America’s energy infrastructure propels our nation, and the people who are tasked with ensuring the reliability of that infrastructure shoulder an important responsibility. The North American Energy Reliability Corporation (NERC) has identified a set of standards that utilities must meet to protect the reliability of the energy infrastructure. These NERC Critical Infrastructure Protection (CIP) requirements guide the protection of both physical and electronic (“cyber”) assets, and had mandatory compliance deadlines no later than December 2010.
AppliedTrust has experience auditing and securing SCADA and other infrastructure control systems and has helped several clients meet the NERC CIP requirements. Our breadth of IT knowledge across diverse operating systems, applications, and networking architectures helps us identify the most efficient way for utilities to meet the CIP IT security requirements that apply to them. AppliedTrust’s Certified SCADA Security Architect (CSSA) provides the highest levels of technical and strategic guidance. We can help with CIP requirements 002 through 009, including:
CIP-002: Critical Cyber Asset Identification
AppliedTrust can help you create an inventory of your existing IT hardware and software, without interrupting operations or installing any software. Our network engineers will create clear, concise documentation of critical cyber assets to facilitate compliance audits as well as day-to-day operations.
CIP-003: Security Management Controls
IT security policy and governance documents are important, but they need not be dense tomes of legalese. AppliedTrust’s workshop-based approach to policy development ensures consensus and the support of the business for IT security policies. Our technical writing team can then create a customized policy set based on the workshop results, and can even update it on an annual basis.
CIP-005: Electronic Security Perimeter(s)
Almost every utility will implement multiple Electronic Security Perimeters (ESPs), and AppliedTrust can help identify appropriate locations for network partitioning and firewalls. By considering ease of network management in addition to high levels of security, we will help you design a network that is reliable, instrumented, and low-maintenance. We recognize that ESPs require protection at multiple layers of the infrastructure stack — from physical connectivity, addressing and routing, to firewalls, auditing, and intrusion prevention.
CIP-007: Systems Security Management
This section contains the bulk of the technical requirements of CIP, from provisioning IT equipment to disposing of it. Every engineer at AppliedTrust carries a pager — we make recommendations based on our real-life experiences with technology, not vendor relationships. We can help you establish secure, CIP-compliant operations practices, backed by reliable tools and infrastructure.
CIP-008: Incident Reporting and Response Planning
Incident management and response planning are at the core of our business. Read more about our experience with incident management here.
CIP-009: Recovery Plans for Critical Cyber Assets
AppliedTrust has deep experience with disaster recovery planning. Click here to read more about how we can help.
Let us bring a practical approach to your standards compliance effort. Call us at (303) 245-4545 or contact us online.