NERC-CIP Compliance

Achieving NERC CIP Compliance with Managed Security Services

The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to “ensure that the bulk electric system in North America is reliable, adequate and secure.” As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America’s bulk electric systems.

NERC CIP

In 2006, the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by NERC, making the CIP Cyber Security Standards mandatory and enforceable across all users, owners and operators of the bulk-power system. The standards went into effect in June 2006, and initial compliance auditing began in June 2007. Masergy has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. As described below, many of our Managed Security Services and Professional Services align directly with the NERC CIP Cyber Security Standards, allowing you to easily meet and exceed the requirements they set forth.

 

Summary of Requirements

All network assets must be audited to identify Critical Cyber Assets. A risk-based assessment methodology should be utilized with annual reviews.

Solutions

These requirements mandate the need to identify your Critical Cyber Assets through risk-based assessments of your network. Using a risk-based methodology aligned with CIP requirements, Masergy’s Professional Services team can help you regularly audit your IT systems and identify Critical Cyber Assets (CIP-002-1 R3).

How does Masergy help?

Professional Services

 

Summary of Requirements

Policies with adherence monitoring and change control must be documented. Change control policies and processes must be adhered to. Definitions and documentation of access control levels are required for critical assets such as Internet-facing systems and critical backend solutions. Solutions should be in place to mitigate risks. These requirements mandate having minimum security management controls in place to protect Critical Cyber Assets.

Solutions

Masergy's Professional Services team evaluates your security management controls, identifies gaps in your security management program and makes recommendations for addressing any deficiencies (CIP-003-1 R1 through R6). We assess your security program to determine if CIP security policies are being followed in practice. Our fully managed UES solutions provide full lifecycle device management, including change and configuration management. All changes are tracked and documented within the Masergy Security portal, allowing you to easily demonstrate compliance with change control policies and procedures (CIP-003-1 R6).

How does Masergy help?

  • Managed Firewall
  • Managed IDS/IPS
  • Managed Vulnerability Scanning
  • Advanced Persistent Threat Management
  • Network Access Policy Monitoring
  • Security Monitoring
  • Professional Services

 

 

Summary of Requirements

Employees should be trained on policies, access controls and general awareness issues around Social Engineering. Background checks should be performed on all users with access to computer assets.

Solutions

These requirements direct that personnel having authorized access (either cyber or physical) have an appropriate level of personnel risk assessment, training and security awareness. Masergy’s Professional Services team can review your personnel and training policies, identify areas of weakness and audit the practice of personnel and training policies.

How does Masergy help?

Professional Services

Social Engineering Audit

 

Summary of Requirements

An Electronic Security Perimeter should be established, along with measures to:

  • Disable ports and services that are not required
  • Monitor and log access 24/7
  • Perform annual vulnerability assessments (at a minimum)
  • Document network changes

Solutions

These requirements mandate the identification and protection of an Electronic Security Perimeter within which all Critical Cyber Assets reside. All perimeter access points must be identified and protected. Masergy's Professional Services team can perform the required Annual Vulnerability Assessments, as well as help you identify your Critical Cyber Assets and evaluate your Electronic Security Perimeter to determine if it meets CIP requirements (CIP-005-1 R4). Our Managed Firewall service removes the burden of firewall management by providing you with a 24/7 team of experts. Our firewall experts will audit policies to ensure they align with CIP requirements (CIP-005-1 R2), perform ongoing rule-set changes and monitor these devices for any signs of attack. Masergy’s Security Monitoring service can provide 24/7 monitoring of your network access points by certified security professionals (CIP-005-1 R3). Additionally, our Managed Security Services feature detailed web-based reporting through the Masergy security portal. This allows you to easily demonstrate compliance with CIP-005-1 requirements (R5).

How does Masergy help?

  • Managed Firewall
  • Managed Vulnerability Scanning
  • Advanced Persistent Threat Management
  • Network Access Policy Monitoring
  • Security Monitoring
  • Professional Services

 

Summary of Requirements

Physical Security controls should be documented and implemented that provide perimeter monitoring and logging along with robust access controls. All cyber assets used for Physical Security are considered critical and should be treated as such.

Solutions

These requirements ensure the implementation of a physical security program which protects Critical Cyber Assets. Masergy's Professional Services team can review your physical security controls, as well as perform physical security assessments, and make recommendations for areas in need of improvement with regard to the CIP standards.

How does Masergy help?

  • Managed and Cloud Firewall
  • Managed IDS/IPS
  • Managed Vulnerability Scanning
  • Advanced Persistent Threat Management
  • Network Access Policy Monitoring
  • Security Information & Event Monitoring
  • Security Monitoring
  • Professional Services

 

Summary of Requirements

All methods, processes and procedures for securing Critical Assets and all technology solutions should be well-defined and include automated controls. System and network events should be monitored automatically with alerts sent to key personnel. An annual vulnerability assessment should be performed.

Solutions

These requirements call for the definition of methods, processes, and procedures for securing Critical Cyber Assets and non-critical Cyber Assets within the Electronic Security Perimeter. Masergy's Professional Services team can provide the required annual vulnerability assessment of your Systems Security Management methods, processes and procedures (CIP-007-1 R8). Masergy's Security Monitoring and Security Information & Event Management services specifically address CIP-007-1 R6, which requires utilities to monitor system events that are related to cyber security (R6.1), maintain logs for ninety calendar days (R6.3, R6.4), and maintain records documenting that logs have been reviewed (R6.5). Additionally, Masergy's Managed NIPS and Managed HIPS services detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware (CIP-007-1 R4).

How does Masergy help?

  • Managed Firewall
  • Managed IDS/IPS
  • Security Monitoring
  • Security Information and Event Management
  • Advanced Persistent Threat Management
  • Network Access Policy Monitoring
  • Professional Services

 

Summary of Requirements

All cyber security incidents should be addressed by an internal computer incident response team (CIRT) and reported to the Electricity Sector Information Sharing and Analysis Center (ES ISAC).

Solutions

This requirement mandates having a Cyber Security Incident Response Plan that addresses the classification, response and reporting of Cyber Security Incidents related to Critical Cyber Assets. Masergy's Professional Services team can work with you to develop your Incident Response Plan and ensure that it exceeds minimum CIP requirements for classification, response, reporting and documentation as indicated in CIP-008-1 R1 and R2. Also, Masergy's Managed Security Services help you identify, classify and respond to security incidents. Our certified security professionals provide 24/7 enterprise-wide security monitoring and escalation to prevent and respond to security incidents.

How does Masergy help?

  • Managed Firewall
  • Managed IDS/IPS
  • Network Access Policy Monitoring
  • Security Monitoring
  • Security Information and Event Management
  • Advanced Persistent Threat Management
  • Professional Services

 

Summary of Requirements

A disaster recovery plan should be created and tested with annual drills.

Solutions

This requirement calls for having one or more recovery plans in place for Critical Cyber Assets. These plans should follow established business continuity and disaster recovery techniques and practices. Masergy's Professional Services team can audit your recovery plans to identify any gaps that should be addressed in order to successfully back up and restore Critical Cyber Assets (CIP-009-1 R4).

How does Masergy help?

Professional Services

 


Explore our comprehensive advanced managed security solution, Unified Enterprise Security™.

Masergy's Unified Enterprise Security™ (UES) fulfills the promise of a truly integrated advanced threat-management solution, delivering an enterprise security capability unlike any other.

APT Management

Advanced analysis and machine learning detect advanced persistent threats before they cause material harm.

Network Behavioral Analysis

1200+ algorithms continuously learn normal network behaviors and correlate all sub-system data to identify abnormal behaviors.

Integrated Vulnerability Management

Unlimited vulnerability scanning that automatically correlates results with IDS/IPS to ensure signatures for known vulnerabilities are applied.

Intrusion Detection & Prevention

24/7 deep-packet network traffic inspection and tunable signatures designed to thwart advanced attacks.

Threat Intelligence Dashboard

Single-pane-of-glass view into security posture, prioritized threat data, and remediation instructions.

Unified Cloud Security

Cloud-ready solutions that thwart attacks on public cloud (e.g., Amazon EC2™), private cloud (e.g., VMware™), and hybrid cloud environments.

SIEM+

Integrated real-time monitoring, log-management/archival, and sophisticated analysis and reporting.

Network Access Policy Monitoring

Define and enforce corporate network security policy with continuous monitoring and advanced behavioral network analysis and correlation.

Managed Security Monitoring

Masergy's certified security experts continuously monitor to identify, investigate, and stop threats before they cause material harm.
