Cybersecurity to Protect the Grid and Marketplace
Information technology has become an indispensable tool for efficiently and reliably operating the increasingly complex regional power system, administering the billion-dollar markets where wholesale electricity is bought and sold in New England, and engaging and collaborating with our stakeholders.
Today, the energy sector faces significant risk of attempted cyberintrusion. ISO New England is committed to making sure power grid and market operations remain secure and will continue to build on our already extensive process controls, advanced detection and response systems, and redundancy in systems and control centers. These help us detect, respond to, and recover from any cyberattacks, as well as to comply with mandatory standards. For example:
- Our 24/7 Security Operations Center provides round-the-clock monitoring of the ISO technology network, and in the past few years we have tightened access to networked services and systems.
- We’ve tightened security controls for cyberassets and visitors to ISO facilities, in compliance with North American Electric Reliability Corporation (NERC) revised critical infrastructure protection (CIP) cybersecurity standards.
- A CIP and Systems Compliance Operations Group was formed to, among other things, provide day-to-day support of highly complex infrastructure and cybersecurity compliance functions required by NERC CIP Version 5. Compliance requires complex activities to be performed continually, even daily. One of the largest sub-requirements requires around 125,000 items to be checked for CIPv5 compliance every 35 calendar days. A number of new CIP standards are expected in the coming years.
- FERC Order 848 requires NERC to update the CIP standard for cybersecurity incident reporting (CIP-008), which will require the ISO to update practices and procedures associated with cybersecurity event investigations and incident investigation and reporting.
- We participate in NERC GridEx exercises on cybersecurity and physical security, and conduct annual training for all ISO employees. In 2017, more than 70 employees participated in GridEx IV; we will take part in GridEx V in 2019.
- During 2019, we will be developing and implementing a third-party cybersecurity risk management program that will include compliance with the new CIP standard (CIP-013) related to Supply Chain Cyber Security Risk.
- During 2019-2020, we will be replacing our 14-year-old system for modeling and tracking physical and electronic access to systems and applications. The new Identity and Access Management system will add cloud-service access tracking, privileged access management, automated implementation of accounts, and enhanced reporting to address NERC CIP compliance objectives.
- A prominent corporate objective requires all ISO employees participate in annual cybersecurity training.
Read about how we’re using sophisticated systems to innovate for New England.