break in or other inappropriate activity.

Unfortunately, once again, the computer logs only help if someone is reviewing them on a regular basis. As a result, most security experts and best practices mandate the use of continuous security monitoring at the network and computer system level, and it is important to incorporate them into our processes and procedures. In addition, the NERC CIP Standards require a number of security measures. These measures are critical for our organization, but can be useful for your personal computer security as well.

  • Monitor and log all access to the Electronic Security Perimeter.
    • Things to look for include:
  • Last log in date does not match with the date when you last used the system
  • You find unusual software running on your system
  • Usual software, such as anti-virus programs, stops running
  • You experience erratic system behavior such as unexpected shutdowns, an unusually slow system, or unusual increase in network activity
  • Detect and alert for attempts at unauthorized access
  • Monitor and log security-related events on all cyber assets connected to the network
  • Review logs of system events, try to figure out why they occur, and if they are continuing

If any of these measures indicate suspicious behavior, you must report it to the appropriate personnel. Security monitoring is an activity that can help us prevent an attack rather than react to an event. As such, it is time well spent.

Voice your opinion!

To join the conversation, and become an exclusive member of T&D World, create an account today!