As a bulk electricity provider, developing and maintaining a strong cyber security posture can be a challenge. The systems used for the safe and reliable operation of bulk electric power infrastructure, known as process control and Supervisory Control and Data Acquisition (SCADA) systems, were designed and installed without cyber security in mind. The integration of critical infrastructure networks with business information networks is introducing new cyber security risks and vulnerabilities into this environment. With the impending cyber security compliance deadlines mandated by NERC, the issue of critical cyber asset protection takes on a higher degree of urgency.
Industrial Defender is committed to providing best-of-breed solutions to help bulk electricity providers comply with the NERC CIP standards. Our solutions work together to establish a formidable electronic security perimeter to protect bulk electricity equipment from malicious and non-malicious cyber security vulnerabilities and incidents. Industrial Defender is the first company to offer a completely integrated Defense-in-Depth™ cyber security solution designed to protect the industrial control system and SCADA environment in a flexible and cost effective platform. This comprehensive Cyber Risk Protection™ lifecycle solution enables the efficient assessment, mitigation and management of cyber security risk within the critical infrastructure network domain.
Officially mandated January 17, 2008, the purpose of the NERC CIP standards is to ensure that all entities responsible for the reliability and availability of the Bulk Electric System in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric System. Bulk electricity entities found to be out of compliance with the NERC CIP standards can face significant financial penalties.
(Revised) Implementation Plan for Cyber Security Standards CIP-002-1 through CIP-009-1
The NERC standards drafting team (SDT) is planning at least two phases of recommended changes to the existing Critical Infrastructure Protection (CIP) standards. The revisions address a number of wording changes to the existing standards which were outlined in the Federal Energy Regulatory Commission (FERC) Order 706 released in January 2008. The proposed modifications address the directive in Order 706 to "remove references to reasonable business judgment." Phase one also addresses a key gap in the existing standards by specifying a compliance schedule for newly identified critical assets.
The timeline below indicates that bulk electricity entities should be substantially compliant with the NERC CIP requirements at this point in time:

| Milestone | Date |
|---|---|
| Effective Date | 2007 June-01 |
| FERC Notice of Proposed Rulemaking | 2007 July-19 |
| Industry Comments | 2007 Sept-09 |
| Waiting Period | 2007 Nov-20 |
| FERC Approves NERC CIP | 2008 Jan-17 |
| Substantially Compliant (Now) | 2008 Q2 |
| Compliant | 2009 Q2 |
| Auditably Compliant | 2010 Q2 |
Penalty range limits (low and high) by Violation Severity Level:

| Violation | Lower VSL (Low) | Lower VSL (High) | Medium VSL (Low) | Medium VSL (High) | High VSL (Low) | High VSL (High) | Severe VSL (Low) | Severe VSL (High) |
|---|---|---|---|---|---|---|---|---|
| Lower | $1,000 | $3,000 | $2,000 | $7,500 | $3,000 | $15,000 | $6,000 | $25,000 |
| Medium | $2,000 | $30,000 | $4,000 | $100,500 | $6,000 | $200,000 | $10,000 | $335,000 |
| High | $4,000 | $125,000 | $8,000 | $300,000 | $12,000 | $625,000 | $20,000 | $1,000,000 |
SEM - Security Event Monitoring
NIDS - Network Intrusion Detection System
HIDS - Host Intrusion Detection System
Guard - Perimeter security device that includes firewall, VPN, anti-virus technologies
MSS - Managed Security Service
Access Manager - Secure Substation IED Access/User Authentication
| NERC CIP Reliability Standard | Requirement | Definition | Industrial Defender Service/Product Offering |
|---|---|---|---|
| CIP-002-1 Identification of Critical Cyber Assets | R1 Critical Asset Identification Method | Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-002-1 | R2 Critical Asset Identification | Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-002-1 | R3 Critical Cyber Asset Identification | Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-002-1 | R4 Annual Approval | A senior manager or delegate shall approve annually the list of Critical Assets and the list of Critical Cyber Assets | Not Applicable |
| CIP-003-1 Security Management Controls | R1 Cyber Security Policy | Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-003-1 | R2 Leadership | Require the designation of a single manager who has direct and comprehensive responsibility for the implementation of, and ongoing compliance with, the CIP Reliability Standards | Not Applicable |
| CIP-003-1 | R3 Exceptions | Require a Responsible Entity to periodically submit to the Regional Entity the documentation of exceptions to the cyber security policy | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-003-1 | R4 Information Protection | The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets | ID SEM user administration includes individual password access and user permissions |
| CIP-003-1 | R5 Access Control | Implement a program for managing access to protected Critical Cyber Asset information | ID SEM user administration includes individual password access and user permissions<br>ID Access Manager defines IED access on a port-by-port basis and user privileges; maintains a database of administrators and users; provides an administrator report |
| CIP-003-1 | R6 Change Control and Configuration Management | Establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software | ID MSS Configuration Management services include move/add/change requests as well as configuration backups<br>ID Access Manager tracks firmware updates, configuration changes and access changes to Gateways |
| CIP-004-1 Personnel and Training | R1 – R4 | Requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness | ID Professional Services can assist with personnel and training requirements<br>ID Access Manager maintains a database and provides reports listing authorized users by substation and IEDs; enables immediate reporting on changes to the database; logs user privilege changes for historical purposes; enables rapid, global disabling of user privileges without reprogramming multiple IEDs |
| CIP-005-1 Electronic Security Perimeter | R1 Electronic Perimeter | Ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter | ID Guard UTM offers traditional firewall protection as well as secure VPN and antivirus at the perimeter<br>ID Access Manager protects communication endpoints (substation IEDs) within the security perimeter; Gateways provide secure links between perimeters; provides a database and reports listing Gateways (access points) and all secure and non-secure IEDs behind Gateways; provides a convenient AutoAudit™ report |
| CIP-005-1 | R2 Electronic Access Controls | Implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter | ID Guard UTM implements access control via username/password or an LDAP/RADIUS server<br>ID MSS 24x7 event management service monitors the security of ID Guard and third-party firewalls<br>ID Access Manager provides an access control method which denies access by default; secures dial-up access; ensures user authenticity |
| CIP-005-1 | R3 Monitoring Electronic Access | Implement and document an electronic or manual process for monitoring and logging access at access points to the Electronic Security Perimeter(s) 24 hours a day, 7 days a week | ID Guard, NIDS and HIDS detect unauthorized access and send alerts to ID SEM<br>ID SEM logs all alerts and provides standard reports to present to a NERC auditor<br>ID MSS 24x7 event management service monitors the security of ID Guard and third-party firewalls<br>ID Access Manager provides detailed logging information available in reports; sends system alerts |
| CIP-005-1 | R4 Cyber Vulnerability Assessment | Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually | ID Professional Services Vulnerability Assessment and NERC Gap Analysis services |
| CIP-005-1 | R5 Documentation Review and Maintenance | Review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005 | ID Professional Services Network Architecture Review and NERC Gap Analysis services<br>ID SEM logs all alerts and provides standard reports to present to a NERC auditor<br>ID Access Manager provides comprehensive reports, including the NERC CIP AutoAudit™ report |
| CIP-006-1 Physical Security of Cyber Assets | R1 – R6 | Ensure the implementation of a physical security program for the protection of Critical Cyber Assets | ID Professional Services can assist with physical security assessment services |
| CIP-007-1 Systems Security Management | R1 Test Procedures | Ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls | ID MSS Configuration Management services include move/add/change requests as well as configuration backups |
| CIP-007-1 | R2 Ports and Services | Establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled | ID HIDS and NIDS monitor control system workstations and networks for potentially malicious port and service activity and send alerts to ID SEM<br>ID NIDS extends traditional signatures to include control system specific protocols and functions<br>ID Access Manager allows per-user and per-port access definition; enables secure and non-secure devices on the same system |
| CIP-007-1 | R3 Security Patch Management | Establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s) | ID SEM automatically updates all ID Guard and ID NIDS signatures as well as software updates<br>ID MSS IPS/IDS signature updates ensure all managed devices, including third-party products, are up to date<br>ID Access Manager offers remote upgrades, auto-update and Microsoft patch scrubbing |
| CIP-007-1 | R4 Malicious Software Prevention | Use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s) | ID Guard includes firewall, virus protection and intrusion prevention at the perimeter, thus offering the benefit of not having to install these technologies on operator stations and other high-availability control system workstations<br>ID Access Manager software has been qualified for use with common anti-virus software |
| CIP-007-1 | R5 Account Management | Establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access | ID SEM includes an auditing feature to create an audit trail of all user activity<br>ID MSS Log file analysis services perform a review of all authorized and blocked connections<br>ID Access Manager protects substation access via management of individual accounts and passwords; enables quick disabling of user privileges; comprehensive logging; central storage of data on all IEDs in the system; forces use of strong passwords |
| CIP-007-1 | R6 Security Status Monitoring | Ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security | ID HIDS, NIDS and Guard send all events to the ID SEM, which presents the information on a customizable incident screen<br>ID Access Manager provides the ability to send email alerts; comprehensive logging |
| CIP-007-1 | R7 Disposal or Redeployment | Establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005 | ID MSS configuration management services include performing move/add/change requests for all managed devices |
| CIP-007-1 | R8 Cyber Vulnerability Assessment | Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually | ID Professional Services team has performed more Vulnerability Assessments of SCADA and DCS networks than any other company |
| CIP-007-1 | R9 Documentation Review and Maintenance | Review and update the documentation specified in Standard CIP-007 at least annually | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services<br>ID Access Manager provides comprehensive reports, easing the documentation burden |
| CIP-008-1 Incident Reporting and Response Planning | R1 Cyber Security Incident Response Plan | Develop and maintain a Cyber Security Incident response plan that includes procedures to classify events, response actions including the roles of response teams, and a process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) | ID Professional Services offers emergency response planning consulting<br>ID MSS provides 24x7 event management and escalation services |
| CIP-008-1 | R2 Cyber Security Incident Documentation | Keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years | ID SEM logs all alerts and provides standard reports to present to a NERC auditor<br>ID Access Manager provides comprehensive reports, customizable to dates of interest, including incidents |
| CIP-009-1 Recovery Plans for Critical Cyber Assets | R1 Recovery Plans | Create and annually review recovery plan(s) for Critical Cyber Assets | ID Professional Services offers disaster recovery consulting |
| CIP-009-1 | R2 Exercises | The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident | Not Applicable |
| CIP-009-1 | R3 Change Control | Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident | Not Applicable |
| CIP-009-1 | R4 Backup and Restore | Recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets | ID SEM includes backup and restore functions for all data and includes a recovery CD with shipment |
| CIP-009-1 | R5 Testing Backup Media | Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available | ID SEM includes backup and restore functions for all data and includes a recovery CD with shipment |