Many utilities and other critical infrastructure operators now have to comply with the NERC CIP standards. The point of this blog is that I feel this is eerily similar to SarBox (Sarbanes-Oxley) in its early days.
When the SarBox requirements came in, there was a mad scramble to figure out who had access to the financial systems and to ensure that the accounts of departed employees were terminated. This brought attestation lists into being. I remember one company where the SVP had an executive assistant working nearly full-time on vetting the lists for the SVP.
Over the next few years, enterprises came to understand the significant effort, time and cost of producing the regulatory reports. This led to many identity management projects with electronic attestation, which significantly reduced the cost, time and effort of compliance.
NERC CIP is of course different in that it pertains to critical assets, both physical and logical systems. This past year, many consultants and employees have been scrambling with their spreadsheets, databases and lists to begin compliance. I see the same trend happening here with identity and access management as occurred with SarBox.
There are many challenges in NERC CIP. Many large enterprises have multiple data stores of critical assets, and the same asset is identified differently in each store: a hostname in one, a serial number in another, a site or cabinet in a third. (Sound familiar, identity people? It's a great application for virtual directories.)
Then there is physical and electronic access. Getting these lists put together, and kept current, takes time and money. These too are great applications for identity and access management.
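To make the two problems above concrete, here is an added example (not code from the original post) of the join a virtual directory performs and the attestation list that falls out of it. The three stores, their field names and every record in them are constructed sample data: a CMDB keyed by hostname, a privileged-access tool whose grants are keyed by serial number, and a badge system keyed by site. The point a reviewer should take from the output is that grants to an asset the CMDB does not know about surface as orphans rather than silently dropping off the list.

```python
# Added example: correlate critical-asset records across stores that use
# different identifiers, then build the physical/electronic access list an
# attester signs. All store layouts and records below are constructed.


# Constructed sample data. Each store identifies the same asset differently:
# the CMDB by hostname, the privileged-access tool by serial number, and the
# badge system by the physical site that houses the asset.
CMDB = [
    {"hostname": "rtu-sub7-01", "serial": "SN-4471", "site": "SUB7", "critical": True},
    {"hostname": "hmi-cc-02",   "serial": "SN-9912", "site": "CC",   "critical": True},
    {"hostname": "print-cc-01", "serial": "SN-0003", "site": "CC",   "critical": False},
]
PAM_GRANTS = [  # electronic access, keyed by serial number
    {"serial": "SN-4471", "user": "alice", "role": "admin"},
    {"serial": "SN-4471", "user": "bob",   "role": "admin"},
    {"serial": "SN-9912", "user": "carol", "role": "operator"},
    {"serial": "SN-9912", "user": "bob",   "role": "operator"},
    {"serial": "SN-7777", "user": "eve",   "role": "admin"},  # serial unknown to the CMDB
]
BADGE_ACCESS = {  # physical access, keyed by site
    "SUB7": {"alice", "frank"},
    "CC":   {"carol", "dave"},
}


def correlate(cmdb):
    """The join a virtual directory performs: every identifier another store
    might use for an asset (hostname, serial) maps to one canonical record."""
    by_id = {}
    for rec in cmdb:
        asset = {"id": rec["hostname"], **rec}
        by_id[rec["hostname"]] = asset
        by_id[rec["serial"]] = asset
    return by_id


def build_attestation(cmdb, pam_grants, badge_access):
    """Return (attestation, orphans).

    attestation maps each critical asset to the users with electronic and
    physical access. orphans are grants whose serial the CMDB does not know;
    those must be investigated, not ignored, or the list under-reports."""
    index = correlate(cmdb)
    attestation = {
        rec["hostname"]: {"site": rec["site"], "electronic": set(), "physical": set()}
        for rec in cmdb if rec["critical"]
    }
    orphans = []
    for grant in pam_grants:
        asset = index.get(grant["serial"])
        if asset is None:
            orphans.append(grant)
        elif asset["critical"]:
            attestation[asset["id"]]["electronic"].add(grant["user"])
    # Physical access is granted per site, so every asset at a site inherits it.
    for entry in attestation.values():
        entry["physical"] = set(badge_access.get(entry["site"], ()))
    return attestation, orphans


def review_rows(attestation):
    """Flatten to one row per (asset, user) for the attester, showing whether
    the user holds electronic access, physical access, or both."""
    rows = []
    for asset_id, entry in sorted(attestation.items()):
        for user in sorted(entry["electronic"] | entry["physical"]):
            rows.append({
                "asset": asset_id,
                "user": user,
                "electronic": user in entry["electronic"],
                "physical": user in entry["physical"],
            })
    return rows


if __name__ == "__main__":
    attestation, orphans = build_attestation(CMDB, PAM_GRANTS, BADGE_ACCESS)
    for row in review_rows(attestation):
        print(row)
    for grant in orphans:
        print("ORPHAN grant, asset not in CMDB:", grant)
```

Running it lists six rows across the two critical assets and one orphan grant (user eve on serial SN-7777). The non-critical printer never appears, and the orphan is exactly the kind of record that a spreadsheet merge tends to lose, since there is no row to merge it onto.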
Over the next four years I predict that many utilities and critical infrastructure enterprises will adopt identity and access management to reduce their recurring compliance costs.