Protecting SCADA and DCS systems for over 18 years
Industrial Defender Cyber Risk Protection

NERC CIP Compliance Solutions


Is NERC CIP compliance on the top-five list of executive priorities in your company?

Is there an executive responsible for NERC CIP compliance?

Has an audit team been established to support NERC CIP compliance?

Does your company have the right tools and resources to support NERC CIP compliance?

Have you established an electronic security perimeter for your critical cyber assets?


As a bulk electricity provider, developing and maintaining a strong cyber security posture can be a challenge. The systems used for the safe and reliable operation of bulk electric power infrastructure, known as process control and Supervisory Control and Data Acquisition (SCADA) systems, were designed and installed without cyber security in mind. The integration of critical infrastructure networks with business information networks is introducing new cyber security risks and vulnerabilities into this environment. With the impending cyber security compliance deadlines mandated by NERC, the issue of critical cyber asset protection takes on a higher degree of urgency.


Recent Updates!

Strengthened Cyber Security Standards Approved
On May 5, 2009, eight revised cyber security standards for the North American bulk power system were approved by the North American Electric Reliability Corporation’s (NERC) independent Board of Trustees. This action represents the completion of phase one of NERC’s cyber security standards revision work plan launched in July 2008. Work continues on phase two of the revision plan, with version three standards already under development.
Download the revised CIP reliability standards (.zip)
Results of NERC’s recently completed self-certification compliance survey for NERC Reliability Standard CIP-002-1 – Critical Cyber Asset Identification for the period July 1 — December 31


Industrial Defender: Your Partner In NERC CIP Compliance

Industrial Defender is committed to providing best-of-breed solutions to help bulk electricity providers comply with the NERC CIP standards. Our solutions work together to establish a formidable electronic security perimeter to protect bulk electricity equipment from malicious and non-malicious cyber security vulnerabilities and incidents. Industrial Defender is the first company to offer a completely integrated Defense-in-Depth™ cyber security solution designed to protect the industrial control system and SCADA environment in a flexible and cost effective platform. This comprehensive Cyber Risk Protection™ lifecycle solution enables the efficient assessment, mitigation and management of cyber security risk within the critical infrastructure network domain.



NERC CIP Planning Guide For Securing Your Electronic Security Perimeter

Industrial Defender is making available a new assessment worksheet document designed to assist utilities in evaluating their readiness to comply with the NERC CIP standards. It includes an educational overview of the NERC CIP standards, information on two of the most challenging NERC CIP requirements (CIP-005 Electronic Security Perimeters and CIP-007 Systems Security Management), information on penalties imposed for violations of NERC CIP, plus a detailed questionnaire for determining NERC CIP readiness.


NERC Critical Infrastructure Protection Standards

Officially mandated January 17, 2008, the purpose of the NERC CIP standards is to ensure that all entities responsible for the reliability and availability of the Bulk Electric System in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric System. Bulk electricity entities found to be out of compliance with the NERC CIP standards can face significant financial penalties.

(Revised) Implementation Plan for Cyber Security Standards CIP-002-1 through CIP-009-1

NERC CIP Standards In Revision

The NERC standards drafting team (SDT) is planning at least two phases of recommended changes to the existing Critical Infrastructure Protection (CIP) standards. The revisions address a number of wording changes to the existing standards which were outlined in the Federal Energy Regulatory Commission (FERC) Order 706 released in January 2008. The proposed modifications address the directive in Order 706 to "remove references to reasonable business judgment." Phase one also addresses a key gap in the existing standards by specifying a compliance schedule for newly identified critical assets.

See the NERC website for the status of the proposed changes.

NERC CIP Compliance Timeline

The timeline below indicates that bulk electricity entities should be substantially compliant with the NERC CIP requirements at this point in time:

2007 June-01   Effective Date
2007 July-19   FERC Notice of Proposed Rulemaking
2007 Sept-09   Industry Comments
2007 Nov-20    Waiting Period
2008 Jan-17    FERC Approves NERC CIP
2008 Q2        Substantially Compliant
2009 Q2        Compliant
2010 Q2        Auditably Compliant


NERC CIP Penalty Calculations

                         Violation Severity Level
             Lower               Medium              High                Severe
             Range Limits        Range Limits        Range Limits        Range Limits
Violation    Low       High      Low       High      Low       High      Low       High
Lower        $1,000    $3,000    $2,000    $7,500    $3,000    $15,000   $6,000    $25,000
Medium       $2,000    $30,000   $4,000    $100,500  $6,000    $200,000  $10,000   $335,000
High         $4,000    $125,000  $8,000    $300,000  $12,000   $625,000  $20,000   $1,000,000

Overview of How Industrial Defender Services and Products Support NERC CIP Cyber Security Standards


Glossary:

SEM - Security Event Monitoring
NIDS - Network Intrusion Detection System
HIDS - Host Intrusion Detection System
Guard - Perimeter security device that includes firewall, VPN, anti-virus technologies
MSS - Managed Security Service
Access Manager - Secure Substation IED Access/User Authentication

Each entry below gives the NERC CIP reliability standard, its requirements, the requirement definition, and the Industrial Defender (ID) service/product offering that supports it.

CIP-002-1 Identification of Critical Cyber Assets

R1 Critical Asset Identification Method
  Definition: Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets
  ID offering: ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services

R2 Critical Asset Identification
  Definition: Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology
  ID offering: ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services

R3 Critical Cyber Asset Identification
  Definition: Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset
  ID offering: ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services

R4 Annual Approval
  Definition: A senior manager or delegate shall approve annually the list of Critical Assets and the list of Critical Cyber Assets
  ID offering: Not Applicable
CIP-003-1 Security Management Controls

R1 Cyber Security Policy
  Definition: Responsible entity to document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets
  ID offering: ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services

R2 Leadership
  Definition: Require the designation of a single manager who has direct and comprehensive responsibility for the implementation and ongoing compliance with the CIP reliability Standards
  ID offering: Not Applicable

R3 Exceptions
  Definition: Require a responsible entity to periodically submit to the Regional Entity the documentation of exceptions to the cyber security policy
  ID offering: ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services

R4 Information Protection
  Definition: The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets
  ID offering: ID SEM user administration includes individual password access and user permissions

R5 Access Control
  Definition: Implement a program for managing access to protected Critical Cyber Asset information
  ID offering: ID SEM user administration includes individual password access and user permissions
  ID offering: ID Access Manager defines IED access on a port-by-port basis and user privileges; maintains database of administrators and users; provides administrator report

R6 Change Control and Configuration Management
  Definition: Establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software
  ID offering: ID MSS Configuration Management services include move/add/change requests as well as configuration backups
  ID offering: ID Access Manager tracks firmware updates, configuration changes and access changes to Gateways
CIP-004-1 Personnel and Training

R1 – R4
  Definition: Requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness
  ID offering: ID Professional Services can assist with personnel and training requirements
  ID offering: ID Access Manager maintains database & provides reports listing authorized users by substation & IEDs; enables immediate reporting on changes to database; user privilege changes logged for historical purposes; enables rapid, global disabling of user privileges without reprogramming multiple IEDs
CIP-005-1 Electronic Security Perimeter

R1 Electronic Perimeter
  Definition: Ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter
  ID offering: ID Guard UTM offers traditional firewall protection as well as secure VPN and antivirus at the perimeter
  ID offering: ID Access Manager protects communication endpoints (substation IEDs) within the security perimeter; Gateways provide secure links between perimeters; provides database and reports listing Gateways (access points) and all secure & non-secure IEDs behind Gateways; provides convenient AutoAudit™ report

R2 Electronic Access Controls
  Definition: Implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter
  ID offering: ID Guard UTM implements access control via username/password or LDAP/Radius server
  ID offering: ID MSS 24x7 event management service to monitor security of ID Guard and third party firewalls
  ID offering: ID Access Manager provides an access control method which denies access by default; secures dial-up access; ensures user authenticity

R3 Monitoring Electronic Access
  Definition: Implement and document an electronic or manual process for monitoring and logging access at access points to the Electronic Security Perimeter(s) 24 hours a day, 7 days a week
  ID offering: ID Guard, NIDS and HIDS detect unauthorized access and send alerts to ID SEM
  ID offering: ID SEM logs all alerts and provides standard reports to provide to a NERC auditor
  ID offering: ID MSS 24x7 event management service to monitor security of ID Guard and third party firewalls
  ID offering: ID Access Manager provides detailed logging info available in reports; sends system alerts

R4 Cyber Vulnerability Assessment
  Definition: Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually
  ID offering: ID Professional Services Vulnerability Assessment and NERC Gap Analysis services

R5 Documentation Review and Maintenance
  Definition: Review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005
  ID offering: ID Professional Services Network Architecture Review and NERC Gap Analysis services
  ID offering: ID SEM logs all alerts and provides standard reports to provide to a NERC auditor
  ID offering: ID Access Manager provides comprehensive reports including NERC CIP AutoAudit™ report
CIP-006-1 Physical Security of Cyber Assets

R1 – R6
  Definition: Ensure the implementation of a physical security program for the protection of Critical Cyber Assets
  ID offering: ID Professional Services can assist with physical security assessment services
CIP-007-1 Systems Security Management

R1 Test Procedures
  Definition: Ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls
  ID offering: ID MSS Configuration Management services include move/add/change requests as well as configuration backups

R2 Ports and Services
  Definition: Establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled
  ID offering: ID HIDS and NIDS monitor control system workstations and networks for potential malicious port and service activity and send alerts to ID SEM
  ID offering: ID NIDS extends traditional signatures to include control system specific protocols and functions
  ID offering: ID Access Manager allows per-user and per-port access definition; enables secure and non-secure devices on the same system

R3 Security Patch Management
  Definition: Establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s)
  ID offering: ID SEM automatically updates all ID Guard and ID NIDS signatures as well as software updates
  ID offering: ID MSS IPS/IDS signature updates ensure all managed devices, including third party products, are up to date
  ID offering: ID Access Manager offers remote upgrades, auto-update and Microsoft patch scrubbing

R4 Malicious Software Prevention
  Definition: Use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s)
  ID offering: ID Guard includes firewall, virus protection and intrusion prevention at the perimeter, thus offering the benefit of not having to install these technologies on operator stations and other high availability control system workstations
  ID offering: ID Access Manager software has been qualified for use with common anti-virus software

R5 Account Management
  Definition: Establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access
  ID offering: ID SEM includes an auditing feature to create an audit trail of all user activity
  ID offering: ID MSS Log file analysis services perform a review of all authorized and blocked connections
  ID offering: ID Access Manager protects substation access via management of individual accounts and passwords; enables quick disabling of user privileges; comprehensive logging; central storage of data on all IEDs in system; forces use of strong passwords

R6 Security Status Monitoring
  Definition: Ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security
  ID offering: ID HIDS, NIDS and Guard send all events to the ID SEM, which presents the information on a customizable incident screen
  ID offering: ID Access Manager provides ability to send email alerts; comprehensive logging

R7 Disposal or Redeployment
  Definition: Establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005
  ID offering: ID MSS configuration management services include performing move/add/change requests for all managed devices

R8 Cyber Vulnerability Assessment
  Definition: Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually
  ID offering: ID Professional Services team has performed more Vulnerability Assessments of SCADA and DCS networks than any other company

R9 Documentation Review and Maintenance
  Definition: Review and update the documentation specified in Standard CIP-007 at least annually
  ID offering: ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services
  ID offering: ID Access Manager provides comprehensive reports, easing the documentation burden
CIP-008-1 Incident Reporting and Response Planning

R1 Cyber Security Incident Response Plan
  Definition: Develop and maintain a Cyber Security Incident response plan that includes procedures to classify events, response actions including roles of response teams, and a process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES ISAC)
  ID offering: ID Professional Services offers emergency response planning consulting
  ID offering: ID MSS provides 24x7 event management and escalation services

R2 Cyber Security Incident Documentation
  Definition: Keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years
  ID offering: ID SEM logs all alerts and provides standard reports to provide to a NERC auditor
  ID offering: ID Access Manager provides comprehensive reports, customizable to dates of interest including incidents
CIP-009-1 Recovery Plans for Critical Cyber Assets

R1 Recovery Plans
  Definition: Create and annually review recovery plan(s) for Critical Cyber Assets
  ID offering: ID Professional Services offers disaster recovery consulting

R2 Exercises
  Definition: The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident
  ID offering: Not Applicable

R3 Change Control
  Definition: Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident
  ID offering: Not Applicable

R4 Backup and Restore
  Definition: Recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets
  ID offering: ID SEM includes backup and restore functions for all data and includes a recovery CD with shipment

R5 Testing Backup Media
  Definition: Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available
  ID offering: ID SEM includes backup and restore functions for all data and includes a recovery CD with shipment