NERC-CIP Requires Vulnerability Assessment

What is NERC?

The North American Electric Reliability Corporation (NERC) is a nonprofit international regulatory authority whose responsibility is to safeguard the reliability of the North American bulk power systems. The United States of America, Canada and a part of Baja California in Mexico comes under the responsibility of NERC and power system operators in that region need to meet its security standards which includes network scanning for security vulnerabilities. For more info about NERC see NERC web site https://www.nerc.com/

About Critical Infrastructure Protection (CIP) Security Compliance Standards:

NERC Critical Infrastructure Protection (NERC-CIP) is a set of standards which specifies the minimum security requirements for the bulk power systems. NERC-CIP imposes rules which address power system security. This includes testing, and repairing security issues of critical assets with vulnerability assessment tools.

Company Profile

Beyond Security’s testing solutions accurately assess and manage security weaknesses in networks, applications, industrial systems and networked software. We help businesses and governments simplify the management of their network and application security thus reducing their vulnerability to attack and data loss. Our product lines, beSECURE (network and SCADA vulnerability management) and beSTORM (software security testing), will help you secure your network and applications, comply with your security policy requirements and exceed industry and government standards such as NERC-CIP.

NERC-CIP Security Standards

NERC-CIPDescription
CIP-002 Critical Cyber Asset IdentificationNetwork administrator or a responsible entity needs to run a network scanner such as beSECURE to identify critical cyber assets.
CIP-003 Security Management ControlsPower system operators must create security policies to protect all critical cyber assets. beSECURE Policy management tools help operators to develop their standards.
CIP-007 Systems Security ManagementDefine the methods, processes, and procedures for securing Cyber Assets within the Electronic Security Perimeters (ESP); including how and when vulnerability assessment is to be done with tools like beSECURE.

CIP-002 Requirements- Critical Cyber Asset Identification

NERC CIP 002 “Critical Cyber Asset Identification” requires identification and documentation of all critical cyber assets in a bulk power system. This identification and documentation of critical cyber assets will help a network administrator or a reliable entity to understand the impacts and damages which could happen if a critical cyber asset is compromised. Beyond Security’s beSECURE identifies all the cyber critical assets(CIP 002 R3) automatically during a network scan. beSECURE network scan can be scheduled daily, weekly, monthly and it can also be manually scheduled by the network administrator.

CIP-003 Requirements – Security Management Controls

NERC CIP 003 “Security Management Controls” requires a network administrator or a responsible entity to create or modify existing policies which have the capability to protect critical cyber assets(CIP 003 R1). CIP 003 also insists on creating exception where policies can’t be implemented(CIP 003 R3). CIP 003 asserts documentation of all changes such as creating, modification, removal, replacement of any critical cyber hardware or software(CIO 003 R6). Beyond Security’s beSECURE policy management tools helps a network administrator to create new policies or standards for critical cyber assets and it also enables him to create exception where ever deemed necessary. beSECURE generates detailed report for all the discovered critical cyber assets.

CIP-007 Systems Security Management

CIP 007 “Systems Security Management” requires a network administrator or a responsible entity to ensure that any changes which might occur during a software update or installation of a security patch doesn’t affect the overall operations and performance of the critical cyber assets. beSECURE doesn’t perform auto-patching as it is designed to follow the principles of ISMS so all the patches or updates are tested before they are deployed.

Network administrator or a responsible entity needs to set up a process through which only ports which are required for normal and emergency operation remain open (CIP 007 R2). beSECURE uses its port scanner function to detect all the open ports on a system and immediately highlight potential risks or security related network issues

CIP 007 Requirements

CIP 007 requires network administrator or a responsible entity to use malicious software (malware) preventions tool as it can identify and prevent malicious software from affecting critical cyber assets. beSECURE is a vulnerability assessment and management solution which is designed to precisely scan network from 64 to 200k active IPs. With help of a large, up-to-date vulnerability database, beSECURE is able to detect more than 10,000 individual vulnerabilities and new vulnerabilities are added every day. AVDS Management System provides vulnerability assessment reports for technical staff, administrators and senior executives.

How Fortra Helps with NERC-CIP Compliance

Fortra’s Tripwire works incredibly well as a NERC CIP compliance assistant. Simplify, accelerate, and automate continuous compliance standards and make the audit process run much smoother. Audit-ready, customizable reporting streamlines the audit process and avoids fines. Multi-policy management simultaneously complies with NERC CIP, PCI DSS, and other requirements. Compliance tasks become less of a headache and passing audits become a breeze. See how Tripwire can help uncomplicate your NERC CIP process.

Get a demo and see how to simplify your compliance requirements.

Contact us today for more information about how vulnerability assessment fits into your NERC-CIP requirements and about how our product line, beSECURE, will help simplify your compliance and reduce your compliance man-hours and direct costs.