Overview
DYONYX is an information technology and management consulting firm specializing in working with government and enterprise customers to support their critical infrastructures, improve security, productivity and reduce cost and risk.

Challenge
Configuring Processes for Cyber Security

Electric power is vital to nearly every aspect of our lives, and its security is paramount to this nation. The U.S. Department of Energy (DOE) designated the North American Electric Reliability Council (NERC) as the electricity sector coordinator for critical infrastructure protection. NERC has adopted cyber security standards that outline minimum requirements needed to ensure the security of the electronic information exchanges needed to support grid reliability and market operations. There are eight NERC standards, each of which includes three to five requirements. Most utilities that move electricity through transmission lines must comply with these cyber security standards.

DYONYX, which provides specialized services in the support of critical infrastructures, is charged with developing the cyber security standards implementation process for a major electric utility in the southwest United States. This massive undertaking involves the configuration of processes for management, access control and several other supporting processes.

Spearheaded by DYONYX Vice President Ron Blume and consultants Randy Cleland and Jack Kutzer, the team’s model-driven approach on the cyber security standards project includes identifying critical assets for providing electrical power and then pinpointing the cyber assets for those critical assets. Some of these will then be determined to be “critical cyber assets” that must be protected electronically and physically.

Solution
An Integration of Data Model and Process Development Efforts

"ProVision provides us with the means to integrate our data model and process development efforts in a manner that preserves the integrity of the data and provides appropriate visibility for our clients to review, validate, and approve our designs for a comprehensive, soon to be automated, set of security policies, procedures and standards," Blume said.

DYONYX is utilizing the Zachman Framework included in the Metastorm ProVision Enterprise Architecture tool to build in the “who, what, when, where and why” of the client’s cyber security processes. Information comes from various people and documents—though rarely in electronic form. It all will be consolidated into one comprehensive, dynamic and integrated repository within Metastorm ProVision.

The repository is vital to DYONYX because it allows the knowledge to be searched and retrieved with great efficiency and accuracy.

“This is one customer of potentially hundreds,” Blume said. “There is a whole market segment DYONYX will be able to serve. It’s imperative that we leverage our intellectual capital for other clients.”

In addition, he said Metastorm ProVision enables the entire team to operate from the same methodology and structure. This is especially important in projects involving contract workers who each may have a preferred style and approach.

The DYONYX cyber security standards project, estimated to take more than twelve months, is just recently underway. As a first step, the team addressed the “who” component of the framework. Kutzer developed an organizational model as it applies to the scope of this project. To compile the “whys,” they designed models that contain the requirements found in NERC’s standards.

With “who” and “why” complete, DYONYX is now documenting the “hows” with process maps. Utilizing a multi-step process that will involve its client, the DYONYX team is creating the new “to be” process flows within Metastorm ProVision. The “what” and “where” components will follow.

Cleland said the project’s pace is increasing rapidly. “Our momentum increases by the day, because when you load an object in ProVision, it’s there and available for reuse. We expect to realize a savings of time with improved efficiency,” he said.

Results
Extending Intelligence, Saving Time and Ensuring Data Integrity

• Leveraging intellectual capital using the repository to consolidate information in one place and allowing knowledge to be searched and retrieved with great efficiency and accuracy.
• Realizing a savings of time with improved efficiency.
• Integrating compliance requirements, data model and process development efforts in a manner that preserves data integrity and provides appropriate visibility for clients.