MainNerve has extensive NERC-CIP and SCADA/ICS penetration testing experience.
In 2006, the North American Electric Reliability Corporation (NERC), which is responsible for the nation’s Bulk Electric System, adopted permanent reliability standards for cyber security, CIP-002 through CIP-011 and CIP-014. These standards set a high bar for the security of Bulk Electric Systems (BES)ES Cyber Assets. NERC Reliability Standards are developed using an industry-driven, ANSI-accredited process that ensures the process is open to all persons who are directly and materially affected by the reliability of the North American bulk power system; transparent to the public; demonstrates the consensus for each standard; fairly balances the interests of all stakeholders; provides for reasonable notice and opportunity for comment; and enables the development of standards in a timely manner. NERC’s ANSI-accredited standards development process is defined in the Standard Processes Manual and guided by reliability and market interface principles.
To provide a comprehensive framework for electrical providers to protect their critical infrastructure, NERC developed a Critical Infrastructure Protection plan with 11 enforceable standards that all electrical providers or entities involved in electrical generation, distribution or transmission (called Responsible Entities) must meet. These 11 standards cover most security related areas for BES to include physical security, personnel and training, security management controls, incident response plans and such. Of the 11 standards, 10 of them focus on cybersecurity.
What does this mean?
If you are involved in any part of the electrical generation or delivery process you will be subject to compliance under NERC CIP. This includes not only owners of electrical generation, but also, distribution and transmission providers as well. Non-compliance with NERC may result in significant fines to responsible entities that fail aspects of an audit.
How do I become compliant?
All Responsible entities will eventually undergo a NERC CIP audit that is conducted by NERC itself or a Regional Entity (RE). That audit must show that the Responsible Entity meets the new cybersecurity requirements approved in NERC CIP Version 6. To prepare for an audit, and thus compliance, a pre-audit should be conducted by a validated and experienced third party or consultant to thoroughly analyze all aspects of the 11 NERC CIP Standards, identify vulnerabilities, prepare mitigation strategies and to ensure the best chance of passing the audit.
NERC CIP Version 6 Consulting: An upcoming NERC audit is sure to generate a lot of anxiety as that audit time comes near. Most Responsible Entities can assuage that anxiety by using an experienced NERC consultancy to review all CIP Version 6 requirements and assist with completing the NERC Reliability Standard Audit Worksheet so that they are ready for submittal to the Regional Entity or NERC auditor conducting the audit. MainNerve works with one of the most experienced firms in the NERC market, AESI to combine its extensive knowledge of NERC CIP with the experience of its engineers and technical personnel to conduct pre-audits, mock audits, training and advisory services. The company is a registered and active member of the NPCC Regional Standards Committee as well as a NERC registered voting member on the Standards Review process and has NERC Auditor trained staff.
Vulnerability Scanning: CIP Standard 007-06, Security Systems Management, and CIP Standard 010-02, Configuration Change Management mandate that Responsible Entities conduct Vulnerability Assessments every 36 months in either a test or production environment and demonstrate that patches and updates are identified and responded to within 35 days. MainNerve has extensive experience in the provision of vulnerability scans with industry leading tools to identify system vulnerabilities and recommend mitigation strategies.
Penetration Testing MainNerve is one of the leading penetration testers in the U.S. with hundreds of customers and highly trained, accredited and experienced penetration testers and one of the very few with SCADA/ICS penetration testing experience with critical infrastructure. While penetration testing is not mandated under NERC CIP Version 5 and 6t, it is a recommended practice and annual penetration tests and quarterly scans are encouraged to demonstrate “best practice” cybersecurity principles in case of an NERC audit as well as heighten your cybersecurity posture. MainNerve understands the criticality of penetration testing in critical infrastructure and can conduct penetration tests in “test” or “production” environments, working with the client’s staff to ensure that no risk to operational electrical systems will be present. (See more at link to SCADA/ICS Penetration Testing under services page)