Achieving North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards Compliance

NERC CIP Standards 002-009

The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets which control or affect the reliability of North America’s bulk electricity systems.

NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system, which are required to retain 12 months of auditable data, documents and records on their information security controls and specific logs for 90 days in order to be compliant with the new CIP standards. There are nine NERC CIP requirements:

  • CIP-002-1: Critical Cyber Asset Identification - Requires the identification and documentation of a risk-based assessment methodology which applied annually will identify Critical Assets.
  • CIP-003-1: Security Management Controls - Specifies that security management controls be implemented - information associated with Critical Cyber Assets must be classified and protected, access control to this information must be maintained and change control must be documented.
  • CIP-004-1: Personnel and Training - Requires that REs must include a security awareness and training program for personnel having authorized cyber or authorized unescorted physical access.
  • CIP-005-1: Electronic Security Perimeters - Dictates that Electronic Security Perimeter(s) (ESP) and all access points to the perimeter(s) must be identified and all Critical Cyber Assets must reside within the ESP(s). REs must implement electronic access controls, continuously monitor access and conduct annual vulnerability assessments at access points.
  • CIP-006-1: Physical Security of Critical Cyber Assets - Specifies that an RE create and maintain an approved physical security plan and implement access controls as well as monitoring of the access points to Physical Security Perimeter(s).
  • CIP-007-1: Systems Security Management - Specifies a broad range of methods, processes and procedures for securing Critical and non-critical Cyber Assets within the ESP(s), such as patch management, malicious software prevention, annual vulnerability assessment and port and service lockdown should be implemented and documented for Cyber Assets within the ESP(s).
  • CIP-008-1: Incident Reporting and Response Planning - Dictates maintaining a Cyber Security Incident response plan and retaining Incident documentation for a period of 3 years.
  • CIP-009-1: Recovery Plans for Critical Cyber Assets - Specifies the creation and annual review Critical Cyber Assets recovery plan(s) which include backup and storage of information to successfully restore Critical Cyber Assets.


Lumension’s Security Management Software Solutions Help Responsible Entities Ensure NERC Compliance

Lumension’s security management software addresses NERC CIP security standards and enables responsible entities to ensure security management controls and protect Critical Cyber Assets. These solutions include:

  • Lumension® Patch and Remediation - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
  • Lumension® Scan - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
  • Lumension® Security Configuration Management - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
  • Lumension® Content Wizard - Create custom remediation packages to address configuration issues, remove unauthorized files and applications, address Zero-day threats, patch custom software and more.
  • Lumension® Enterprise Reporting - Robust data warehouse that enables easy creation and sharing of reports on all aspects of your remediation efforts in support of policy compliance.
  • Lumension® Risk Manager - Comprehensive IT-GRC software that streamlines and automates audit workflows and IT risk management to provide crucial visibility across the IT environment and ensure compliance with NERC as well as with other pertinent regulations, mandates and internal policies.
  • Lumension® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
  • Lumension® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.

Lumension solutions can help REs identify all managed and unmanaged Cyber Assets, proactively monitor security configurations, lock down critical systems to allow only required functions, and enforce up-to-date patch implementation and improve NERC audit-readiness.

The Cost of Non-Compliance

Due to the importance of securing the North American power supply, financial penalties for NERC non-compliance are hefty—entities can be fined up to $1 million per day until they have brought themselves back into a compliant state. Although NERC audits are regularly scheduled, additional NERC audits can result if there is a power outage or other incident. Therefore, many entities are taking a proactive approach to vulnerability management, endpoint and data protection to ensure continuous NERC compliance.

Lumension Solution Capabilities Mapped to NERC CIP

Lumension addresses NERC compliance challenges by delivering full cycle vulnerability management, endpoint and data protection solutions with proactive risk management to improve audit readiness for NERC.

Automated Vulnerability Management minimizes the attack surface

Complete identification of managed and unmanaged Cyber Assets

Heterogeneous patch management and reporting to meet the Security Patch Management Requirement for implementation, assessment and documentation

Proactive monitoring of security configurations including restriction of ports and services to only required functions

Built-in reporting to help address NERC documentation requirements

Complete Endpoint Protection prevents malicious software

Discover all applications running in your environment, both authorized and unauthorized

Prevent all malware by allowing only authorized applications to run.

Data Protection protects information from loss and theft

Enforce removable device usage and data encryption policies

Flexible reporting aids in complying with the regular adherence assessment

Each NERC CIP defines a set of requirements (Rs), organizational applicability, measures of compliance, and compliance guidelines for a different cyber security purpose.


Lumension Solution

How Lumension Helps

CIP-002-1 Critical Cyber Asset Identification

Vulnerability Management

Lumension® Scan provides complete asset discovery and inventory which enables clear and complete visibility to Cyber Assets which utilize the routable IP protocol within a control center (R3.1) or to communicate outside the Electronic Security Perimeter (R3.2). This capability aids the Responsible Entity in developing a list of Critical Cyber Assets to comply with R3.

CIP-003-1 Security Management Controls

Data Protection

Requirement R4 specifies that the Responsible Entity implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. Lumension® Device Control uniquely identifies and authorizes specific media, providing per-user/per-device user permissions and enforced encryption for removable storage. Lumension® Device Control enables information protection across media types (R4.1) while providing flexible reporting to aid in complying with the annual adherence assessment (R4.3).

Vulnerability Management

Lumension® Security Configuration Management provides comprehensive policy & compliance management which aids the Responsible Entity in configuration management activities to identify, and document changes to hardware and software components of Critical Cyber Assets pursuant to the change control process (R6).

CIP-005-1 Electronic Security Perimeter

Vulnerability Management Reporting and Compliance

Lumension® Patch and Remediation provides complete asset discovery and inventory including a view of any non-critical Cyber Asset within a defined Electronic Security Perimeter. Along with Lumension® Enterprise Reporting, Lumension can assist the Responsible Entity in documenting interconnected Critical and non-critical Cyber Assets within the Electronic Security Perimeter, access point to the Electronic Security Perimeter and assets utilized for monitoring and control of the access points (R1.4 and R1.6)

Endpoint Protection Vulnerability Management

Lumension® Application Control and Lumension® Patch and Remediation together provide automated application discovery, application whitelisting, comprehensive policy and compliance management and complete asset discovery capabilities. The Lumension® Content Wizard also provides scripting wizards that enable the Responsible Entity to monitor and restrict ports and services only to those required for operations and for monitoring as specified in the access control provision (R2.2).

Vulnerability Management Reporting and Compliance

Lumension® Patch and Remediation along with Lumension® Scan provide heterogeneous platform and application support, extensive scanning functions and comprehensive reporting to comply with the vulnerability assessment requirements (R4.2-R4.5)

CIP-006-1: Physical Security of Critical Cyber Assets

Vulnerability Management Reporting and Compliance Endpoint Protection Data Protection

It is not obvious that software security solutions would have relevance to physical security requirements, however, R1.8 specifies that “Cyber Assets used in the access control and monitoring of the Physical Security Perimeter(s) shall be afforded the protective measures specified in” a subset of the CIPs, therefore software security solutions do play a role in an RE achieving physical security compliance. Lumension® helps protect against vulnerabilities, report on compliance, secure endpoints, and protect data on removable devices.

CIP-007-1 Systems Security Management

Vulnerability Management Endpoint Protection

Similar to the Requirements of CIP005-1, restricting ports and services to only those required for normal and emergency operations (R2.1) and disabling ports and services prior to production use (R2.2), Lumension® Application Control, Lumension® Patch and Remediation, and Lumension® Content Wizard together provide automated application discovery, application whitelisting, comprehensive policy and compliance management capabilities and flexible content creation.

Vulnerability Management Reporting and Compliance

The Security Patch Management Requirement (R3) for implementation, assessment and documentation are accommodated by Lumension® Patch and Remediation which provides intelligent patch and remediation, heterogeneous platform and application support and comprehensive reporting. Coupling these capabilities with baseline enforcement aids an RE in meeting the testing procedures required when there is significant change to the Cyber Assets (R1).

Endpoint Protection Vulnerability Management Reporting and Compliance

The Malicious Software Prevention stipulation (R4.1) for Cyber Assets underscores the importance of utilizing tools to “detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets”. As modern antivirus tools can not address all zero day threats, especially those which might be targeted attacks at fundamental infrastructure, Lumension® Application Control provides application whitelisting which utilizes kernel-level enforcement. A Defense in Depth strategy will still require update and documentation of antivirus signatures as dictated by R4.2, which can be aided through Lumension® Patch and Remediation.

Vulnerability Management Reporting and Compliance

The Cyber Vulnerability Assessment requirement (R8) specifies a RE perform a cyber vulnerability assessment at least annually. Lumension® Patch and Remediation along with Lumension® Scan provide both network based and credentials-based production ready scanning, which does not compromise endpoint performance or stability, enabling a RE to meet its compliance target.