Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which help ensure the protection of critical cyber assets that control or affect the reliability of North America's bulk electric systems. The HCL Governance, Risk and Compliance Consulting Practice offers market-leading services to organizations seeking NERC compliance by improving their security and governance posture in a cost-effective and timely manner.
Overview

The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system.

Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems.

NERC CIP Standards seek to address the question "How well protected is this critical infrastructure?" Compliance with these standards can be both risky and complicated given the differences between electrical utilities and the newness of the standards. Certainly, the remoteness of power generation and the wide coverage of electric transmission greatly complicate the job of securing these assets from direct attack.

The HCL Governance, Risk & Compliance (GRC) consulting practice offers market-leading services to organizations seeking compliance support for the NERC CIP standards by improving their security and governance posture while reducing cost. Many of our Managed Security Services and Professional Services align with the NERC CIP Cyber Security Standards, allowing organizations to meet and exceed the requirements they set forth. Starting from a compliance health check, HCL can work with your organization to implement the recommendations by providing technical, documentation and project management support.
Challenges Addressed

- Lack of confidence in organizational security posture and a siloed approach across the engineering, operations and IT departments
- Real-time systems make patch application, validation, and user authentication difficult
- Cyber security requires a toolset and knowledge base that is traditionally not located within the same experience pool that understands and manages the day-to-day operations of a power grid
- Diversified risk-assessment approach
- Lack of basic security mechanisms in SCADA/EMS and DCS design when compared to standard business information systems
- High cost of audit and compliance sustenance

The HCL GRC focus is to offer end-to-end "Advisory" and "Implementation" services to enable an organization to meet the business objectives of its NERC Cyber Security Compliance initiative.
Approach – NERC Cyber Security compliance

The HCL GRC team can assist Responsible Entities by offering a comprehensive program of capabilities that enable the achievement of NERC standards compliance in a cost-effective and timely manner. The spectrum of HCL services covers the complete gamut of standards CIP-002 through CIP-009, providing a robust solution to support reliable operations of bulk electric systems. The approach and key activities are detailed below, grouped by NERC requirement, HCL GRC capability and deliverables:
CIP-002-1 – Critical Cyber Asset Identification
  HCL GRC Capability: Automated enterprise discovery of Critical Assets; identification of critical assets by client and HCL SMEs who have qualified experience in grid analysis; risk-based assessment, analysis and prioritization by application
  Deliverables: Inventory of Critical Cyber Assets; risk library pertaining to cyber asset operations; annual reviews

CIP-003-1 – Management Control – Cyber Security Policy
  HCL GRC Capability: Policy evaluation and analysis; policy documentation
  Deliverables: Enhanced Cyber Security Policy for NERC compliance

CIP-003-1 – Management Control – Leadership & Exceptions
  HCL GRC Capability: Establishing a Security Program Management Office for NERC compliance and reporting
  Deliverables: Established governance for compliance management

CIP-003-1 – Management Control – Information Protection
  HCL GRC Capability: Catalogued information classification for Critical Cyber Assets; defining access controls, encryption and procedures for disposal, printing and other tasks
  Deliverables: Information classification procedures; data security reference architecture; system security and disaster recovery plan

CIP-003-1 – Management Control – Access Controls
  HCL GRC Capability: Modeling for role-based access control for internet-facing systems and critical backend solutions
  Deliverables: Access control policies and procedures

CIP-003-1 – Management Control – Change Management
  HCL GRC Capability: Establishing change management procedures; conducting impact analysis of changes (includes configuration); enabling functional testing for changes; review of corporate and process control networks (SCADA)
  Deliverables: Change Management and Control Process; back-out procedures; Security Enforcement Policy

CIP-004-1 – Personnel & Training – Awareness
  HCL GRC Capability: Conduct security awareness evaluations and employee assertion program; security awareness training plan development
  Deliverables: Security awareness report; training roadmap

CIP-004-1 – Personnel & Training – Training
  HCL GRC Capability: Identification and deployment of role-based trainings
  Deliverables: Specific procedural training modules

CIP-004-1 – Personnel & Training – Personnel Risk Assessment
  HCL GRC Capability: Development of personnel background check policies and procedures
  Deliverables: Background check policy

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Security Perimeter
  HCL GRC Capability: Identification of control points, ports and services; conduct vulnerability assessments and penetration testing
  Deliverables: Vulnerability and penetration assessment report; remediation report; firewall implementation procedures

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Access Controls
  HCL GRC Capability: Development of authentication procedures; firewall audits; log management and review; real-time threat analysis through SOC (includes NIPS and HIPS)
  Deliverables: Authentication procedures; audit reports; log review and reporting; threat analysis report

CIP-005-1 – Electronic Security Perimeter(s) – Documentation Review & Maintenance
  HCL GRC Capability: Documentation of all systems in electronic security perimeters; quarterly review of all documentation
  Deliverables: Documentation of network changes

CIP-006-1 – Physical Security Program
  HCL GRC Capability: Assessment of facilities' physical security; assessment of the organization's physical security plan; development of log and DVR retention policies; physical security audits
  Deliverables: Physical security assessment report; log retention and governance policies

CIP-007-1 – System Security Management
  HCL GRC Capability: Test procedures evaluation for patch management, device management and anti-virus policies; documentation of non-critical cyber asset policy; creating an inventory of non-critical cyber assets; policy documentation for malware and malicious software prevention; documentation and enforcement of password management policy; policy creation for disposal and redeployment of cyber assets; establishing governance and organizational structure for documentation and policy review
  Deliverables: Malicious software prevention policy; test procedures and controls for device management; password policy; asset disposal policy; identity management process; security incident management process; documentation lifecycle process

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Response Plan
  HCL GRC Capability: Assessment of incident management procedures; documentation of business continuity plan; testing of business continuity plan; process for retention of incident logs
  Deliverables: Incident management procedures; Business Continuity Plan; Business Continuity Test Procedures

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Documentation
  HCL GRC Capability: Process for retention of incident logs
  Deliverables: Log retention policy

CIP-009-1 – Disaster Recovery – Recovery Plan, Backup & Restore, Testing Media
  HCL GRC Capability: Identification and definition of action triggers, acceptable downtime service levels and acceptable data loss; development of verification criteria and procedures
  Deliverables: Disaster Recovery Plan; backup procedures; test plan for backup storage

CIP-009-1 – Disaster Recovery – Exercises
  HCL GRC Capability: Conducting DR drills
  Deliverables: DR test report
Automated NERC Compliance Management – GRC Manager

Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Some of the most pervasive and difficult of these obstacles include:

• Multiple regulatory bodies and requirements
• High cost of defining controls
• High cost of demonstrating compliance
• Budget impacts of NERC and other regulatory efforts on the business
• Allocation of resources away from key business initiatives
• Difficulty with ongoing sustainability of ad-hoc compliance projects

In order to mitigate these challenges and offer streamlined sustenance for compliance, HCL has partnered with various GRC platform vendors and helps Energy & Utilities organizations establish an automated solution for an optimal blend of centralization, monitoring and reporting for effective oversight. The GRC platform can also be used for implementing governance initiatives, such as programs for Standards of Conduct and Environmental Health and Safety (EH&S), through document control, compliance training and ongoing auditing, as well as recording and reporting of Federal Energy Regulatory Commission (FERC)-related violations or process nonconformance and the resulting corrective actions.
Some of the basic features of the automated GRC platform are as under:

• Capturing, compiling and reporting compliance information
• Dynamic real-time analysis of risk and controls
• Single global repository for risk and controls
• Integrated industry-standard framework for control optimization
• Role-based dashboards that streamline decision making
• Integrated program resource management capabilities to manage control remediation
• Integration with enterprise business systems for audit evidence collection

A sample snapshot from the automated GRC platform is shown below.

Figure 1. Governance Risk and Compliance Platform
Why choose HCL

• One-stop shop for all your information security and compliance needs
• Matured consulting framework with integrated solution implementation methodology to reduce compliance cost
• Strong engineering and R&D practice with focus on the Energy & Utilities vertical
• HCL is ranked as the No. 1 Security Services provider by Dataquest, V&D and Frost & Sullivan
• Experienced consultants with certifications like CEH, GWAS, CISSP, CISA, CBCP, BS 25999 and ISO27001
• Partnership with leading security product and service vendors
• Expertise across all micro verticals in Electric, Gas distribution, Water & Water Waste/Recycling Utilities
• First in APAC and amongst only 9 companies in the world to receive Cisco's Master Security Certification
• Accredited by Govt. of India CERT as providers of Information Security Assessment Services
• Recognized by Gartner & NASSCOM for its Information Security Strengths
• First Indian company to provide PCI ASV Vulnerability Management Services
• Technology labs in Identity and Access Management, Software Security, Security Testing, Networks and Systems

For further information on HCL GRC Consulting Services, or to have an HCL representative contact you, mail CFS- GRC-PMG@hcl.in or visit http://www.hclisd.com/Governance-Risk-Compliance-Consulting.aspx