HP Announces NERC CIP Audit System
Hewlett Packard (HP) announced today its Trusted Compliance System for Energy (TCS-e). By odd coincidence, a product and a certification we were involved with were both announced on the same day. Back in 2006 we helped HP get acquainted with the control systems market and contributed to the requirements document and to some of the help files and templates for this product.
The group that designed this product is the old Atalla group, which was bought by Compaq, which in turn was bought by HP. This group has dominated the financial security market for many years and knows security very well. When you use an ATM, odds are it is an HP-Atalla system performing the security functions back at the processing center.
The TCS-e is designed to help with NERC CIP compliance and audit, and may eventually be extended to SOX and other compliance needs. It is not a firewall, link encryptor, IDS or any other security tool that protects critical cyber assets. Instead, it automates and secures the NERC CIP data and records.
If you are a bulk electric system entity facing NERC CIP, you will have to collect and store a lot of sensitive data and records of reviews, approvals and audits. This can be done low tech with an accordion file, by customizing your existing document management system, or with a purpose-built tool like the TCS-e.
A few of the things we liked about the TCS-e:
- A secure, centralized location for storage of all compliance records, organized by CIP standard and requirement. Evidence can be encrypted, which matters because there is a lot of sensitive information in the documents and drawings required for compliance. Think an adversary would like a list of all your critical cyber assets? Your electronic security perimeter drawings?
- Required approvals are designed in, so approvers receive email notifications as required. All approvals are recorded in the TCS-e and carry time- and date-stamped digital signatures. Great for auditors, because it removes the possibility of evidence being back-dated after the fact.
- Similarly, all auditor tests are recorded with digital signatures, giving proof of either a self-audit or a third-party audit. Audit results can be exported into a secure archive.
- Help files and sample templates assist those who may have a hard time figuring out what is needed. I think in some cases people may make compliance harder than it has to be.
- The product also has a massive log collection and secure storage capability as well as some SEM capabilities available as additional modules.
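The approval and audit records described above depend on signed, time-stamped entries. The Go program below is an added example, not HP's code and not anything from the TCS-e, of how such a record can be made tamper-evident: each entry is signed with ed25519 over its content, its timestamp and a hash of the preceding entry, and the auditor's verification routine checks every signature, every chain link and the time ordering. The record fields, approver names, requirement labels and dates are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// ApprovalRecord is a hypothetical compliance evidence entry: who approved
// what, and when. The field names are this example's own, not the product's.
type ApprovalRecord struct {
	Requirement string    // constructed label, e.g. "CIP-003 R1 policy review"
	Approver    string    // constructed approver identity
	ApprovedAt  time.Time // the time the approver asserts
	PrevHash    string    // hash of the preceding record (empty for the first)
	Signature   []byte    // ed25519 signature over canonical()
}

// canonical returns the exact bytes the signature covers. Every field that
// must be frozen at approval time is included, so editing the stored date
// later invalidates the signature.
func canonical(r ApprovalRecord) []byte {
	return []byte(r.Requirement + "\n" + r.Approver + "\n" +
		r.ApprovedAt.UTC().Format(time.RFC3339Nano) + "\n" + r.PrevHash)
}

// recordHash links the next record to this one, signature included, so a
// record cannot be re-signed in place without breaking the chain.
func recordHash(r ApprovalRecord) string {
	sum := sha256.Sum256(append(canonical(r), r.Signature...))
	return hex.EncodeToString(sum[:])
}

// NewKeyPair generates the approver's signing key. In practice the private
// key belongs in an HSM or the approver's token, not in the record store.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Append signs a new record chained to the last entry of recs and returns
// the extended log.
func Append(priv ed25519.PrivateKey, recs []ApprovalRecord, req, approver string, at time.Time) []ApprovalRecord {
	prev := ""
	if len(recs) > 0 {
		prev = recordHash(recs[len(recs)-1])
	}
	r := ApprovalRecord{Requirement: req, Approver: approver, ApprovedAt: at, PrevHash: prev}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return append(recs, r)
}

// VerifyChain is what an auditor runs: every signature must match its record,
// every record must link to its predecessor, and timestamps must not go
// backwards. A back-dated entry appended later fails the last check even
// though its signature is valid.
func VerifyChain(pub ed25519.PublicKey, recs []ApprovalRecord) error {
	prev := ""
	var last time.Time
	for i, r := range recs {
		if !ed25519.Verify(pub, canonical(r), r.Signature) {
			return fmt.Errorf("record %d: signature does not match content", i)
		}
		if r.PrevHash != prev {
			return fmt.Errorf("record %d: chain link broken", i)
		}
		if r.ApprovedAt.Before(last) {
			return fmt.Errorf("record %d: timestamp earlier than predecessor", i)
		}
		prev = recordHash(r)
		last = r.ApprovedAt
	}
	return nil
}

// SampleChain builds two constructed approvals for the demonstration.
func SampleChain(priv ed25519.PrivateKey) []ApprovalRecord {
	var recs []ApprovalRecord
	recs = Append(priv, recs, "CIP-003 R1 policy review", "alice", time.Date(2007, 5, 1, 9, 0, 0, 0, time.UTC))
	recs = Append(priv, recs, "CIP-005 R1 perimeter drawing", "alice", time.Date(2007, 5, 15, 14, 30, 0, 0, time.UTC))
	return recs
}

func main() {
	pub, priv := NewKeyPair()
	recs := SampleChain(priv)
	fmt.Println("intact chain:", VerifyChain(pub, recs))

	// Tampering 1: edit the stored date after the fact; the signature no longer matches.
	edited := append([]ApprovalRecord(nil), recs...)
	edited[1].ApprovedAt = recs[0].ApprovedAt
	fmt.Println("edited date:", VerifyChain(pub, edited))

	// Tampering 2: the key holder appends a freshly signed, back-dated record;
	// the signature is valid, but the ordering check catches it.
	backdated := Append(priv, recs, "CIP-004 R2 training", "alice", recs[0].ApprovedAt.Add(-time.Hour))
	fmt.Println("backdated append:", VerifyChain(pub, backdated))
}
```

The caveat worth keeping in mind when evaluating any product in this space: a signature only proves that the key holder signed whatever date was presented to it. Without the chain link and the ordering check, the holder of the key could sign a back-dated record at any time, and even with them the first record's date is whatever the signer's clock said. A store that wants to make the auditor's claim stick needs a trusted time source (or an external timestamp over each record) and signing keys held outside the record store itself.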
Some of the people in utilities who have seen this have said it is an auditor's dream, and as someone who has done policy audits I would agree. An auditor could walk up to this system and quickly perform an audit. It will be interesting to see how the compliance market shapes up as the audit dates get closer and the ERO and RRCs take control of this task.
There will be a significant effort to achieve compliance, but don’t underestimate the effort to maintain compliance with the annual reviews and update requirements upon certain events.
Author: Dale Peterson
Posted: May 15th, 2007 under NERC CIP, Security Vendor.