January 1, 2012

Power Grid Cyber Security Strategies


Strategy 8: Test Your Incident Response Plan

Periodic testing of a cyber security incident response plan is the best way to ensure it will work when needed to respond to a real incident. Conduct "table-top" exercises regularly, simulating a variety of cyber security incidents and involving the entire incident response team. In some cases, such exercises are required by regulation, such as with NERC's CIP Reliability Standards. It can also be worthwhile to occasionally conduct unscheduled exercises so that complacency does not set in. A response team that can handle only the incidents it knows are coming is ill-prepared for the way real-world incidents usually unfold.


Strategy 9: Identify Lessons Learned and Implement Changes Accordingly

Every test of the incident response plan should result in lessons learned and an action plan to adapt the response plan to address those lessons. The chief security officer should take responsibility for following up on the lessons learned. Changes should be incorporated into the response plan and tested at the next opportunity (which in some cases is required by regulation, such as with the NERC CIP Reliability Standards).


Strategy 10: Get Involved, Stay Involved

The current regulatory environment is enmeshed in uncertainty and perpetual red tape that impedes development of a comprehensive framework within which to address cyber threats. Industry faces a critical and daunting task: how best to tackle current threats and prepare to combat and mitigate future threats to the physical power grid. In light of today's minimal mandatory regulatory requirements, it falls to industry to proactively seek solutions to the growing number and sophistication of cyber threats. As part of its culture of security, a company should be actively seeking opportunities to improve, including participating in industry working groups and other activities that provide access to lessons learned and best practices that the company can import into its own cybersecurity compliance program.

The future of cyber security is uncertain, both in terms of the types of threats and attacks that can compromise the physical power grid and the legislative and regulatory response intended to protect against such attacks. But even in the absence of more definitive legislation and regulations, there are steps that can be taken today to address cyber threats and attacks. The strategies identified here will help companies develop and implement a culture of security and be better prepared for whatever compliance requirements are thrown their way.

—Daniel E. Frank and Jennifer J. Kubicek are attorneys in Sutherland's Energy and Environmental Practice Group in Washington, D.C. Mark Thibodeaux is an attorney in Sutherland's Energy and Environmental Practice Group in Houston, Texas.


© Access Intelligence, 2012