Energy and Utilities

Security & Compliance

Threats arise in real time and are constantly evolving. As mentioned above, well-funded and incentivized nation-states, hacktivists and criminal syndicates relentlessly probe expanded attack surfaces in order to disrupt supply chains and service delivery, endangering citizens, crippling commerce, and resulting in stiff regulatory penalties.

As the perimeter of any network changes with the addition of each new IIoT technology and evolution of service, it is important to periodically review equipment configurations, test security devices for weaknesses, identify compliance gaps, review documented policies, and conduct end-user training.

Microsegmenting the network to shield assets – including industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other high-value systems – is also key.

Our engineers possess decades of experience working with the energy industry, providing a full understanding of the conditions specific to the cybersecurity standards of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan. If NERC CIP / FERC compliance is critical to you, here are some specialty services we provide to help you meet or exceed regulatory thresholds:

Vulnerability Assessments: Whether to meet a 15-month, 36-month, or other assessment requirement — such as adding cyber assets — Structured can perform vulnerability assessments, risk assessments and penetration testing.

Policy Development: Structured can perform complete policy development, or modifications to existing policies, to meet evolving national standards. These critical documents form the backbone of your security program and compliance effort.

Gap Analysis Self-Check: Structured can provide an internal validation of control requirements. This can be especially effective prior to an audit to reveal any actual or potential weaknesses in your organization’s security program.

Industrial Internet of Things (IIoT)

The energy sector relies on IIoT devices to collect information, optimize performance, and guard against outages across its enterprise — from drilling rigs, wind turbines, solar panels and pumphouses, to pipelines, to refineries, to the grid and internal networks, and all the way to the consumer.

These devices are common, and they have enlarged the attack surface of the country’s energy grid. They’ve also transformed the way energy companies do business and serve consumers.

Digitization

Thanks to IIoT, better connectivity, and improvements in visibility monitoring across network infrastructure, the energy sector has transformed many of its operational and service processes to reap higher efficiencies and realize significant cost savings.

Advanced analytics capabilities, supported by artificial intelligence, can identify potential issues in infrastructure before they arise. Organizations can practice predictive maintenance, which extends the operational lifetime of infrastructure and prevents service disruptions and downtime. More intelligence and information also contributes to crisper decision making and more efficient service delivery to consumers.

NERC CIP

NERC Critical Infrastructure Protection applies to entities that generate, transmit, or distribute electric power on the US/Canada Bulk Electric System that meets threshold criteria.  Stringent security controls and monitoring are required of the SCADA/ICS networks that control these facilities, as well as any systems that have connectivity to them.

NIST Cybersecurity Framework (NIST CSF)

A subset of security controls from NIST 800-53 that typically apply to critical infrastructure such as telecommunications, utilities, transportation, and other important services.

Center for Internet Security (CIS) Controls

Originally formed in late 2000 as a response to growing cyber threats, the Center for Internet Security began to crowdsource a prioritized set of actions to protect organizations and data from known cyber attack vectors. The organizing principle was to provide clarity into the lifecycle of attacks and then offer a concrete plan of 20 counteractions, or controls, that realistically could be implemented by organizations of all sizes. Today, the CIS Controls provide global standards for internet security and best practices for securing IT systems and data against attacks.

Payment Card Industry Data Security Standard (PCI DSS)

Sets requirements for any organizations “that store, process or transmit cardholder data.”