Tripwire has announced the results of a survey on compliance with North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) version 3.
According to a report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy industry faced more cyberattacks than any other sector from October 2012 through May 2013, and a successful attack on any of the country’s sixteen critical infrastructure sectors could have devastating results.
The NERC CIP plan is a set of requirements designed to secure the assets required for operating North America’s bulk electrical system. The plan consists of nine standards and 45 requirements covering the security of electronic perimeters, the protection of critical cyber assets, security management, personnel training and disaster recovery planning.
Fines for compliance violations can be up to $1 million per day, and over the past four years fines assessed have totaled more than $150 million. Tripwire’s survey found that the implementation of NERC CIP-007 was the most challenging security control to execute.
NERC CIP-007 requires that energy organizations define efficient and effective security controls for critical assets identified as essential to the operation of the Bulk Electrical System (BES) and perform an annual vulnerability assessment of these systems.
The control also requires that organizations limit the use of ports and services to those required for normal and emergency operations as well as limit the number of privileged accounts. These security controls must adapt to internal and external changes and deliver documented, audit-ready evidence of compliance.
According to NERC statistics, more than 1,085 violations of CIP-007 have been documented from 2007 through December 31, 2012. “The amount of work an entity must go through to be compliant and to prove compliance is staggering,” said Jeff Simon, director of service solutions for Tripwire.
“With the increased asset scope in the new version of the CIP standards, the work will only increase. Automating the assessment is the only effective way to meet compliance, and it really helps turn compliance efforts into effective security measures that can provide actionable intelligence about security risks on a daily and on-demand basis.”
Tripwire has helped registered entities achieve and maintain NERC compliance since 2008. With Tripwire’s NERC Solution Suite, organizations can access award-winning security configuration management and incident detection solutions as well as specialized intelligence, including NERC-specific configuration assessment rules, correlation rules, tools, templates, customized reports and dashboards.
Together with customized services from NERC-experienced consultants, the NERC Solution Suite dramatically reduces the time and resources required to pass NERC CIP audits and minimize audit findings.
The online survey was conducted from July through September 2013 and evaluated the attitudes of more than 100 IT professionals in the energy field. For more information, please visit: http://www.tripwire.com/company/research/update-nerc-survey-data/.