NERC Cyber Security Compliance Consulting Services
Overview
The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system.
Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America’s bulk electric systems.
NERC CIP Standards seek to address the question: “How well protected is this critical infrastructure?”
Compliance with these standards can be both risky and complicated given the differences between electrical utilities and the newness of the standards. Certainly, the remoteness of power generation and the wide geographic coverage of electric transmission greatly complicate the job of securing these assets from direct attack.
HCL’s Governance, Risk & Compliance (GRC) consulting practice offers market-leading services to organizations seeking compliance support for the NERC CIP standards, improving their security and governance posture while reducing cost. Many of our Managed Security Services and Professional Services align with the NERC CIP Cyber Security Standards, allowing organizations to meet and exceed the requirements they set forth. Starting from a compliance health check, HCL can work with your organization to implement the recommendations by providing technical, documentation and project management support.
Challenges Addressed
• Lack of confidence in organizational security posture and a siloed approach across engineering, operations and IT departments
• Real-time systems make patch application, validation, and user authentication difficult
• Cyber security requires a toolset and knowledge base that is traditionally not located within the same experience pool that understands and manages the day-to-day operations of a power grid
• Diversified risk-assessment approaches
• Lack of basic security mechanisms in SCADA/EMS and DCS design when compared to standard business information systems
• High cost of audit and compliance sustenance
Approach – NERC Cyber Security compliance
The HCL GRC team can assist Responsible Entities by offering a comprehensive program of capabilities that enable the achievement of NERC standards compliance in a cost-effective and timely manner. The spectrum of HCL services covers the complete gamut of standards CIP-002 through CIP-009, providing a robust solution that supports reliable operation of bulk electric systems. The approach and key activities are detailed below:
For each NERC requirement, the corresponding HCL GRC capability and deliverables are listed.

CIP-002-1 – Critical Cyber Asset Identification
HCL GRC Capability: Automated enterprise discovery of Critical Assets; identification of critical assets by client and HCL SMEs who have qualified experience in grid analysis; risk-based assessment, analysis & prioritization by application
Deliverables: Inventory of Critical Cyber Assets; risk library pertaining to cyber asset operations; annual reviews

CIP-003-1 – Management Control – Cyber Security Policy
HCL GRC Capability: Policy evaluation & analysis; policy documentation
Deliverables: Enhanced Cyber Security Policy for NERC compliance

CIP-003-1 – Management Control – Leadership & Exceptions
HCL GRC Capability: Establishing a Security Program Management Office for compliance
Deliverables: Established governance for NERC compliance management & reporting

CIP-003-1 – Management Control – Information Protection
HCL GRC Capability: Catalogued information classification for Critical Cyber Assets; defining access controls, encryption & procedures for disposal, printing and other tasks
Deliverables: Information classification procedures; data security reference architecture; recovery plan

CIP-003-1 – Management Control – Access Controls
HCL GRC Capability: Modeling for role-based access control for internet-facing systems and critical backend solutions
Deliverables: Access control policies & procedures

CIP-003-1 – Management Control – Change Management
HCL GRC Capability: Establishing change management procedures; conducting impact analysis of changes (includes configuration); enabling functional testing for changes; review of corporate & process control networks (SCADA)
Deliverables: Change management & control process; back-out procedures; security enforcement policy

CIP-004-1 – Personnel & Training – Awareness
HCL GRC Capability: Conduct security awareness evaluations & employee assertion program; security awareness training plan development
Deliverables: Security awareness report

CIP-004-1 – Personnel & Training – Training
HCL GRC Capability: Identification & deployment of role-based trainings
Deliverables: Training roadmap; specific procedural training modules

CIP-004-1 – Personnel & Training – Personnel Risk Assessment
HCL GRC Capability: Development of personnel background check policies & procedures
Deliverables: Background check policy

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Security Perimeter
HCL GRC Capability: Identification of control points, ports and services; conduct vulnerability assessments & penetration testing
Deliverables: Vulnerability & penetration assessment report; remediation report

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Access Controls
HCL GRC Capability: Development of authentication procedures; firewall audits; log management & review; real-time threat analysis through SOC (includes NIPS & HIPS)
Deliverables: Firewall implementation procedures; authentication procedures; audit reports; log review & reporting; threat analysis report

CIP-005-1 – Electronic Security Perimeter(s) – Documentation Review & Maintenance
HCL GRC Capability: Documentation of all systems in electronic security perimeters; quarterly review of all documentation
Deliverables: Documentation of network changes

CIP-006-1 – Physical Security Program
HCL GRC Capability: Assessment of facilities’ physical security; assessment of organization physical security plan; development of log & DVR retention policies; physical security audits
Deliverables: Physical security assessment report; log retention & governance policies

CIP-007-1 – System Security Management
HCL GRC Capability: Test procedures evaluation for patch management, device management and anti-virus policies; documentation for non-critical cyber asset policy; creating inventory of non-critical cyber assets; security incident management; documentation lifecycle process; establishing governance and org. structure for documentation & policy review
Deliverables: Malicious software prevention policy; test procedures and controls for device management; password policy; asset disposal policy; policy documentation for malware and malicious software prevention process; documentation and enforcement of password management policy; policy creation for disposal & redeployment of cyber assets

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Response Plan
HCL GRC Capability: Assessment of incident management procedures; documentation of business continuity plan; testing of business continuity plan; process for retention of incident logs
Deliverables: Incident management procedures; Business Continuity Plan; business continuity test procedures

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Documentation
HCL GRC Capability: Process for retention of incident logs
Deliverables: Log retention policy

CIP-009-1 – Disaster Recovery – Recovery Plan, Backup & Restore, Testing Media Storage
HCL GRC Capability: Identification & definition of action triggers, acceptable downtime service levels and acceptable data loss; development of verification criteria & procedures
Deliverables: Disaster Recovery Plan; back-up procedures; test plan for backup

CIP-009-1 – Disaster Recovery – Exercises
HCL GRC Capability: Conducting DR drills
Deliverables: DR test report
Automated NERC Compliance Management – GRC Manager
Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Some of the most pervasive and difficult of these obstacles include:
• Multiple regulatory bodies and requirements
• High cost of defining controls
• High cost of demonstrating compliance
• Budget impacts of NERC and other regulatory efforts on the business
• Allocation of resources away from key business initiatives
• Difficulty with ongoing sustainability of ad-hoc compliance projects
Some of the basic features of the automated GRC platform are as follows:
• Capturing, compiling & reporting compliance information
• Dynamic real-time analysis of risk & controls
• Single global repository for risk & controls
• Integrated industry-standard framework for control optimization
• Role-based dashboards that streamline decision making
• Integrated Program Resource Management capabilities to manage control remediation
• Integration with enterprise business systems for audit evidence collection
A sample snapshot from the automated GRC platform is shown below.
Figure 1. Governance Risk and Compliance Platform
Why choose HCL
• One-stop shop for all your information security & compliance needs
• Mature consulting framework with integrated solution implementation methodology to reduce compliance cost
• Strong engineering and R&D practice with a focus on the Energy & Utilities vertical
• Expertise across all micro verticals in Electric, Gas Distribution, Water & Waste Water/Recycling Utilities
• First in APAC and amongst only 9 companies in the world to receive Cisco’s Master Security Certification
• Accredited by Govt. of India CERT as a provider of Information Security Assessment Services
• Recognized by Gartner & NASSCOM for its Information Security strengths
• HCL is ranked as the No. 1 Security Services provider by Dataquest, V&D and Frost & Sullivan
• Experienced consultants with certifications such as CEH, GWAS, CISSP, CISA, CBCP, BS 25999 and ISO 27001
• Partnership with leading security product and service vendors
• Technology labs in Identity and Access Management, Software Security, Security Testing, Networks and Systems