NERC CIP Standards Compliance
Note: The solutions discussed below only represent a small subset of the entire Ivanti product portfolio. Visit http://www.ivanti.com/solutions to learn more.
NERC CIP Standards
The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate, and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets which control or affect the reliability of North America’s bulk electricity systems.
NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system, which are required to retain 12 months of auditable data, documents, and records on their information security controls and specific logs for 90 days in order to be compliant with the new CIP standards. There are nine NERC CIP requirements:
CIP-002-1: Critical Cyber Asset Identification – Requires the identification and documentation of a risk-based assessment methodology, which when applied annually will identify Critical Assets.
CIP-003-1: Security Management Controls – Specifies that security management controls be implemented — information associated with Critical Cyber Assets must be classified and protected, access control to this information must be maintained, and change control must be documented.
CIP-004-1: Personnel and Training – Requires that REs must include a security awareness and training program for personnel having authorized cyber or authorized unescorted physical access.
CIP-005-1: Electronic Security Perimeters – Dictates that Electronic Security Perimeter(s) (ESP) and all access points to the perimeter(s) must be identified and all Critical Cyber Assets must reside within the ESP(s). REs must implement electronic access controls, continuously monitor access, and conduct annual vulnerability assessments at access points.
CIP-006-1: Physical Security of Critical Cyber Assets – Specifies that an RE create and maintain an approved physical security plan and implement access controls as well as monitor of the access points to Physical Security Perimeter(s).
CIP-007-1: Systems Security Management – Specifies a broad range of methods, processes, and procedures for securing Critical and non-Critical Cyber Assets within the ESP(s), such as patch management, malicious software prevention, annual vulnerability assessment, and port and service lockdown should be implemented and documented for Cyber Assets within the ESP(s).
CIP-008-1: Incident Reporting and Response Planning – Dictates maintaining a Cyber Security Incident response plan and retaining Incident documentation for a period of 3 years.
CIP-009-1: Recovery Plans for Critical Cyber Assets – Specifies the creation and annual review of Critical Cyber Assets recovery plan(s), which include backup and storage of information to successfully restore Critical Cyber Assets.
Ivanti Solution Capabilities Mapped to NERC CIP
Security Management Solutions from Ivanti help responsible entities ensure NERC compliance.
Endpoint management and security software addresses NERC CIP security standards and enables Responsible Entities to ensure security management controls and protect Critical Cyber Assets. These solutions include:
- Patch – Reduces organizational risk and optimizes IT operations through the timely, proactive elimination of OS and application vulnerabilities across all endpoints and servers. Heterogeneous platform and 3rd party vulnerability content support includes Microsoft®, Windows®, UNIX®, Linux®, Apple®, Adobe®, Oracle®, Java™, and more.
- Security Configuration Management – Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates, while also reducing configuration drift.
- Application Control – Defines and enforces trusted application usage through whitelist policies to ensure that only applications explicitly authorized or trusted can execute.
Ivanti solutions can help REs identify all managed and unmanaged Cyber Assets, proactively monitor security configurations, lock down critical systems to allow only required functions, and enforce up-to-date patch implementation and improve NERC audit-readiness.
The Cost of Non-Compliance
Due to the importance of securing the North American power supply, financial penalties for NERC non-compliance are hefty — entities can be fined up to $1 million per day until they have brought themselves back into a compliant state. Although NERC audits are regularly scheduled, additional NERC audits can result if there is a power outage or other incident. Therefore, many entities are taking a proactive approach to vulnerability management and endpoint/data protection to ensure continuous NERC compliance.
Learn more about Ivanti Endpoint Security Software.