NERC Cyber Security Assessment

Redspin's NERC Cyber Security Assessment utilizes a risk-based approach to manually identify critical infrastructure vulnerabilities throughout your entire enterprise. This assessment focuses on five primary areas of your control environment:

  • Ensuring your sensitive data is secure
  • Ensuring you have sufficient information to make risk management decisions
  • Ensuring your network is secure
  • Ensuring you know who can access your network
  • Ensuring your systems are configured securely

The goal of this assessment is to accurately and cost-effectively isolate areas of risk and provide actionable recommendations (both strategic and technical) for improvement.

This assessment sends expert security engineers into your environment to talk with key system owners to understand your business, leverage a risk-based approach to focus on the areas that are most critical to your operations, and validate that all implemented technical and non-technical controls are configured as expected.

Why perform a NERC Cyber Security Assessment?

  • We want to become compliant with the NERC CIP Standards.
  • We want a gap analysis between our current implemented controls and those defined by CIP-002 through CIP-009.
  • We want to know how we are doing compared to similar peers in our industry.
  • We want to know which high risk issues to focus on.
  • We want a fresh set of eyes on our systems.

Scope

The scope of our NERC Cyber Security Assessment is informed by a variety of sources:

  • Redspin Personnel's Experience — (covered in other sections) together with Redspin's proprietary list of infrastructure vulnerabilities and control deficiencies collected during our work on hundreds of information security assessments over the last ten years.
  • Best Practices — Redspin uses its own independent research, professional exchanges, and industry and other recognized standards, including ISO 27001 and NIST federal guidelines, to keep our scope in line with the latest IT security, availability, and operational analysis appropriate for an organization's size, business complexity, and technology presence.
  • NERC — Cyber Security Standards CIP-002-2 through CIP-009-2 (Critical Infrastructure Protection), NERC (North American Electric Reliability Corporation), December 2009.
  • NIST — Risk Management Guide for Information Technology Systems (Special Publication 800-30), NIST (National Institute of Standards and Technology), October 2001.

Performing this assessment on a periodic basis will also help address specific NERC CIP regulatory requirements.

Some of the Questions a NERC CIP Cyber Security Assessment Answers Include

Data Security —
Is our data secure?
  • Can portable media be used to install malware & viruses and steal confidential data?
  • Is backup media stored securely off-site?

Security Program —
Can I manage my risk better?
  • Has a program been defined that identifies, classifies, and protects information associated with critical cyber assets?
  • Has a single senior manager with overall responsibility and authority for leading and managing the entity's implementation of the cyber security program been assigned?
  • Are cyber vulnerability assessments of the electronic access points to the electronic security perimeter(s) performed at least annually?
  • Has a security awareness and training program been established, documented, implemented and maintained?
  • Has a cyber security incident response plan been documented and implemented to respond to cyber security incidents?

Network Analysis —
Is our network secure?
  • Are the firewalls and other network devices actually configured to implement the domains the way we think they are?
  • Do we allow remote access in a secure way that minimizes risk?
  • Can one walk into our facility and plug into the network and have extensive data and network access?
  • Are our network devices implemented according to best practices?
  • What cost-effective actions can we take to improve logging and monitoring?

Physical Security —
Who can access our network?
  • Has a physical security plan been documented, implemented, and tested?
  • Are all critical systems contained within the physical security perimeter?
  • Are monitoring controls active 24 hours per day, 7 days per week, 365 days per year?
  • Is logging enabled to record sufficient information to uniquely identify individuals and the time of access 24 hours per day, 7 days per week, 365 days per year?
  • Is sufficient fire suppression in use?

System Analysis —
Are our workstations and servers configured securely?
  • Do we have appropriate password requirements?
  • Do our users have the capability to override the security configurations of their workstations?
  • Can our users install software on their workstations that might unintentionally impact the security of our entire network?
  • Are change control and configuration management processes in place for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software?
  • Do we have an effective patch-management strategy in place? Does it include operating systems and applications?