
Industrial Security & Compliance: A Complete NERC CIP Compliance Solution

We can help with any requirement of NERC CIP-002 through CIP-009

Industrial Security & Compliance can assist you in achieving and maintaining compliance with any requirement of NERC CIP-002 through CIP-009. Our services for each NERC CIP standard are listed below. Some services refer to Compliance Manager, a software solution for managing NERC CIP compliance offered by Honeywell.

CIP-002: Critical Cyber Asset Identification

  • We will review your methodology for identification of critical assets. We will identify any deviations from standard industry practice and make suggestions for improvement. We can assist with re-applying the methodology if required.
  • We can develop a methodology for identifying your critical cyber assets (CCAs) as well as apply that methodology to develop your list of CCAs. The methodology can include tasks such as examination of router and switch configurations, tracing network cables and developing and interpreting network diagrams.
  • We can help your organization understand what the upcoming CIP-002 Version 4 and the longer-term CIP-010 Version 1 imply for identification of cyber assets that are subject to the full set of NERC CIP requirements.
  • Compliance Manager can maintain your lists of critical assets and CCAs as well as generate a workflow for the required annual reviews of these lists.

CIP-003: Security Management Controls

  • We can review and/or develop your organization’s cyber security policy, including adapting it to your critical infrastructure environment (generation plant, control center, etc.). We will confirm that it addresses all of the requirements of CIP-002 through CIP-009.
  • We can review your procedures for documenting exceptions to your cyber security policy and choosing and implementing compensating measures where appropriate. We can verify that these procedures are being properly applied, and make suggestions for improvement where warranted.
  • We can review your information protection program for CCAs, including the adequacy of your classification scheme, document coverage and access privileges. We can also assess whether your program may be too restrictive and thus be hampering employees from doing their jobs. We can suggest improvements and assist in implementing these improvements.
  • We can help you set up and maintain your change management and configuration management programs.
  • Compliance Manager provides the capability to maintain and document your change management program, including tracking requests for changes to cyber assets and approval and implementation of those changes.
  • Compliance Manager can also maintain and document your configuration management program, including automatically retrieving configuration baseline information and changes on Windows systems and some other devices.

CIP-004: Personnel and Training

  • We can help you develop and maintain your security awareness program, including developing content for emails, posters, lunch-and-learns, etc.
  • We can help you develop and implement a role-based security training program, so that all employees, vendors and contractors with access to CCAs are trained appropriately for their roles and responsibilities. We can assist in delivering this training and integrating it with your Learning Information Management System (LIMS), either through computer-based training or classroom delivery.
  • Compliance Manager automates tracking and documentation of your role-based security training program, and provides reminders as new training deadlines approach.
  • We can review and, if necessary, implement your program to conduct personnel risk assessments (PRAs) of personnel with access to CCAs. Compliance Manager can automate the documentation of PRAs and provides reminders as these need to be renewed.
  • Compliance Manager can maintain and display lists of personnel having access to CCAs. For Windows systems and some other devices, Compliance Manager can retrieve and update this data automatically.
  • When an employee leaves and needs to have their access revoked, Compliance Manager generates notices to system administrators to remove that access, and documents all steps taken.

CIP-005: Electronic Security Perimeter(s)

  • We can help you identify and document your Electronic Security Perimeters (ESPs).
  • We can suggest and implement changes to your network infrastructure that will cut down on the size of your ESPs, and thus reduce your NERC CIP compliance costs.
  • We can revise, develop, implement and document processes and procedures to control electronic access to your ESPs. These can include procedures to:
    • Limit user access to systems for which the user has explicit permission and a need to access
    • Ensure default deny for all other access at all ESP access points
    • Ensure that only ports and services required for operations and monitoring are open on ESP access points
    • Verify authenticity of any third party remotely accessing an ESP access point
  • We can recommend and implement technologies to control electronic access to the ESP. These can include:
  • We can recommend and implement technologies for monitoring and logging electronic access to the ESP, as well as for alerting on unauthorized access attempts. These technologies include Security Information and Event Management (SIEM) and log management.
  • We can perform the required annual cyber vulnerability assessment of ESP electronic access points.
  • Compliance Manager will manage all documentation of your ESP and its access points, cyber vulnerability assessment results, etc. The documentation can be updated when necessary, and used to present evidence of compliance for audits and spot checks.

CIP-006: Physical Security

  • We can help you develop or update your physical security plan, including ensuring that all cyber assets within an ESP reside within a physical security perimeter (PSP), and that all physical security controls are properly accounted for and documented.
  • In conjunction with our sister company, Honeywell Industrial Security, we can design and implement physical access controls, access monitoring systems and access logging mechanisms.
  • We can ensure that all cyber assets that authorize or log PSP access are protected as required by CIP-006 R2.
  • Compliance Manager will manage all documentation of your physical security plan and physical access controls. Cyber assets can be identified based on a model of the physical structure of the site, including buildings, floors, rooms and the connections between each.

CIP-007: Systems Security Management

  • We can help you design test procedures to ensure that changes to cyber assets do not adversely affect cyber security controls.
  • We can identify open ports and services on your cyber assets, determine which are necessary for normal or emergency operations, and disable those that are not. Where technical limitations preclude such disablement, we can implement compensating measures as required in CIP-007 R2.3.
  • We can design and implement processes, procedures and technologies for security patch management (CIP-007 R3), malicious software prevention (R4), account management (R5.1), administrative and shared account management (R5.2) and password management (R5.3). Where these are not technically feasible, we can prepare and submit requests for Technical Feasibility Exceptions with your Regional Entity.
  • Depending on your requirements and budget, we can implement manual procedures or automated technologies, including Security Information and Event Management (SIEM) and log management, for security status monitoring.
  • We can perform the required annual cyber vulnerability assessment of cyber systems within an ESP.
  • Honeywell’s Patch Evaluation Subscription Service monitors the availability of vendor patches for the devices and software components in your control system environment. We notify you of all patches that are applicable to your systems and software.
  • Compliance Manager automates the patch management workflow, including identifying applicable patches, assessing risk, testing, approving and implementing patches, and documentation. For Windows systems and some other devices, Compliance Manager can automatically verify successful patch installation.

CIP-008: Incident Reporting and Response Planning

  • We can implement or revise your cyber security incident response plan (CSIRP).
  • We can assist with designing and facilitating the required annual tests of your incident response plan.
  • Compliance Manager will manage the documentation of your CSIRP, all updates to it and the reasons for the updates, and the results of the required annual tests of the CSIRP.

CIP-009: Recovery Plans for Critical Cyber Assets

  • We can help develop recovery plans for CCAs.
  • We can plan and implement exercises to test the recovery plans, and make changes to the plans based on the results of the exercises.
  • Compliance Manager will manage documentation of the recovery plans and changes to them, the results of the annual exercises, the processes and procedures for backup and storage of information required to restore critical cyber assets, and the results of testing backup media.

For more information on the standards, visit the NERC Critical Infrastructure Protection (CIP) Reliability Standards.