The North American Electric Reliability Corporation (NERC) creates regulations for businesses involved in critical power infrastructure under the guidance and approval of the Federal Energy Regulatory Commission (FERC). A few of these, the Critical Infrastructure Protection (CIP) standards, protect the most important links in the chain and are enforced under penalty of heavy fines for non-compliance. Many of the CIP standards cover cybersecurity, as much of the nation’s infrastructure is now digital. To prove compliance with CIP standards, companies must have a system of record that can be shown to auditors to prove they have enacted the required security measures to protect their cyber assets.
Picking a NERC Compliance Solution
For businesses required to comply with NERC CIP standards, finding the right compliance solution can be difficult. But when choosing a NERC compliance solution, consider the following:
Does it satisfy CIP requirements? Most importantly, the solution must demonstrate compliance to NERC standards in an audit.
Price. Avoiding fines is the government’s “stick” to drive compliance. For better or worse, financial controllers must compare the cost of a solution to the cost of fines, which has led some companies to choose non-compliance as the less costly result.
Deployment time. A solution that takes months to deploy incurs additional costs in employee time, reduces the amortized value of the solution, and doesn’t mitigate the risk of failing audit in the interim. Like pulling off a band-aid, compliance hurts less if it can be done quickly.
Total cost of ownership. Beyond the sticker price and the time spent deploying a solution, what’s being signed up for down the road? How will the maintenance costs of the solution affect the ability to execute on other projects? And if using the software on day one isn’t enjoyable, just imagine after a year or two of steady use. Outdated and complex solutions require specialist knowledge that is increasingly difficult to come by. This is why UpGuard focused on usability, visualization, search and other functions that improve efficiency and experience.
Strategic benefits. You want to pass your NERC audit, but you also want to be good at your job. Consider whether solutions will integrate with other tools and processes, and what benefits they might offer beyond checking the box on compliance. Getting budget for tools that demonstrate compliance is easier than doing so for tools that increase efficiency, but here that’s an advantage if the solution can do both. Our holistic approach to visibility means that UpGuard is far more than a compliance solution.
When you step back for a moment and consider what it is that the NERC CIP regulations are trying to achieve, it becomes clear that visibility into the environment is key to security. UpGuard offers continuous visibility and configuration testing in an intuitive user interface with powerful search and policy-building features. Capable of scanning servers, websites, cloud hosts and network devices, UpGuard can track current state and changes for NERC compliance items as well as any other configurations. Create quick visualizations of compliance status by applying a policy to affected nodes, then track remediation by comparing historical data to the present state.
UpGuard does NERC compliance better, with faster implementations and changes, at lower cost. And NERC compliance is just the beginning of how organizations can use UpGuard's robust visibility platform. Other compliance solutions require multiple products for CIP compliance, sometimes each having multiple modules, all of which come at a cost. UpGuard is a single-pane solution with all of the functionality and visualization necessary for NERC, HIPAA, PCI and other types of cybersecurity compliance. Organizations can try UpGuard on a few of their systems and see how easy it is to get inventory, build policies and report compliance status.
How UpGuard Achieves CIP Compliance
UpGuard covers 23 of 49 CIPv5 requirements, including the new CIP 010-3, which covers change management, configuration monitoring and vulnerability assessment, three of our specialties. We also cover most of the other cybersecurity requirements, including port and service inventory and monitoring, patch management, critical asset identification and access control.
The CIP standards regarding cybersecurity can be grouped into a few types, defined by the kind of security they provide. While not exhaustive, most of the CIPs can be thought of as follows:
Inventory. What needs to be secured? Having an inventory not only of what systems fall under the scope of the standards, but of what is on those systems and how they are configured, is the first necessity for compliance. While this could be handled on something as simple as a spreadsheet, consider how much labor it would take to get even a single snapshot of inventory by hand, much less track any changes made. UpGuard regularly scans nodes for updated inventory and stores historical scans for audit and/or comparison purposes. Create policies for inventory standards and receive notifications whenever a node falls out of compliance.
Configuration Monitoring and Change Tracking. A key security concept many of the CIPs seek to enforce is that nothing should happen without people knowing about it. Whether it is an unplanned change that requires after-the-fact forensics or a planned but uncommunicated outage, tracking changes made to critical systems and notifying responsible parties prevents what may seem like a simple change from causing drastic effects down the road. UpGuard can monitor all configuration files and report changes down to the line level.
Antivirus and Antimalware. NERC CIPs require systems to have appropriate defenses in place, including updated antivirus and antimalware. UpGuard can check nodes for installed software and verify correct versions and will send notifications if a node fails to meet the appropriate criteria.
Patches and Updates. An IT no-brainer, one might think, but in fact most exploited vulnerabilities are over a year old. NERC requires companies to have a patch management mechanism and provide a record of all installed updates on every system. UpGuard inventories all installed updates and can quickly check which systems have or are missing a particular update. You can diff your servers across development, test and production to make sure the same patches are installed in all your environments so you don’t get any deployment surprises.
Vulnerability Management. Organizations are also required to have a vulnerability management platform that detects and assesses threats. UpGuard can handle this, and document it, within a single, easy-to-use interface.
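The inventory, change-tracking and patch checks above amount to comparing each node's latest scan against a policy and against its previous scan. The following is an added illustration of that workflow in plain Python, not UpGuard code; the node name, package versions, patch ids and config file contents are constructed sample data.

```python
import difflib
import re

# Constructed sample scans and policy (not real hosts, versions or patch ids).
BASELINE = {
    "relay-ctrl-01": {
        "packages": {"clamav": "0.103.2"},
        "patches": {"PATCH-A", "PATCH-B"},
        "files": {"/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\n"},
    },
}
CURRENT = {
    "relay-ctrl-01": {
        "packages": {"clamav": "0.103.2"},
        "patches": {"PATCH-A"},  # PATCH-B disappeared since the baseline scan
        "files": {"/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n"},
    },
}
POLICY = {"min_versions": {"clamav": "0.103.2"},
          "required_patches": {"PATCH-A", "PATCH-B"}}

def version_key(v):
    """Turn '0.103.2' (or '8.4p1') into a comparable tuple of leading integers."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in v.split("."))

def check_policy(scan, policy):
    """Return human-readable policy failures for one node's scan."""
    failures = []
    for pkg, minimum in policy["min_versions"].items():
        have = scan["packages"].get(pkg)
        if have is None:
            failures.append(f"{pkg} not installed")
        elif version_key(have) < version_key(minimum):
            failures.append(f"{pkg} {have} below required {minimum}")
    for patch in sorted(policy["required_patches"] - scan["patches"]):
        failures.append(f"missing patch {patch}")
    return failures

def config_drift(old, new):
    """Line-level unified diff of each tracked file that changed between scans."""
    drift = {}
    for path in sorted(set(old["files"]) | set(new["files"])):
        before = old["files"].get(path, "").splitlines()
        after = new["files"].get(path, "").splitlines()
        lines = list(difflib.unified_diff(before, after, path, path, n=0, lineterm=""))
        if lines:
            drift[path] = lines
    return drift

def compliance_report(baseline, current, policy):
    """Per node: policy failures plus config lines changed since the baseline scan."""
    return {node: {"failures": check_policy(scan, policy),
                   "drift": config_drift(baseline.get(node, {"files": {}}), scan)}
            for node, scan in current.items()}
```

A non-empty `failures` or `drift` entry is what an auditor-facing system of record would raise a notification on; the diff lines give the line-level change the post describes.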
Stop Chasing NERC
NERC has just started enforcing version 5 (v5) of the CIP standards, and v6 is already in the works. Those who transitioned between v3 and v5 of the CIPs (don’t even ask about v4) know that compliance with one version doesn’t necessarily entail a smooth transition to the next. Power companies can expect the CIPs to continue to change as technology evolves and threats along with it. It only makes sense that a compliance solution should be adaptable as well, able to move along with the changing standards so companies can focus on security instead of documentation. Traditional compliance solutions require multiple systems, lengthy implementations and tedious updates between versions.
UpGuard’s approach is to let you check the boxes of compliance while taking a holistic view of environment visibility and configuration testing. This not only eases transition between ever-changing compliance standards, but increases overall security, which ultimately is what NERC is about. We don’t know what will be in the CIPs for v7 (or v8, or v9…) but we do know what kinds of things will be in them, and by using a system of record designed for total visibility and quick, visualized policy testing, you know that implementing changes between versions won't be a nightmare.
The complexity and versioning of the NERC standards can make them seem difficult, but compliance doesn't have to be when you combine an easy-to-use interface with solid configuration testing and proactive change tracking. UpGuard offers all of these and more, without the price tag of legacy compliance solutions. Try a fully functional version on up to 10 devices for free. If that piques your interest and you'd like to learn more or schedule a demo with our experts, contact us via the link below and we'll help you get what you need for NERC.