The computer chirped; the pop-up indicated an e-mail had arrived from Jerry Frost, vice president of operations at Minerva Power & Light. Brent Scheier, instrumentation and control manager, toggled to Outlook and read the e-mail:
Brent,
I just finished viewing a NERC-CIP security webinar on High Impact/Low Frequency events, and have some security concerns. I’m especially interested in assessing vulnerabilities where our control platforms interface with external networks. Can we bring in someone to discuss?
Jerry
Brent knew the company’s business systems collected data from the control system, and he figured Jerry knew that too. But Brent didn’t have any idea whether the control system networks were connected to other external networks. He was hardly a cyber-security expert – even if his job included the role of part-time security chief. The small utility’s security focus had always been on processes and protection of physical assets.
It’s not as if they’d turned a blind eye to network security; virus protection was updated regularly, and the company’s control system network was protected behind a firewall. But between the various control systems and an ever-increasing number of digital relays, the distribution system contained so many disparate components that the company had simply avoided discussion of the topic.
But Jerry was a pit bull; once he sank his teeth into something, he didn’t let go until the job was done.
It was for the best, Brent knew. But he wasn’t really even sure where to start. He could call the IT contractor, but their focus was on the PC network; Brent knew the control system required a different approach and he was reluctant to have them work with it.
How should Brent begin a serious assessment of Minerva Power & Light’s vulnerability to a cyber attack or other internet-based disruption? Whom should he call, and what are the big questions that he needs to ask?