At large generators, per-unit air compressors and Unidirectional Gateways are reducing risk and reducing compliance costs.
The latest CIP V5 transition guidance explains
how to assess the impact of segmented networks. Large generating sites are
duplicating site-wide resources, such as
pneumatic air compressors and control systems, for every
generating unit. NERC CIP V5 states that if there is a strong security
perimeter around each control system segment, and no segment can influence more
than 1500 MW of generation, then the site has no Medium Impact cyber systems.
This is a significant incentive; Low Impact systems cost much less to
administer than Medium Impact systems.
Done properly, increased redundancy and
segmentation can dramatically reduce compliance costs and the cost of risks.
The right way to segment generating networks is with Unidirectional Security
Gateways. Per-unit physical redundancy and per-unit network segmentation with
Unidirectional Gateways turn one large, valuable target into many smaller,
much harder targets. Unidirectional segmentation eliminates the single biggest
risk to generating networks: the risk of remote attacks reaching through
firewalls into control system networks. It does not matter how mundane or how
sophisticated the attack is, or whether the attack comes from
corporate insiders or the Internet: Unidirectional Security Gateways physically
prevent all messages from external networks that may put a control network at
The bottom line: CIP-compliant segmentation
substantially reduces compliance costs. Per-unit Unidirectional Security
Gateways substantially reduce risks and costs. Investing a tiny fraction of
compliance cost savings into risk reduction with Unidirectional Security
Gateways is just good business.