NERC CIP Compliance with Security Professional Services

Transcription

1 NERC CIP Compliance with Professional Services The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or effect the reliability of North America s bulk electric systems. Having been approved by the Federal Energy Regulatory Commission (FERC), the CIP Cyber Standards will be mandatory in March, 2008 and enforceable across all users, owners and operators of the bulk-power system. Masergy has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. As described below, many of our Unified Enterprise and Professional Services align directly with the NERC CIP Cyber Standards, allowing you to easily meet and exceed the requirements they set forth. CIP Critical Cyber Asset Identification All network assets must be audited to identify Critical Cyber Assets. A risk-based assessment methodology should be utilized with annual reviews. These requirements mandate the need to identify your Critical Cyber Assets through risk-based assessments of your network. Using a risk-based methodology aligned with CIP requirements, Masergy s Professional Services team can help you regularly audit your IT systems and identify Critical Cyber Assets (CIP R3).

2 CIP Management Controls Policies with adherence monitoring and change control must be documented and in place. Change control policies and processes must be adhered to. Definitions and documentation on access control levels for critical assets such as Internet facing systems and critical backend solutions. Solutions should be in place to mitigate risks. These requirements mandate having minimum security management controls in place to protect Critical Cyber Assets. Masergy s Professional Services team can evaluate your security management controls, identify gaps in your security management program and make recommendations for addressing any deficiencies (CIP R1 through R6). We can also assess your security program to determine if CIP security policies are being followed in practice. Additionally, our Managed Firewall and Managed NIPS/NIDS services provide full lifecycle device management, including change and configuration management. All changes are tracked and documented within the Masergy Portal, allowing you to easily demonstrate compliance with change control policies and procedures (CIP R6). Managed Vulnerability Scanning APT Management CIP Personnel and Training Employees should be trained on policies, access controls and general awareness issues around Social Engineering. Background checks should be performed on all users with access to computer assets. These requirements direct that personnel having authorized access (either cyber or physical) have an appropriate level of personnel risk assessment, training and security awareness. Masergy s Professional Services team can review your personnel and training policies, identify areas of weakness and audit the practice of personnel and training policies.

3 CIP Electronic Protection An Electronic Perimeter should be established that provides the following: Disable ports and services that are not required Monitor and Log Access 24x7x365 Perform Annual Vulnerability Assessments (at a minimum) Documentation of Network Changes These requirements mandate the identification and protection of an Electronic Perimeter within which all Critical Cyber Assets reside. All perimeter access points are also must be identified and protected. Masergy s Professional Services team can perform the required Annual Vulnerability Assessments, as well as help you identify your Critical Cyber Assets and evaluate your Electronic Perimeter to determine if it meets CIP requirements (CIP R4). Our Managed Firewall service removes the burden of firewall management by providing you with a 24x7x365 team of experts. Our firewall experts will audit policies to ensure they align with CIP requirements (CIP R2), perform on-going rule-set changes and monitor these devices for any signs of attack. Masergy s Monitoring service can provide 24x7 monitoring of your network access points by certified security professionals (CIP R3). Additionally, our Managed Services feature detailed web-based reporting through the Masergy Portal. This allows you to easily demonstrate compliance with CIP requirements (R5). Managed Vulnerability Scanning APT Management CIP Physical Program Physical controls should be documented and implemented that provide perimeter monitoring and logging along with robust access controls. All cyber assets used for Physical are considered Critical and should be treated as such. These requirements ensure the implementation of a physical security program which protects Critical Cyber Assets. Masergy s Professional Services team can review your physical security controls, as well as perform physical security assessments, and make recommendations for areas of in need of improvement in regards to the CIP standards.

4 CIP Systems Management All methods, processes and procedures for securing Critical Assets and all technology solutions should be well-defined and include automated controls. System and network events should be monitored automatically with alerts sent to key personnel. An annual vulnerability assessment should be performed. These requirements call for the definition of methods, processes, and procedures for securing Critical Cyber Assets and non-critical Cyber Assets within the Electronic Perimeter. Masergy s Professional Services team can provide the required annual vulnerability assessment of your Systems Management methods, processes and procedures (CIP R8). Masergy s Monitoring and Information Management services specifically address CIP R6 which requires utilities to monitor system events that are related to cyber security (R6.1), maintain logs for ninety calendar days (R6.3, R6.4), and maintain records documenting that logs have been reviewed (R6.5) Additionally, Masergy s Managed NIPS and Managed HIPS services detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware (CIP R4). Managed HIPS Event Management Threat Management Log Management / Monitoring CIP Incident Response and Reporting All cyber security incidents should be addressed by an internal computer incident response team (CIRT) and reported to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). This requirement mandates having a Cyber Incident Response Plan that addresses the classification, response and reporting of Cyber Incidents related to Critical Cyber Assets. Masergy s Professional Services team can work with you to develop your Incident Response Plan and ensure that it exceeds minimum CIP requirements for classification, response, reporting and documentation as indicated in CIP R1 and R2. Also, Masergy s Managed Services help you identify, classify and respond to security incidents. Our certified security professionals provide 24x7x365 enterprise-wide security monitoring and escalation to prevent and respond to security incidents. Managed HIPS Event Management Threat Management

5 CIP Disaster Recovery A disaster recovery plan should be created and tested with annual drills This requirement calls for having a recovery plan(s) in place for Critical Cyber Assets. These plans should follow established business continuity and disaster recovery techniques and practices. Masergy s Professional Services team can audit your recovery plans to identify any gaps that should be addressed in order to successfully backup and restore Critical Cyber Assets (CIP R4). ADDITIONAL RESOURCES HHS Office for Civial Rights HIPAA Information page CMS HIPAA Regulations and Guidance page Solutions for Healthcare For more information regarding our Unified Enterprise solutions, contact us at 1 (866) or visit us online at Best Products & Services Reader s Trust Award Network Products Guide has named Masergy a winner of the 2009 Best Products and Services - Reader s Trust Award for Unified Global Product Excellence - Customer Trust Award Info Products Guide has named Masergy a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Product Innovation Award Network Products Guide has named Masergy s Enterprise UTM++ a winner of the 2009 Product Innovation Award for the overall Solution (Hardware and Software) category. Masergy also receive the Product Innovation award in 2008 for its All-n-One Module for Enterprise UTM Tomorrow s Technology Today Award Info Products Guide has named Masergy s Enterprise UTM++ a winner of the 2009 Tomorrow s Technology Today Award for the Integrated Solution (Hardware and Software) category. Masergy has also received the Tomorrow s Technology Today award in prior years (2006, 2007 & 2008) for Unified, Network and Risk Management Managed Services. SC Magazine 2008 Industry Innovator SC Magazine has recognized Masergy for its industry innovation in the unified threat management category. Rev (866) MASERGY ( ) Masergy Communications, Inc.