"The Redspin regulatory assessment program has enabled our team to move quickly, without sacrificing quality..."

Redspin Customer, Commercial Bank of California

NERC-CIP Cyber Security Compliance Assessments

Over the past few years, the U.S. electricity infrastructure has begun to embrace digital technology, moving towards a "smart grid." This significant change will enable power grids to route power in more optimal ways, rather than "broadcasting" from a small number of centralized generators to a large population of users.
| Requirement | What You Need to Do | How Redspin Can Help |
|---|---|---|
| NERC CIP — Cyber Security Program Audit | Whether you are new to NERC CIP's compliance requirements or have already fully implemented each one, every organization should perform testing on a periodic basis and after a major change to ensure each requirement is operating as expected. A gap analysis should be performed that creates a baseline and practical roadmap for organizations that have never been tested before, as well as a list of deficiencies between your implemented controls and the NERC CIP standard for more established cyber security programs. | NERC CIP Gap Analysis |
| CIP-005-04 — R4. External Cyber Vulnerability Assessment | The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. | External Network Security Assessment |
| CIP-007-04 — R8. Internal Cyber Vulnerability Assessment | The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. | Technical Internal Security Assessment |

Advancements in communications technology, when applied to the grid, allow it to operate much like an internetwork of connected elements. By distributing control across the network, better optimization is possible across many aspects of the energy lifecycle – generation, distribution, and consumption. In addition, utilities benefit from having near real-time information, providing for even more efficiency. Similarly, better information will let consumers economize their use and manage their costs.

These benefits are compelling, particularly against a backdrop of rising energy costs and uneven supply. Yet an all-digital, IP-based electricity grid presents significant security challenges. Such a system must be made safe and secure from viruses, malicious hackers, or even terrorist-sponsored cyber-warfare. The U.S. Department of Energy (DOE) has recognized that security must be built into the system from inception.

The DOE also understood the need to develop a standardized set of effective controls and assigned this task and regulatory responsibility to the North American Electric Reliability Corporation (NERC). NERC's mission has long been to ensure the reliability of the North American bulk power system. Thus it was a logical choice to designate NERC as the electricity sector coordinator for critical infrastructure protection (CIP).

To develop a clear set of requirements for CIP, the NERC Board considered several factors:
  • Migration of the grid infrastructure to IP-based wired and wireless networks
  • Influx of new end points (smart meters, sensors, telemetry and controls systems)
  • Increasing demand for access and access control (employees, contractors, even consumers)
  • Evolution of the threat landscape to include covert cyber attackers
  • Regulatory compliance and enforcement

Most of the NERC-CIP standards were made mandatory in late 2009 and early 2010. NERC Standards CIP-002-3 through CIP-009-3 describe a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Redspin offers comprehensive NERC-CIP Cyber Security compliance assessments that enable utilities and other energy companies to be confident in their security measures and well prepared for regulatory audits in the future.

Additional Redspin Services

Application Penetration Testing
Social Engineering Testing
Wireless Penetration Testing
