
NERC Cyber Security Compliance Consulting Services
HCL Governance, Risk & Compliance Practice

Overview

The North American Electric Reliability Corporation (NERC) is a nonprofit corporation whose mission is to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) for North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system.

Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems.

NERC CIP Standards seek to address the question "How well protected is this critical infrastructure?"

Compliance with these standards can be both risky and complicated given the differences between electrical utilities and the newness of the standards. Certainly, the remoteness of power generation and the wide coverage of electric transmission greatly complicate the job of securing these assets from direct attack.

HCL's Governance, Risk & Compliance (GRC) consulting practice offers market-leading services to organizations seeking compliance support for the NERC CIP standards, improving their security and governance posture while reducing cost. Many of our Managed Security Services and Professional Services align with the NERC CIP Cyber Security Standards, allowing organizations to meet and exceed the requirements they set forth. Starting from a compliance health check, HCL can work with your organization to implement the recommendations by providing technical, documentation and project management support.

Challenges Addressed

• Lack of confidence in organizational security posture, and a siloed approach across the engineering, operations and IT departments
• Real-time systems make patch application, validation and user authentication difficult
• Cyber security requires a toolset and knowledge base that is traditionally not found within the same experience pool that understands and manages the day-to-day operations of a power grid
• Diversified risk-assessment approach
• Lack of basic security mechanisms in SCADA/EMS and DCS designs when compared to standard business information systems
• High cost of audit and compliance sustenance

Approach

NERC Cyber Security compliance

The HCL GRC team can assist Responsible Entities by offering a comprehensive program of capabilities that enables NERC standards compliance in a cost-effective and timely manner. The spectrum of HCL services covers the complete gamut of standards CIP-002 through CIP-009, providing a robust solution to support reliable operation of bulk electric systems. The approach and key activities are detailed below:

NERC Requirement / HCL GRC Capability / Deliverables

CIP-002-1 – Critical Cyber Asset Identification
Capability: Automated enterprise discovery of Critical Assets; identification of critical assets by client and HCL SMEs who have qualified experience in grid analysis; risk-based assessment, analysis & prioritization by application
Deliverables: Inventory of Critical Cyber Assets; risk library pertaining to cyber asset operations; annual reviews

CIP-003-1 – Management Control – Cyber Security Policy
Capability: Policy evaluation & analysis; policy documentation
Deliverables: Enhanced Cyber Security Policy for NERC compliance

CIP-003-1 – Management Control – Leadership & Exceptions
Capability: Establishing a Security Program Management Office for compliance
Deliverables: Established governance for NERC compliance management & reporting

CIP-003-1 – Management Control – Information Protection
Capability: Catalogued information classification for Critical Cyber Assets; defining access controls, encryption & procedures for disposal, printing and other tasks
Deliverables: Information classification procedures; data security reference architecture; recovery plan

CIP-003-1 – Management Control – Access Controls
Capability: Modeling of role-based access control for internet-facing systems and critical back-end solutions
Deliverables: Access control policies & procedures

CIP-003-1 – Management Control – Change Management
Capability: Establishing change management procedures; conducting impact analysis of changes (including configuration changes); enabling functional testing of changes; review of corporate & process control networks (SCADA)
Deliverables: Change management & control process; back-out procedures; security enforcement policy

CIP-004-1 – Personnel & Training – Awareness
Capability: Conducting security awareness evaluations & an employee assertion program; security awareness training plan development
Deliverables: Security awareness report

CIP-004-1 – Personnel & Training – Training
Capability: Identification & deployment of role-based training
Deliverables: Training roadmap; specific procedural training modules

CIP-004-1 – Personnel & Training – Personnel Risk Assessment
Capability: Development of personnel background check policies & procedures
Deliverables: Background check policy

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Security Perimeter
Capability: Identification of control points, ports and services; vulnerability assessments & penetration testing
Deliverables: Vulnerability & penetration assessment report; remediation report

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Access Controls
Capability: Development of authentication procedures; firewall audits; log management & review; real-time threat analysis through the SOC (including NIPS & HIPS)
Deliverables: Firewall implementation procedures; authentication procedures; audit reports; log review & reporting; threat analysis report

CIP-005-1 – Electronic Security Perimeter(s) – Documentation Review & Maintenance
Capability: Documentation of all systems within Electronic Security Perimeters; quarterly review of all documentation
Deliverables: Documentation of network changes

CIP-006-1 – Physical Security Program
Capability: Assessment of facility physical security; assessment of the organization's physical security plan; development of log & DVR retention policies; physical security audits
Deliverables: Physical security assessment report; log retention & governance policies

CIP-007-1 – System Security Management
Capability: Evaluation of test procedures for patch management, device management and anti-virus policies; documentation of non-critical cyber asset policy; creating an inventory of non-critical cyber assets; policy documentation for the malware and malicious software prevention process; documentation and enforcement of the password management policy; policy creation for disposal & redeployment of cyber assets; establishing governance and organizational structure for documentation & policy review
Deliverables: Malicious software prevention policy; test procedures and controls for device management; password policy; asset disposal policy; security incident management; documentation lifecycle process

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Response Plan
Capability: Assessment of incident management procedures; documentation of the business continuity plan; testing of the business continuity plan
Deliverables: Incident management procedures; business continuity plan; business continuity test procedures

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Documentation
Capability: Process for retention of incident logs
Deliverables: Log retention policy

CIP-009-1 – Disaster Recovery – Recovery Plan, Backup & Restore, Testing Media
Capability: Identification & definition of action triggers, acceptable downtime service levels and acceptable data loss; development of verification criteria & procedures
Deliverables: Disaster recovery plan; backup procedures; test plan for backup storage

CIP-009-1 – Disaster Recovery – Exercises
Capability: Conducting DR drills
Deliverables: DR test report

Automated NERC Compliance Management

GRC Manager

Power and utility executives today face many challenges as they work to meet their compliance requirements. Some of the most pervasive and difficult of these obstacles include:

• Multiple regulatory bodies and requirements
• High cost of defining controls
• High cost of demonstrating compliance
• Budget impacts of NERC and other regulatory efforts on the business
• Allocation of resources away from key business initiatives
• Difficulty with ongoing sustainability of ad-hoc compliance projects

Some of the basic features of the automated GRC platform are:

• Capturing, compiling & reporting compliance information
• Dynamic real-time analysis of risk & controls
• Single global repository for risk & controls
• Integrated industry-standard framework for control optimization
• Role-based dashboards that streamline decision making
• Integrated program resource management capabilities to manage control remediation
• Integration with enterprise business systems for audit evidence collection

A sample snapshot from the automated GRC platform is shown below.

Figure 1. Governance, Risk and Compliance Platform

Why choose HCL

• One-stop shop for all your information security & compliance needs
• Mature consulting framework with an integrated solution implementation methodology to reduce compliance cost
• Strong engineering and R&D practice with a focus on the Energy & Utilities vertical
• Expertise across all micro-verticals in Electric, Gas Distribution, Water & Waste Water/Recycling Utilities
• First in APAC and among only 9 companies in the world to receive Cisco's Master Security Certification
• Accredited by the Government of India's CERT (CERT-In) as a provider of Information Security Assessment Services
• Recognized by Gartner & NASSCOM for its information security strengths
• Ranked as the No. 1 security services provider by Dataquest, V&D and Frost & Sullivan
• Experienced consultants with certifications such as CEH, GWAS, CISSP, CISA, CBCP, BS 25999 and ISO 27001
• Partnerships with leading security product and service vendors
• Technology labs in Identity and Access Management, Software Security, Security Testing, Networks and Systems
